From ee1f627155cad4153f3da3160ca6040c137841d3 Mon Sep 17 00:00:00 2001
From: Thomas Müller <thomas.mueller@tmit.eu>
Date: Tue, 24 Sep 2013 13:26:12 +0200
Subject: adding privilege check on move and rename operations

---
 lib/connector/sabre/node.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'lib/connector/sabre/node.php')

diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php
index 0bffa58af78..29b7f9e53a5 100644
--- a/lib/connector/sabre/node.php
+++ b/lib/connector/sabre/node.php
@@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 */
 	public function setName($name) {
 
+		// rename is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
 		list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
 
@@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 *  Even if the modification time is set to a custom value the access time is set to now.
 	 */
 	public function touch($mtime) {
+
+		// touch is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		\OC\Files\Filesystem::touch($this->path, $mtime);
 	}
 
-- 
cgit v1.2.3