Prevent access to shareinfo if share if read-only
This commit is contained in:
Lukas Reschke
parent
66d853680c
commit
075bf73c80
|
|
@ -42,6 +42,13 @@ if($token === ''){
|
|||
}
|
||||
|
||||
$linkedItem = \OCP\Share::getShareByToken($token);
|
||||
$shareManager = \OC::$server->getShareManager();
|
||||
$share = $shareManager->getShareByToken($token);
|
||||
if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
|
||||
OCP\JSON::error(array('data' => 'Share is not readable.'));
|
||||
exit();
|
||||
}
|
||||
|
||||
if($linkedItem === false || ($linkedItem['item_type'] !== 'file' && $linkedItem['item_type'] !== 'folder')) {
|
||||
\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);
|
||||
\OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
|
||||
|
|
|
|||
|
|
@ -71,6 +71,11 @@ $shareManager = \OC::$server->getShareManager();
|
|||
$share = $shareManager->getShareByToken($token);
|
||||
$sharePermissions= (int)$share->getPermissions();
|
||||
|
||||
if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
|
||||
OCP\JSON::error(array('data' => 'Share is not readable.'));
|
||||
exit();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param \OCP\Files\FileInfo $dir
|
||||
* @param \OC\Files\View $view
|
||||
|
|
|
|||
|
|
@ -252,6 +252,7 @@ class ShareController extends Controller {
|
|||
* @param string $path
|
||||
* @return TemplateResponse|RedirectResponse
|
||||
* @throws NotFoundException
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function showShare($token, $path = '') {
|
||||
\OC_User::setIncognitoMode(true);
|
||||
|
|
@ -373,13 +374,18 @@ class ShareController extends Controller {
|
|||
* @param string $files
|
||||
* @param string $path
|
||||
* @param string $downloadStartSecret
|
||||
* @return void|RedirectResponse
|
||||
* @return void|OCP\AppFramework\Http\Response
|
||||
* @throws NotFoundException
|
||||
*/
|
||||
public function downloadShare($token, $files = null, $path = '', $downloadStartSecret = '') {
|
||||
\OC_User::setIncognitoMode(true);
|
||||
|
||||
$share = $this->shareManager->getShareByToken($token);
|
||||
|
||||
if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
|
||||
return new OCP\AppFramework\Http\DataResponse('Share is read-only');
|
||||
}
|
||||
|
||||
// Share is password protected - check whether the user is permitted to access the share
|
||||
if ($share->getPassword() !== null && !$this->linkShareAuth($share)) {
|
||||
return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate',
|
||||
|
|
|
|||
Loading…
Reference in New Issue