Prevent access to shareinfo if share if read-only
parent
66d853680c
commit
075bf73c80
|
@ -42,6 +42,13 @@ if($token === ''){
|
||||||
}
|
}
|
||||||
|
|
||||||
$linkedItem = \OCP\Share::getShareByToken($token);
|
$linkedItem = \OCP\Share::getShareByToken($token);
|
||||||
|
$shareManager = \OC::$server->getShareManager();
|
||||||
|
$share = $shareManager->getShareByToken($token);
|
||||||
|
if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
|
||||||
|
OCP\JSON::error(array('data' => 'Share is not readable.'));
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
if($linkedItem === false || ($linkedItem['item_type'] !== 'file' && $linkedItem['item_type'] !== 'folder')) {
|
if($linkedItem === false || ($linkedItem['item_type'] !== 'file' && $linkedItem['item_type'] !== 'folder')) {
|
||||||
\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);
|
\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);
|
||||||
\OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
|
\OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
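Review bot: The added read-permission check calls `$share->getPermissions()` before the existing `$linkedItem === false` guard runs, so an unknown or expired token reaches that call first. If `getShareByToken()` throws or returns null for such a token (its behaviour is not visible here), the 404 branch and its log line are never reached. Placing the new block after the not-found guard, or catching the lookup failure and falling into that branch, keeps the response for invalid tokens as it was. The denial is also sent through `OCP\JSON::error(...)` with no status call, so it presumably goes out as HTTP 200. Adding `\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);` before it would make the refusal visible to clients and access logs without confirming that the token exists, and the same status point applies to the block added in the `@ -71,6 +71,11` hunk.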
|
||||||
|
|
|
@ -71,6 +71,11 @@ $shareManager = \OC::$server->getShareManager();
|
||||||
$share = $shareManager->getShareByToken($token);
|
$share = $shareManager->getShareByToken($token);
|
||||||
$sharePermissions= (int)$share->getPermissions();
|
$sharePermissions= (int)$share->getPermissions();
|
||||||
|
|
||||||
|
if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
|
||||||
|
OCP\JSON::error(array('data' => 'Share is not readable.'));
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param \OCP\Files\FileInfo $dir
|
* @param \OCP\Files\FileInfo $dir
|
||||||
* @param \OC\Files\View $view
|
* @param \OC\Files\View $view
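Review bot: The new condition calls `$share->getPermissions()` again although `$sharePermissions` was computed on the line directly above it. Testing the cached value, `if (!($sharePermissions & \OCP\Constants::PERMISSION_READ)) {`, keeps the permission decision tied to one read of the share. The call is also written `OCP\JSON::error(...)` without the leading backslash that every other reference in this hunk uses; `\OCP\JSON::error(...)` would match and would keep working if the file is ever namespaced.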
|
||||||
|
|
|
@ -252,6 +252,7 @@ class ShareController extends Controller {
|
||||||
* @param string $path
|
* @param string $path
|
||||||
* @return TemplateResponse|RedirectResponse
|
* @return TemplateResponse|RedirectResponse
|
||||||
* @throws NotFoundException
|
* @throws NotFoundException
|
||||||
|
* @throws \Exception
|
||||||
*/
|
*/
|
||||||
public function showShare($token, $path = '') {
|
public function showShare($token, $path = '') {
|
||||||
\OC_User::setIncognitoMode(true);
|
\OC_User::setIncognitoMode(true);
|
||||||
|
@ -373,13 +374,18 @@ class ShareController extends Controller {
|
||||||
* @param string $files
|
* @param string $files
|
||||||
* @param string $path
|
* @param string $path
|
||||||
* @param string $downloadStartSecret
|
* @param string $downloadStartSecret
|
||||||
* @return void|RedirectResponse
|
* @return void|OCP\AppFramework\Http\Response
|
||||||
|
* @throws NotFoundException
|
||||||
*/
|
*/
|
||||||
public function downloadShare($token, $files = null, $path = '', $downloadStartSecret = '') {
|
public function downloadShare($token, $files = null, $path = '', $downloadStartSecret = '') {
|
||||||
\OC_User::setIncognitoMode(true);
|
\OC_User::setIncognitoMode(true);
|
||||||
|
|
||||||
$share = $this->shareManager->getShareByToken($token);
|
$share = $this->shareManager->getShareByToken($token);
|
||||||
|
|
||||||
|
if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
|
||||||
|
return new OCP\AppFramework\Http\DataResponse('Share is read-only');
|
||||||
|
}
|
||||||
|
|
||||||
// Share is password protected - check whether the user is permitted to access the share
|
// Share is password protected - check whether the user is permitted to access the share
|
||||||
if ($share->getPassword() !== null && !$this->linkShareAuth($share)) {
|
if ($share->getPassword() !== null && !$this->linkShareAuth($share)) {
|
||||||
return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate',
|
return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate',
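Review bot: `new OCP\AppFramework\Http\DataResponse(...)` has no leading backslash inside `class ShareController`. If this file declares a namespace (the declaration is outside the hunk), the name resolves relative to it and this branch would fail with a class-not-found error instead of denying the download; the same applies to the `@return void|OCP\AppFramework\Http\Response` tag. The response also keeps the default status and says 'Share is read-only', while the condition tests for a missing `PERMISSION_READ` bit. I would write `return new \OCP\AppFramework\Http\DataResponse('Share is not readable', \OCP\AppFramework\Http::STATUS_NOT_FOUND);` so the refusal is accurate and carries an error status. The body of `downloadShare` continues past the end of the hunk, so any later handling is not visible here.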
|
||||||
|
|