add some additonal permission checks to the webdav backend

Bjoern Schiessle 2016-06-30 11:09:20 +02:00
parent f7a69c765a
commit 3571207bd9
1 changed files with 16 additions and 1 deletions


@ -71,7 +71,7 @@ class ObjectTree extends \Sabre\DAV\Tree {
* is present.
*
* @param string $path chunk file path to convert
*
*
* @return string path to real file
*/
private function resolveChunkFile($path) {
@ -196,6 +196,15 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
$infoDestination = $this->fileView->getFileInfo(dirname($destinationPath));
$infoSource = $this->fileView->getFileInfo($sourcePath);
$destinationPermission = $infoDestination && $infoDestination->isUpdateable();
$sourcePermission = $infoSource && $infoSource->isDeletable();
if (!$destinationPermission || !$sourcePermission) {
throw new Forbidden();
}
$targetNodeExists = $this->nodeExists($destinationPath);
$sourceNode = $this->getNodeForPath($sourcePath);
if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) {
@ -273,6 +282,12 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
$info = $this->fileView->getFileInfo(dirname($destination));
if ($info && !$info->isUpdateable()) {
throw new Forbidden();
}
// this will trigger existence check
$this->getNodeForPath($source);
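Review bot: The copy check in the last hunk fails open: `if ($info && !$info->isUpdateable())` skips the permission test whenever `getFileInfo(dirname($destination))` returns a falsy value, whereas the move hunk above treats a missing info object as denied (`$infoDestination && $infoDestination->isUpdateable()`). Denying by default on both paths would be more consistent, e.g. `if (!$info || !$info->isUpdateable()) { throw new Forbidden(); }`, unless a later step outside the hunk already rejects a missing or inaccessible parent. Both `Forbidden` exceptions are also thrown without a message, so neither the client nor the server log can tell whether the source or the destination was refused; a short message naming the side would help when auditing denied requests. The enclosing methods start and end outside the hunks shown.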