add some additional permission checks to the webdav backend

Bjoern Schiessle 2016-06-30 11:09:20 +02:00
parent f7a69c765a
commit 3571207bd9
1 changed files with 16 additions and 1 deletions


@ -71,7 +71,7 @@ class ObjectTree extends \Sabre\DAV\Tree {
* is present. * is present.
* *
* @param string $path chunk file path to convert * @param string $path chunk file path to convert
* *
* @return string path to real file * @return string path to real file
*/ */
private function resolveChunkFile($path) { private function resolveChunkFile($path) {
@ -196,6 +196,15 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup'); throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
} }
$infoDestination = $this->fileView->getFileInfo(dirname($destinationPath));
$infoSource = $this->fileView->getFileInfo($sourcePath);
$destinationPermission = $infoDestination && $infoDestination->isUpdateable();
$sourcePermission = $infoSource && $infoSource->isDeletable();
if (!$destinationPermission || !$sourcePermission) {
throw new Forbidden();
}
$targetNodeExists = $this->nodeExists($destinationPath); $targetNodeExists = $this->nodeExists($destinationPath);
$sourceNode = $this->getNodeForPath($sourcePath); $sourceNode = $this->getNodeForPath($sourcePath);
if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) { if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) {
@ -273,6 +282,12 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup'); throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
} }
$info = $this->fileView->getFileInfo(dirname($destination));
if ($info && !$info->isUpdateable()) {
throw new Forbidden();
}
// this will trigger existence check // this will trigger existence check
$this->getNodeForPath($source); $this->getNodeForPath($source);
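Review bot: The new check in the copy path, `if ($info && !$info->isUpdateable())`, is skipped entirely when `getFileInfo(dirname($destination))` returns a falsy value, so the copy proceeds with no permission check on the destination parent. The move hunk above treats the same situation as a denial (`$infoDestination && $infoDestination->isUpdateable()` followed by `!$destinationPermission`), and the two paths should agree on failing closed: `if (!$info || !$info->isUpdateable()) { throw new Forbidden(); }`. If a missing parent is meant to produce a different error than 403, that case deserves its own explicit branch rather than falling through the permission check. Both methods start and end outside the visible hunks, so whether a later call rejects the missing parent cannot be confirmed from here.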