add some additonal permission checks to the webdav backend

This commit is contained in:
Bjoern Schiessle 2016-06-30 11:09:20 +02:00
parent f7a69c765a
commit 3571207bd9
1 changed files with 16 additions and 1 deletions

View File

@ -196,6 +196,15 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
$infoDestination = $this->fileView->getFileInfo(dirname($destinationPath));
$infoSource = $this->fileView->getFileInfo($sourcePath);
$destinationPermission = $infoDestination && $infoDestination->isUpdateable();
$sourcePermission = $infoSource && $infoSource->isDeletable();
if (!$destinationPermission || !$sourcePermission) {
throw new Forbidden();
}
$targetNodeExists = $this->nodeExists($destinationPath);
$sourceNode = $this->getNodeForPath($sourcePath);
if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) {
@ -273,6 +282,12 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
$info = $this->fileView->getFileInfo(dirname($destination));
if ($info && !$info->isUpdateable()) {
throw new Forbidden();
}
// this will trigger existence check
$this->getNodeForPath($source);