add some additonal permission checks to the webdav backend
This commit is contained in:
parent
f7a69c765a
commit
3571207bd9
|
@ -196,6 +196,15 @@ class ObjectTree extends \Sabre\DAV\Tree {
|
|||
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
|
||||
}
|
||||
|
||||
$infoDestination = $this->fileView->getFileInfo(dirname($destinationPath));
|
||||
$infoSource = $this->fileView->getFileInfo($sourcePath);
|
||||
$destinationPermission = $infoDestination && $infoDestination->isUpdateable();
|
||||
$sourcePermission = $infoSource && $infoSource->isDeletable();
|
||||
|
||||
if (!$destinationPermission || !$sourcePermission) {
|
||||
throw new Forbidden();
|
||||
}
|
||||
|
||||
$targetNodeExists = $this->nodeExists($destinationPath);
|
||||
$sourceNode = $this->getNodeForPath($sourcePath);
|
||||
if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) {
|
||||
|
@ -273,6 +282,12 @@ class ObjectTree extends \Sabre\DAV\Tree {
|
|||
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
|
||||
}
|
||||
|
||||
|
||||
$info = $this->fileView->getFileInfo(dirname($destination));
|
||||
if ($info && !$info->isUpdateable()) {
|
||||
throw new Forbidden();
|
||||
}
|
||||
|
||||
// this will trigger existence check
|
||||
$this->getNodeForPath($source);
|
||||
|
||||
|
|
Loading…
Reference in New Issue