Merge pull request #4969 from owncloud/fixing-4043-master

adding privilege check on move and rename operations

lib/connector/sabre/node.php

@@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 */
 	public function setName($name) {
 
+		// rename is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
 		list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
 
@@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 *  Even if the modification time is set to a custom value the access time is set to now.
 	 */
 	public function touch($mtime) {
+
+		// touch is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		\OC\Files\Filesystem::touch($this->path, $mtime);
 	}
 

lib/connector/sabre/objecttree.php

@@ -11,6 +11,14 @@ namespace OC\Connector\Sabre;
 use OC\Files\Filesystem;
 
 class ObjectTree extends \Sabre_DAV_ObjectTree {
+
+	/**
+	 * keep this public to allow mock injection during unit test
+	 *
+	 * @var \OC\Files\View
+	 */
+	public $fileView;
+
 	/**
 	 * Returns the INode object for the requested path
 	 *
@@ -21,14 +29,16 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 	public function getNodeForPath($path) {
 
 		$path = trim($path, '/');
-		if (isset($this->cache[$path])) return $this->cache[$path];
+		if (isset($this->cache[$path])) {
+			return $this->cache[$path];
+		}
 
 		// Is it the root node?
 		if (!strlen($path)) {
 			return $this->rootNode;
 		}
 
-		$info = Filesystem::getFileInfo($path);
+		$info = $this->getFileView()->getFileInfo($path);
 
 		if (!$info) {
 			throw new \Sabre_DAV_Exception_NotFound('File with name ' . $path . ' could not be located');
@@ -64,7 +74,25 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 		list($sourceDir,) = \Sabre_DAV_URLUtil::splitPath($sourcePath);
 		list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destinationPath);
 
-		Filesystem::rename($sourcePath, $destinationPath);
+		// check update privileges
+		$fs = $this->getFileView();
+		if (!$fs->isUpdatable($sourcePath)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+		if ($sourceDir !== $destinationDir) {
+			// for a full move we need update privileges on sourcePath and sourceDir as well as destinationDir
+			if (!$fs->isUpdatable($sourceDir)) {
+				throw new \Sabre_DAV_Exception_Forbidden();
+			}
+			if (!$fs->isUpdatable($destinationDir)) {
+				throw new \Sabre_DAV_Exception_Forbidden();
+			}
+		}
+
+		$renameOkay = $fs->rename($sourcePath, $destinationPath);
+		if (!$renameOkay) {
+			throw new \Sabre_DAV_Exception_Forbidden('');
+		}
 
 		$this->markDirty($sourceDir);
 		$this->markDirty($destinationDir);
@@ -101,4 +129,14 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 		list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destination);
 		$this->markDirty($destinationDir);
 	}
+
+	/**
+	 * @return \OC\Files\View
+	 */
+	public function getFileView() {
+		if (is_null($this->fileView)) {
+			$this->fileView = \OC\Files\Filesystem::getView();
+		}
+		return $this->fileView;
+	}
 }

tests/lib/connector/sabre/objecttree.php

@@ -0,0 +1,87 @@
+<?php
+/**
+ * Copyright (c) 2013 Thomas Müller <thomas.mueller@tmit.eu>
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+namespace Test\OC\Connector\Sabre;
+
+
+use OC_Connector_Sabre_Directory;
+use PHPUnit_Framework_TestCase;
+use Sabre_DAV_Exception_Forbidden;
+
+class TestDoubleFileView extends \OC\Files\View{
+
+	public function __construct($updatables, $canRename = true) {
+		$this->updatables = $updatables;
+		$this->canRename = $canRename;
+	}
+
+	public function isUpdatable($path) {
+		return $this->updatables[$path];
+	}
+
+	public function rename($path1, $path2) {
+		return $this->canRename;
+	}
+}
+
+class ObjectTree extends PHPUnit_Framework_TestCase {
+
+	/**
+	 * @dataProvider moveFailedProvider
+	 * @expectedException Sabre_DAV_Exception_Forbidden
+	 */
+	public function testMoveFailed($source, $dest, $updatables) {
+		$this->moveTest($source, $dest, $updatables);
+	}
+
+	/**
+	 * @dataProvider moveSuccessProvider
+	 */
+	public function testMoveSuccess($source, $dest, $updatables) {
+		$this->moveTest($source, $dest, $updatables);
+		$this->assertTrue(true);
+	}
+
+	function moveFailedProvider() {
+		return array(
+			array('a/b', 'a/c', array('a' => false, 'a/b' => false, 'a/c' => false)),
+			array('a/b', 'b/b', array('a' => false, 'a/b' => false, 'b' => false, 'b/b' => false)),
+			array('a/b', 'b/b', array('a' => false, 'a/b' => true, 'b' => false, 'b/b' => false)),
+			array('a/b', 'b/b', array('a' => true, 'a/b' => true, 'b' => false, 'b/b' => false)),
+		);
+	}
+
+	function moveSuccessProvider() {
+		return array(
+			array('a/b', 'a/c', array('a' => false, 'a/b' => true, 'a/c' => false)),
+			array('a/b', 'b/b', array('a' => true, 'a/b' => true, 'b' => true, 'b/b' => false)),
+		);
+	}
+
+	/**
+	 * @param $source
+	 * @param $dest
+	 * @param $updatables
+	 */
+	private function moveTest($source, $dest, $updatables) {
+		$rootDir = new OC_Connector_Sabre_Directory('');
+		$objectTree = $this->getMock('\OC\Connector\Sabre\ObjectTree',
+			array('nodeExists', 'getNodeForPath'),
+			array($rootDir));
+
+		$objectTree->expects($this->once())
+			->method('getNodeForPath')
+			->with($this->identicalTo($source))
+			->will($this->returnValue(false));
+
+		/** @var $objectTree \OC\Connector\Sabre\ObjectTree */
+		$objectTree->fileView = new TestDoubleFileView($updatables);
+		$objectTree->move($source, $dest);
+	}
+
+}