mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Do not allow to delete/update group shares as a group member

This commit is contained in:
Joas Schilling 2016-08-03 09:22:18 +02:00
parent 37d1277252
commit a5471b4a3e
No known key found for this signature in database
GPG Key ID: E166FD8976B3BAC8
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
apps/files_sharing/api/share20ocs.php
View File

@ -240,7 +240,7 @@ class Share20OCS {
} }
} }
if (!$this->canAccessShare($share)) { if (!$this->canAccessShare($share, false)) {
return new \OC_OCS_Result(null, 404, 'could not delete share'); return new \OC_OCS_Result(null, 404, 'could not delete share');
} }
@ -564,7 +564,7 @@ class Share20OCS {
} }
} }
if (!$this->canAccessShare($share)) { if (!$this->canAccessShare($share, false)) {
return new \OC_OCS_Result(null, 404, 'wrong share Id, share doesn\'t exist.'); return new \OC_OCS_Result(null, 404, 'wrong share Id, share doesn\'t exist.');
} }
@ -669,9 +669,10 @@ class Share20OCS {
/** /**
* @param \OCP\Share\IShare $share * @param \OCP\Share\IShare $share
* @param bool $checkGroups
* @return bool * @return bool
*/ */
protected function canAccessShare(\OCP\Share\IShare $share) { protected function canAccessShare(\OCP\Share\IShare $share, $checkGroups = true) {
// A file with permissions 0 can't be accessed by us. So Don't show it // A file with permissions 0 can't be accessed by us. So Don't show it
if ($share->getPermissions() === 0) { if ($share->getPermissions() === 0) {
return false; return false;
@ -690,7 +691,7 @@ class Share20OCS {
return true; return true;
} }
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) { if ($checkGroups && $share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$sharedWith = $this->groupManager->get($share->getSharedWith()); $sharedWith = $this->groupManager->get($share->getSharedWith());
if ($sharedWith->inGroup($this->currentUser)) { if ($sharedWith->inGroup($this->currentUser)) {
return true; return true;