Merge pull request #707 from nextcloud/backport-637-prevent-delete-update-on-group-shares-9

[stable9] Do not allow to delete/update group shares as a group member

apps/files_sharing/api/share20ocs.php

@@ -240,7 +240,7 @@ class Share20OCS {
 			}
 		}
 
-		if (!$this->canAccessShare($share)) {
+		if (!$this->canAccessShare($share, false)) {
 			return new \OC_OCS_Result(null, 404, 'could not delete share');
 		}
 
@@ -564,7 +564,7 @@ class Share20OCS {
 			}
 		}
 
-		if (!$this->canAccessShare($share)) {
+		if (!$this->canAccessShare($share, false)) {
 			return new \OC_OCS_Result(null, 404, 'wrong share Id, share doesn\'t exist.');
 		}
 
@@ -669,9 +669,10 @@ class Share20OCS {
 
 	/**
 	 * @param \OCP\Share\IShare $share
+	 * @param bool $checkGroups
 	 * @return bool
 	 */
-	protected function canAccessShare(\OCP\Share\IShare $share) {
+	protected function canAccessShare(\OCP\Share\IShare $share, $checkGroups = true) {
 		// A file with permissions 0 can't be accessed by us. So Don't show it
 		if ($share->getPermissions() === 0) {
 			return false;
@@ -690,7 +691,7 @@ class Share20OCS {
 			return true;
 		}
 
-		if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
+		if ($checkGroups && $share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
 			$sharedWith = $this->groupManager->get($share->getSharedWith());
 			if ($sharedWith->inGroup($this->currentUser)) {
 				return true;

build/integration/features/sharing-v1.feature

@@ -594,3 +594,18 @@ Feature: sharing
       | /foo/       |
       | /foo%20(2)/ |
 
+  Scenario: Deleting a group share as user
+    Given As an "admin"
+    And user "user0" exists
+    And user "user1" exists
+    And group "group1" exists
+    And user "user1" belongs to group "group1"
+    And As an "user0"
+    And creating a share with
+      | path | welcome.txt |
+      | shareType | 1 |
+      | shareWith | group1 |
+    When As an "user1"
+    And Deleting last share
+    Then the OCS status code should be "404"
+    And the HTTP status code should be "200"