Set proper permissions on link share

If we do not allow public upload we should limit the permissions on
link shares upon retrieval.

* Added unit test
* Allow fetching federated shares by token as well
Roeland Jago Douma 2016-04-01 17:02:59 +02:00
parent 6eefea1bb6
commit bd3bde2f3b
No known key found for this signature in database
GPG Key ID: 1E152838F164D13B
2 changed files with 38 additions and 1 deletions


@ -976,7 +976,17 @@ class Manager implements IManager {
public function getShareByToken($token) {
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_LINK);
try {
$share = $provider->getShareByToken($token);
} catch (ShareNotFound $e) {
//Ignore
}
// If it is not a link share try to fetch a federated share by token
if ($share === null) {
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_REMOTE);
$share = $provider->getShareByToken($token);
}
if ($share->getExpirationDate() !== null &&
$share->getExpirationDate() <= new \DateTime()) {
@ -984,6 +994,14 @@ class Manager implements IManager {
throw new ShareNotFound();
}
/*
* Reduce the permissions for link shares if public upload is not enabled
*/
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK &&
!$this->shareApiLinkAllowPublicUpload()) {
$share->setPermissions($share->getPermissions() & ~(\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE));
}
return $share;
}
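Review bot: The mask in the new `setPermissions()` call clears only `PERMISSION_CREATE` and `PERMISSION_UPDATE`, so a link share that was created with delete rights while public upload was enabled would presumably still hand out `PERMISSION_DELETE` after the setting is turned off. If the intent is a read-only public link, the mask should be `~(\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_DELETE)`, and the test should set and check that bit as well. Separately, in the first hunk `$share` is never assigned when the link provider throws `ShareNotFound`, so `if ($share === null)` reads an undefined variable; adding `$share = null;` before the `try` makes the fallback to `SHARE_TYPE_REMOTE` explicit. A short comment noting that the reduction is applied to the returned object only, and is not persisted, would also help callers that later pass the share to an update path.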


@ -2084,6 +2084,25 @@ class ManagerTest extends \Test\TestCase {
$this->assertSame($share, $res);
}
public function testGetShareByTokenPublicSharingDisabled() {
$share = $this->manager->newShare();
$share->setShareType(\OCP\Share::SHARE_TYPE_LINK)
->setPermissions(\OCP\Constants::PERMISSION_READ | \OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE);
$this->config->method('getAppValue')->will($this->returnValueMap([
['core', 'shareapi_allow_public_upload', 'yes', 'no'],
]));
$this->defaultProvider->expects($this->once())
->method('getShareByToken')
->willReturn('validToken')
->willReturn($share);
$res = $this->manager->getShareByToken('validToken');
$this->assertSame(\OCP\Constants::PERMISSION_READ, $res->getPermissions());
}
public function testCheckPasswordNoLinkShare() {
$share = $this->getMock('\OCP\Share\IShare');
$share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_USER);
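Review bot: In `testGetShareByTokenPublicSharingDisabled` the mock chain calls `->willReturn('validToken')` followed by `->willReturn($share)`, so the token passed to the provider is never constrained; the first call looks like it was meant to be `->with('validToken')`. The test name says public sharing is disabled, but the config map only sets `shareapi_allow_public_upload` to `no`, so a name such as `testGetShareByTokenPublicUploadDisabled` would describe it better. The new fallback is not covered: a case where the link provider throws `ShareNotFound` and the `SHARE_TYPE_REMOTE` provider returns the share would exercise it and confirm that federated shares keep their permissions unchanged. `testCheckPasswordNoLinkShare` continues past the end of the visible section.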