Set proper permissions on link share
If we do not allow public upload we should limit the permissions on links shares upon retrieval. * Added unit test * Allow fetching federated shares by token as well
This commit is contained in:
Roeland Jago Douma
parent
6eefea1bb6
commit
bd3bde2f3b
|
|
@ -976,7 +976,17 @@ class Manager implements IManager {
|
|||
public function getShareByToken($token) {
|
||||
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_LINK);
|
||||
|
||||
try {
|
||||
$share = $provider->getShareByToken($token);
|
||||
} catch (ShareNotFound $e) {
|
||||
//Ignore
|
||||
}
|
||||
|
||||
// If it is not a link share try to fetch a federated share by token
|
||||
if ($share === null) {
|
||||
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_REMOTE);
|
||||
$share = $provider->getShareByToken($token);
|
||||
}
|
||||
|
||||
if ($share->getExpirationDate() !== null &&
|
||||
$share->getExpirationDate() <= new \DateTime()) {
|
||||
|
|
@ -984,6 +994,14 @@ class Manager implements IManager {
|
|||
throw new ShareNotFound();
|
||||
}
|
||||
|
||||
/*
|
||||
* Reduce the permissions for link shares if public upload is not enabled
|
||||
*/
|
||||
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK &&
|
||||
!$this->shareApiLinkAllowPublicUpload()) {
|
||||
$share->setPermissions($share->getPermissions() & ~(\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE));
|
||||
}
|
||||
|
||||
return $share;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -2084,6 +2084,25 @@ class ManagerTest extends \Test\TestCase {
|
|||
$this->assertSame($share, $res);
|
||||
}
|
||||
|
||||
public function testGetShareByTokenPublicSharingDisabled() {
|
||||
$share = $this->manager->newShare();
|
||||
$share->setShareType(\OCP\Share::SHARE_TYPE_LINK)
|
||||
->setPermissions(\OCP\Constants::PERMISSION_READ | \OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE);
|
||||
|
||||
$this->config->method('getAppValue')->will($this->returnValueMap([
|
||||
['core', 'shareapi_allow_public_upload', 'yes', 'no'],
|
||||
]));
|
||||
|
||||
$this->defaultProvider->expects($this->once())
|
||||
->method('getShareByToken')
|
||||
->willReturn('validToken')
|
||||
->willReturn($share);
|
||||
|
||||
$res = $this->manager->getShareByToken('validToken');
|
||||
|
||||
$this->assertSame(\OCP\Constants::PERMISSION_READ, $res->getPermissions());
|
||||
}
|
||||
|
||||
public function testCheckPasswordNoLinkShare() {
|
||||
$share = $this->getMock('\OCP\Share\IShare');
|
||||
$share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_USER);
|
||||
|
|
|
|||
Loading…
Reference in New Issue