Merge pull request #706 from nextcloud/backport-637-prevent-delete-update-on-group-shares

[stable10] Do not allow to delete/update group shares as a group member
Björn Schießle 2016-08-03 14:52:49 +02:00 committed by GitHub
commit d896d42931
2 changed files with 20 additions and 4 deletions


@ -224,7 +224,7 @@ class Share20OCS {
return new \OC_OCS_Result(null, 404, 'could not delete share');
}
if (!$this->canAccessShare($share)) {
if (!$this->canAccessShare($share, false)) {
$share->getNode()->unlock(ILockingProvider::LOCK_SHARED);
return new \OC_OCS_Result(null, 404, $this->l->t('Could not delete share'));
}
@ -573,7 +573,7 @@ class Share20OCS {
$share->getNode()->lock(\OCP\Lock\ILockingProvider::LOCK_SHARED);
if (!$this->canAccessShare($share)) {
if (!$this->canAccessShare($share, false)) {
$share->getNode()->unlock(ILockingProvider::LOCK_SHARED);
return new \OC_OCS_Result(null, 404, $this->l->t('Wrong share ID, share doesn\'t exist'));
}
@ -703,7 +703,7 @@ class Share20OCS {
* @param \OCP\Share\IShare $share
* @return bool
*/
protected function canAccessShare(\OCP\Share\IShare $share) {
protected function canAccessShare(\OCP\Share\IShare $share, $checkGroups = true) {
// A file with permissions 0 can't be accessed by us. So Don't show it
if ($share->getPermissions() === 0) {
return false;
@ -722,7 +722,7 @@ class Share20OCS {
return true;
}
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
if ($checkGroups && $share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$sharedWith = $this->groupManager->get($share->getSharedWith());
if ($sharedWith->inGroup($this->currentUser)) {
return true;
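Review bot: The new `$checkGroups` parameter on `canAccessShare()` defaults to `true`, so the permissive group-membership path remains the default and every mutating caller has to remember to pass `false`; only the delete and update call sites in the first two hunks do so here. A default that fails closed, such as `$checkGroups = false` with the read paths opting in, or a separate method for write access, would keep a later call site from reintroducing the bypass. The remaining callers are not visible in these hunks, so that needs checking against the full file. The docblock above the signature still documents only `$share`; add `@param bool $checkGroups whether membership of the recipient group grants access`. In the last hunk the result of `$this->groupManager->get(...)` is dereferenced unchecked, which would presumably fail for a group that no longer exists; `if ($sharedWith !== null && $sharedWith->inGroup($this->currentUser))` would cover it. The function body starts and ends outside the hunks.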


@ -759,3 +759,19 @@ Feature: sharing
| shareType | 0 |
Then the OCS status code should be "997"
And the HTTP status code should be "401"
Scenario: Deleting a group share as user
Given As an "admin"
And user "user0" exists
And user "user1" exists
And group "group1" exists
And user "user1" belongs to group "group1"
And As an "user0"
And creating a share with
| path | welcome.txt |
| shareType | 1 |
| shareWith | group1 |
When As an "user1"
And Deleting last share
Then the OCS status code should be "404"
And the HTTP status code should be "200"
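Review bot: The added scenario exercises only deletion, while the commit also restricts the update path (the second `canAccessShare($share, false)` call), so that half of the fix has no regression test. A sibling scenario with the same setup that ends in `When As an "user1"`, an update of the last share using the suite's existing update step, and `Then the OCS status code should be "404"` would pin it. The delete scenario also stops at the status code; fetching the share again as user0 afterwards would confirm that nothing was actually removed.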