From 63218ec098655f9d7630b16394818746736d2f77 Mon Sep 17 00:00:00 2001
From: Robin McCorkell
Date: Tue, 25 Aug 2015 14:51:47 +0100
Subject: [PATCH] Prevent objectstore being set from client side
---
 apps/files_external/controller/storagescontroller.php | 10 ++++++++++
 apps/files_external/service/storagesservice.php | 8 ++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/apps/files_external/controller/storagescontroller.php b/apps/files_external/controller/storagescontroller.php
index 3d91af8bd8..613f22c033 100644
--- a/apps/files_external/controller/storagescontroller.php
+++ b/apps/files_external/controller/storagescontroller.php
@@ -138,6 +138,16 @@ abstract class StoragesController extends Controller {
 );
 }
+ if ($storage->getBackendOption('objectstore')) {
+ // objectstore must not be sent from client side
+ return new DataResponse(
+ array(
+ 'message' => (string)$this->l10n->t('Objectstore forbidden')
+ ),
+ Http::STATUS_UNPROCESSABLE_ENTITY
+ );
+ }
+
 /** @var Backend */
 $backend = $storage->getBackend();
 /** @var AuthMechanism */
diff --git a/apps/files_external/service/storagesservice.php b/apps/files_external/service/storagesservice.php
index 3e2152741e..947e544d88 100644
--- a/apps/files_external/service/storagesservice.php
+++ b/apps/files_external/service/storagesservice.php
@@ -472,10 +472,14 @@ abstract class StoragesService {
 if (!isset($allStorages[$id])) {
 throw new NotFoundException('Storage with id "' . $id . '" not found');
 }
-
 $oldStorage = $allStorages[$id];
- $allStorages[$id] = $updatedStorage;
+ // ensure objectstore is persistent
+ if ($objectstore = $oldStorage->getBackendOption('objectstore')) {
+ $updatedStorage->setBackendOption('objectstore', $objectstore);
+ }
+
+ $allStorages[$id] = $updatedStorage;
 $this->writeConfig($allStorages);
 $this->triggerChangeHooks($oldStorage, $updatedStorage);
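Review bot: The new guard in the controller tests `objectstore` by truthiness, so a request that supplies the key with a falsy value (empty string, `0`, `false`) is not rejected and the key stays in the storage's backend options. Whether that is harmful depends on how the option is read later, which this hunk does not show, but rejecting on presence matches the stated intent more closely: `if ($storage->getBackendOption('objectstore') !== null) {`, assuming getBackendOption() returns null for an unset key. The enclosing method starts and ends outside the hunk, so it is not visible here whether every create and update route passes through this check.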
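Review bot: The restore in the service hunk only runs when the old storage has a truthy `objectstore`, so when the old storage has none, whatever `$updatedStorage` carries is passed to writeConfig() unchanged. That leaves the controller check as the only guard against a newly introduced value, and any caller that reaches this service without the controller is not covered; a create path, if the service has one, is not touched by this patch either. Copying the old value unconditionally would close the update case and drop the assignment inside the condition, `$updatedStorage->setBackendOption('objectstore', $oldStorage->getBackendOption('objectstore'));`, provided a null option is stored the same way as a missing one, which needs checking. The method body continues outside the hunk.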