Merge pull request #2100 from nextcloud/do_not_increse_link_share_perms
Fixes link share permissions being increased when that is not allowed
commit
ff96fffe39
|
@ -692,6 +692,7 @@ class ShareAPIController extends OCSController {
|
|||
|
||||
if ($newPermissions !== null) {
|
||||
$share->setPermissions($newPermissions);
|
||||
$permissions = $newPermissions;
|
||||
}
|
||||
|
||||
if ($expireDate === '') {
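Review bot: The `$permissions = $newPermissions;` assignment (the added line, as far as this rendering shows) appears to carry the security fix, but nothing in the block says so. Judging by the new tests, a reshare check further down in `updateShare` (outside this hunk) raises 'Cannot increase permissions' and presumably keys off `$permissions`, so a link-share update that only sets `publicUpload` would bypass it without this line. I would add a comment above the assignment such as `// Feed link-share permission changes into the reshare check below so publicUpload cannot exceed the incoming share`. Note also that `$share->setPermissions($newPermissions)` mutates the share before that check runs, which is safe only while nothing persists the object on the rejection path; the new test pins this with `expects($this->never())->method('updateShare')`.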
|
||||
|
|
|
@ -1205,7 +1205,7 @@ class ShareAPIControllerTest extends \Test\TestCase {
|
|||
public function testUpdateLinkShareClear() {
|
||||
$ocs = $this->mockFormatShare();
|
||||
|
||||
$node = $this->getMockBuilder('\OCP\Files\Folder')->getMock();
|
||||
$node = $this->getMockBuilder(Folder::class)->getMock();
|
||||
$share = $this->newShare();
|
||||
$share->setPermissions(\OCP\Constants::PERMISSION_ALL)
|
||||
->setSharedBy($this->currentUser)
|
||||
|
@ -1229,6 +1229,9 @@ class ShareAPIControllerTest extends \Test\TestCase {
|
|||
})
|
||||
)->will($this->returnArgument(0));
|
||||
|
||||
$this->shareManager->method('getSharedWith')
|
||||
->willReturn([]);
|
||||
|
||||
$expected = new DataResponse(null);
|
||||
$result = $ocs->updateShare(42, null, '', 'false', '');
|
||||
|
||||
|
@ -1261,6 +1264,9 @@ class ShareAPIControllerTest extends \Test\TestCase {
|
|||
})
|
||||
)->will($this->returnArgument(0));
|
||||
|
||||
$this->shareManager->method('getSharedWith')
|
||||
->willReturn([]);
|
||||
|
||||
$expected = new DataResponse(null);
|
||||
$result = $ocs->updateShare(42, null, 'password', 'true', '2000-01-01');
|
||||
|
||||
|
@ -1483,6 +1489,9 @@ class ShareAPIControllerTest extends \Test\TestCase {
|
|||
})
|
||||
)->will($this->returnArgument(0));
|
||||
|
||||
$this->shareManager->method('getSharedWith')
|
||||
->willReturn([]);
|
||||
|
||||
$expected = new DataResponse(null);
|
||||
$result = $ocs->updateShare(42, null, null, 'true', null);
|
||||
|
||||
|
@ -1633,6 +1642,52 @@ class ShareAPIControllerTest extends \Test\TestCase {
|
|||
}
|
||||
}
|
||||
|
||||
public function testUpdateShareCannotIncreasePermissionsLinkShare() {
|
||||
$ocs = $this->mockFormatShare();
|
||||
|
||||
$folder = $this->createMock(Folder::class);
|
||||
|
||||
$share = \OC::$server->getShareManager()->newShare();
|
||||
$share
|
||||
->setId(42)
|
||||
->setSharedBy($this->currentUser)
|
||||
->setShareOwner('anotheruser')
|
||||
->setShareType(\OCP\Share::SHARE_TYPE_LINK)
|
||||
->setPermissions(\OCP\Constants::PERMISSION_READ)
|
||||
->setNode($folder);
|
||||
|
||||
// note: updateShare will modify the received instance but getSharedWith will reread from the database,
|
||||
// so their values will be different
|
||||
$incomingShare = \OC::$server->getShareManager()->newShare();
|
||||
$incomingShare
|
||||
->setId(42)
|
||||
->setSharedBy($this->currentUser)
|
||||
->setShareOwner('anotheruser')
|
||||
->setShareType(\OCP\Share::SHARE_TYPE_USER)
|
||||
->setSharedWith('currentUser')
|
||||
->setPermissions(\OCP\Constants::PERMISSION_READ)
|
||||
->setNode($folder);
|
||||
|
||||
$this->shareManager->method('getShareById')->with('ocinternal:42')->willReturn($share);
|
||||
|
||||
$this->shareManager->expects($this->any())
|
||||
->method('getSharedWith')
|
||||
->will($this->returnValueMap([
|
||||
['currentUser', \OCP\Share::SHARE_TYPE_USER, $share->getNode(), -1, 0, [$incomingShare]],
|
||||
['currentUser', \OCP\Share::SHARE_TYPE_GROUP, $share->getNode(), -1, 0, []]
|
||||
]));
|
||||
|
||||
$this->shareManager->expects($this->never())->method('updateShare');
|
||||
$this->shareManager->method('shareApiLinkAllowPublicUpload')->willReturn(true);
|
||||
|
||||
try {
|
||||
$ocs->updateShare(42, null, null, 'true');
|
||||
$this->fail();
|
||||
} catch (OCSNotFoundException $e) {
|
||||
$this->assertEquals('Cannot increase permissions', $e->getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
public function testUpdateShareCanIncreasePermissionsIfOwner() {
|
||||
$ocs = $this->mockFormatShare();
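Review bot: `testUpdateShareCannotIncreasePermissionsLinkShare` exercises only the incoming user share; the `SHARE_TYPE_GROUP` row of the `returnValueMap` returns `[]`, so a reshare of a folder received through a group is not covered by the new regression test. A sibling case that puts the incoming share in the group row would pin both lookups. The bare `$this->fail();` should carry a message, e.g. `$this->fail('updateShare must reject publicUpload on a read-only reshare');`, so a regression is readable in the test log. The shares are built with `\OC::$server->getShareManager()->newShare()` while `testUpdateLinkShareClear` uses `$this->newShare()`; using the helper would keep the test off the global container. `testUpdateShareCanIncreasePermissionsIfOwner` continues outside the hunk.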
|
||||
|
||||
|
|
|
@ -971,3 +971,20 @@ Feature: sharing
|
|||
When Deleting last share
|
||||
Then etag of element "/" of user "user1" has changed
|
||||
And etag of element "/PARENT" of user "user0" has not changed
|
||||
|
||||
Scenario: do not allow to increase link share permissions on reshare
|
||||
Given As an "admin"
|
||||
And user "admin" created a folder "/TMP"
|
||||
And user "user0" exists
|
||||
And creating a share with
|
||||
| path | TMP |
|
||||
| shareType | 0 |
|
||||
| shareWith | user0 |
|
||||
| permissions | 17 |
|
||||
When As an "user0"
|
||||
And creating a share with
|
||||
| path | TMP |
|
||||
| shareType | 3 |
|
||||
And Updating last share with
|
||||
| publicUpload | true |
|
||||
Then the OCS status code should be "404"
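Review bot: The scenario ends on `Then the OCS status code should be "404"`, which would also pass if the update failed for an unrelated reason such as the share not being found. It would be a stronger regression guard if it went on to read the link share back and assert that its permissions are unchanged after the rejected `publicUpload` update, using whatever share-info steps this feature file already provides. A short `#` comment above the scenario, noting that the incoming share is created with permissions 17 and that the link share must not exceed it, would also help the next reader.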
|
||||
|
|