Merge pull request #12562 from nextcloud/backport/12544/stable13

rullzer · web-flow · commit bea70d4ad37b · 2018-11-21T08:57:55.000+01:00
[13] Handle permission in update of share better
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -695,6 +695,10 @@ public function updateShare(
 			throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist'));
 		}
 
+		if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) {
+			throw new OCSForbiddenException('You are not allowed to edit incomming shares');
+		}
+
 		if ($permissions === null && $password === null && $publicUpload === null && $expireDate === null) {
 			throw new OCSBadRequestException($this->l->t('Wrong or no update parameter given'));
 		}

Original file line number	Diff line number	Diff line change
`@@ -695,6 +695,10 @@ public function updateShare(`
`695`	`695`	`throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist'));`
`696`	`696`	`}`
`697`	`697`
	`698`	`+ if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) {`
	`699`	`+ throw new OCSForbiddenException('You are not allowed to edit incomming shares');`
	`700`	`+ }`
	`701`	`+`
`698`	`702`	`if ($permissions === null && $password === null && $publicUpload === null && $expireDate === null) {`
`699`	`703`	`throw new OCSBadRequestException($this->l->t('Wrong or no update parameter given'));`
`700`	`704`	`}`