Check permissions when downloading files.

gollem/lib/Application.php

@@ -312,9 +312,17 @@ public function topbarCreate(Horde_Tree_Renderer_Base $tree, $parent = null,
      */
     public function download(Horde_Variables $vars)
     {
-        $vfs = $GLOBALS['injector']
-            ->getInstance('Gollem_Factory_Vfs')
+        global $injector, $session;
+
+        // Check permissions.
+        if ($vars->backend != $session->get('gollem', 'backend_key')) {
+            throw new Horde_Exception_PermissionDenied();
+        }
+        Gollem::changeDir();
+
+        $vfs = $injector->getInstance('Gollem_Factory_Vfs')
             ->create($vars->backend);
+
         $res = array(
             'data' => is_callable(array($vfs, 'readStream'))
                 ? $vfs->readStream($vars->dir, $vars->filename)
@@ -323,7 +331,8 @@ public function download(Horde_Variables $vars)
 
         try {
             $res['size'] = $vfs->size($vars->dir, $vars->filename);
-        } catch (Horde_Vfs_Exception $e) {}
+        } catch (Horde_Vfs_Exception $e) {
+        }
 
         return $res;
     }