Add more check on user before modifying a share.

core/src/plugins/action.share/class.ShareCenter.php

@@ -1570,6 +1570,9 @@ public function createSharedMinisite($httpVars, $repository, $accessDriver)
         $this->initPublicFolder($downloadFolder);
 
         if(isset($existingData)){
+            $repo = ConfService::getRepositoryById($existingData["REPOSITORY"]);
+            if($repo == null) throw new Exception("Oups, something went wrong");
+            $this->shareStore->testUserCanEditShare($repo->getOwner());
             $data = $existingData;
         }else{
             $data = array(
@@ -1825,6 +1828,7 @@ public function createSharedRepository($httpVars, $repository, $accessDriver, $u
             $options["PLUGINS_DATA"] = $customData;
         }
         if (isSet($editingRepo)) {
+            $this->shareStore->testUserCanEditShare($editingRepo->getOwner());
             $newRepo = $editingRepo;
             $replace = false;
             if ($editingRepo->getDisplay() != $label) {

core/src/plugins/action.share/class.ShareStore.php

@@ -278,7 +278,7 @@ public function listShares($limitToUser = '', $parentRepository = '', $cursor =
         return $dbLets;
     }
 
-    protected function testUserCanEditShare($userId){
+    public function testUserCanEditShare($userId){
 
         if(empty($userId)){
             $mess = ConfService::getMessages();
@@ -432,7 +432,12 @@ public function incrementDownloadCounter($hash){
 
     public function resetDownloadCounter($hash, $userId){
         $data = $this->loadShare($hash);
-        // TODO We must check that the user has the right to do that!
+        $repoId = $data["REPOSITORY"];
+        $repo = ConfService::getRepositoryById($repoId);
+        if ($repo == null) {
+            throw new Exception("Cannot find associated share");
+        }
+        $this->testUserCanEditShare($repo->getOwner());
         PublicletCounter::reset($hash);
     }