fix public link update

cs3org · Dec 7, 2023 · 59bfd5e · 59bfd5e
1 parent 7b47abd
commit 59bfd5e
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/changelog/unreleased/fix-publick-link-update.md b/changelog/unreleased/fix-publick-link-update.md
@@ -0,0 +1,6 @@
+Bugfix: Fix the public link update
+
+We fixed a bug when normal users can update the public link to delete its password if permission is not sent in data.
+
+https://github.com/cs3org/reva/pull/4380        
+https://github.com/owncloud/ocis/issues/7821
diff --git a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go
@@ -419,9 +419,15 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 	}
 
 	// empty permissions mean internal link here - NOT denial. Hence we need an extra check
-	if !sufficientPermissions(statRes.GetInfo().GetPermissionSet(), newPermissions, true) {
-		response.WriteOCSError(w, r, http.StatusForbidden, "no share permission", nil)
-		return
+	if newPermissions != nil {
+		if !sufficientPermissions(statRes.GetInfo().GetPermissionSet(), newPermissions, true) {
+			response.WriteOCSError(w, r, http.StatusForbidden, "no share permission", nil)
+			return
+		}
+	} else {
+		statRes.GetInfo().GetPermissionSet()
+		p := decreasePermissionsIfNecessary(int(conversions.RoleFromResourcePermissions(statRes.GetInfo().GetPermissionSet(), false).OCSPermissions()))
+		permKey = &p
 	}
 
 	// ExpireDate