Skip to content
Permalink
Browse files

add some additonal permission checks to the webdav backend

  • Loading branch information...
schiessle committed Jun 30, 2016
1 parent 723cf78 commit 3491400261c1454a9a30d3ec96969573330120cc
@@ -71,7 +71,7 @@ public function init(\Sabre\DAV\INode $rootNode, \OC\Files\View $view, \OCP\File
* is present.
*
* @param string $path chunk file path to convert
*
*
* @return string path to real file
*/
private function resolveChunkFile($path) {
@@ -184,16 +184,29 @@ public function getNodeForPath($path) {
*
* @param string $sourcePath The path to the file which should be moved
* @param string $destinationPath The full destination path, so not just the destination parent node
* @throws \Sabre\DAV\Exception\BadRequest
* @throws \Sabre\DAV\Exception\ServiceUnavailable
* @throws \Sabre\DAV\Exception\Forbidden
* @return int
* @throws FileLocked
* @throws Forbidden
* @throws InvalidPath
* @throws \Sabre\DAV\Exception\Forbidden
* @throws \Sabre\DAV\Exception\Locked
* @throws \Sabre\DAV\Exception\NotFound
* @throws \Sabre\DAV\Exception\ServiceUnavailable
*/
public function move($sourcePath, $destinationPath) {
if (!$this->fileView) {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
$infoDestination = $this->fileView->getFileInfo(dirname($destinationPath));
$infoSource = $this->fileView->getFileInfo($sourcePath);
$destinationPermission = $infoDestination && $infoDestination->isUpdateable();
$sourcePermission = $infoSource && $infoSource->isDeletable();
if (!$destinationPermission || !$sourcePermission) {
throw new Forbidden('No permissions to move object.');
}
$targetNodeExists = $this->nodeExists($destinationPath);
$sourceNode = $this->getNodeForPath($sourcePath);
if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) {
@@ -263,14 +276,24 @@ public function move($sourcePath, $destinationPath) {
*
* @param string $source
* @param string $destination
* @throws FileLocked
* @throws Forbidden
* @throws InvalidPath
* @throws \Exception
* @throws \Sabre\DAV\Exception\Locked
* @throws \Sabre\DAV\Exception\NotFound
* @throws \Sabre\DAV\Exception\ServiceUnavailable
* @return void
*/
public function copy($source, $destination) {
if (!$this->fileView) {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
$info = $this->fileView->getFileInfo(dirname($destination));
if ($info && !$info->isUpdateable()) {
throw new Forbidden('No permissions to copy object.');
}
// this will trigger existence check
$this->getNodeForPath($source);
@@ -56,6 +56,11 @@ public function rename($path1, $path2) {
public function getRelativePath($path) {
return $path;
}
public function getFileInfo($path, $includeMountPoints = true) {
$objectTreeTest = new ObjectTreeTest();
return $objectTreeTest->getFileInfoMock();
}
}
/**
@@ -67,6 +72,21 @@ public function getRelativePath($path) {
*/
class ObjectTree extends \Test\TestCase {
public function getFileInfoMock() {
$mock = $this->getMock('\OCP\Files\FileInfo');
$mock
->expects($this->any())
->method('isDeletable')
->willReturn(true);
$mock
->expects($this->any())
->method('isUpdateable')
->willReturn(true);
return $mock;
}
/**
* @dataProvider moveFailedProvider
* @expectedException \Sabre\DAV\Exception\Forbidden
@@ -64,9 +64,25 @@ public function userMovesFile($user, $fileSource, $fileDestination){
$this->response = $this->makeDavRequest($user, "MOVE", $fileSource, $headers);
}
/**
* @When /^Downloading file "([^"]*)" with range "([^"]*)"$/
* @When /^User "([^"]*)" copies file "([^"]*)" to "([^"]*)"$/
* @param string $user
* @param string $fileSource
* @param string $fileDestination
*/
public function userCopiesFileTo($user, $fileSource, $fileDestination) {
$fullUrl = substr($this->baseUrl, 0, -4) . $this->davPath;
$headers['Destination'] = $fullUrl . $fileDestination;
try {
$this->response = $this->makeDavRequest($user, 'COPY', $fileSource, $headers);
} catch (\GuzzleHttp\Exception\ClientException $e) {
// 4xx and 5xx responses cause an exception
$this->response = $e->getResponse();
}
}
public function downloadFileWithRange($fileSource, $range){
$fullUrl = substr($this->baseUrl, 0, -4) . $this->davPath;
$headers['Range'] = $range;
@@ -241,3 +241,35 @@ Feature: webdav-related
| 0 |
| 1 |
| 3 |


Scenario: Copying files into a folder with edit permissions
Given using dav path "remote.php/webdav"
And user "user0" exists
And user "user1" exists
And As an "user1"
And user "user1" created a folder "/testcopypermissionsAllowed"
And as "user1" creating a share with
| path | testcopypermissionsAllowed |
| shareType | 0 |
| permissions | 31 |
| shareWith | user0 |
And User "user0" uploads file with content "copytest" to "/copytest.txt"
When User "user0" copies file "/copytest.txt" to "/testcopypermissionsAllowed/copytest.txt"
Then the HTTP status code should be "201"


Scenario: Copying files into a folder without edit permissions
Given using dav path "remote.php/webdav"
And user "user0" exists
And user "user1" exists
And As an "user1"
And user "user1" created a folder "/testcopypermissionsNotAllowed"
And as "user1" creating a share with
| path | testcopypermissionsNotAllowed |
| shareType | 0 |
| permissions | 1 |
| shareWith | user0 |
And User "user0" uploads file with content "copytest" to "/copytest.txt"
When User "user0" copies file "/copytest.txt" to "/testcopypermissionsNotAllowed/copytest.txt"
Then the HTTP status code should be "403"

0 comments on commit 3491400

Please sign in to comment.
You can’t perform that action at this time.