Skip to content
Permalink
Browse files

Do not allow to delete/update group shares as a group member

  • Loading branch information...
nickvergessen committed Aug 3, 2016
1 parent 37d1277 commit a5471b4a3e3f30e99e4de39c97c0c3b3c2f1618f
Showing with 5 additions and 4 deletions.
  1. +5 −4 apps/files_sharing/api/share20ocs.php
@@ -240,7 +240,7 @@ public function deleteShare($id) {
}
}
if (!$this->canAccessShare($share)) {
if (!$this->canAccessShare($share, false)) {
return new \OC_OCS_Result(null, 404, 'could not delete share');
}
@@ -564,7 +564,7 @@ public function updateShare($id) {
}
}
if (!$this->canAccessShare($share)) {
if (!$this->canAccessShare($share, false)) {
return new \OC_OCS_Result(null, 404, 'wrong share Id, share doesn\'t exist.');
}
@@ -669,9 +669,10 @@ public function updateShare($id) {
/**
* @param \OCP\Share\IShare $share
* @param bool $checkGroups
* @return bool
*/
protected function canAccessShare(\OCP\Share\IShare $share) {
protected function canAccessShare(\OCP\Share\IShare $share, $checkGroups = true) {
// A file with permissions 0 can't be accessed by us. So Don't show it
if ($share->getPermissions() === 0) {
return false;
@@ -690,7 +691,7 @@ protected function canAccessShare(\OCP\Share\IShare $share) {
return true;
}
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
if ($checkGroups && $share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$sharedWith = $this->groupManager->get($share->getSharedWith());
if ($sharedWith->inGroup($this->currentUser)) {
return true;

0 comments on commit a5471b4

Please sign in to comment.
You can’t perform that action at this time.