Skip to content
Permalink
Browse files Browse the repository at this point in the history
Do not allow to delete/update group shares as a group member
  • Loading branch information
nickvergessen committed Aug 3, 2016
1 parent 37d1277 commit a5471b4
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions apps/files_sharing/api/share20ocs.php
Expand Up @@ -240,7 +240,7 @@ public function deleteShare($id) {
}
}

if (!$this->canAccessShare($share)) {
if (!$this->canAccessShare($share, false)) {
return new \OC_OCS_Result(null, 404, 'could not delete share');
}

Expand Down Expand Up @@ -564,7 +564,7 @@ public function updateShare($id) {
}
}

if (!$this->canAccessShare($share)) {
if (!$this->canAccessShare($share, false)) {
return new \OC_OCS_Result(null, 404, 'wrong share Id, share doesn\'t exist.');
}

Expand Down Expand Up @@ -669,9 +669,10 @@ public function updateShare($id) {

/**
* @param \OCP\Share\IShare $share
* @param bool $checkGroups
* @return bool
*/
protected function canAccessShare(\OCP\Share\IShare $share) {
protected function canAccessShare(\OCP\Share\IShare $share, $checkGroups = true) {
// A file with permissions 0 can't be accessed by us. So Don't show it
if ($share->getPermissions() === 0) {
return false;
Expand All @@ -690,7 +691,7 @@ protected function canAccessShare(\OCP\Share\IShare $share) {
return true;
}

if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
if ($checkGroups && $share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$sharedWith = $this->groupManager->get($share->getSharedWith());
if ($sharedWith->inGroup($this->currentUser)) {
return true;
Expand Down

0 comments on commit a5471b4

Please sign in to comment.