
Commit b0aaeb2

Prevent sharing share_folder
1 parent c75fecf commit b0aaeb2

3 files changed

+22
-2
lines changed

changelog/unreleased/36297

Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
Bugfix: Fix possibility of sharing for the share_folder by resetting share permission for it
2+
3+
share_folder had share permission so it was possible for the user to share all received shares.
4+
5+
https://github.com/owncloud/core/issues/36241
6+
https://github.com/owncloud/core/pull/36297
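
Review bot: The title on line 1 of this entry describes the mechanism ("by resetting share permission for it") rather than the user-visible effect, and the body on line 3 does not say what the user sees now. Suggest a title along the lines of "Bugfix: Prevent sharing of the share_folder itself" and a body sentence stating that an attempt to share the folder configured as share_folder is now rejected.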

lib/private/Files/View.php

Lines changed: 5 additions & 2 deletions
@@ -1503,8 +1503,11 @@ public function getDirectoryContent($directory, $mimetype_filter = '') {
15031503
$files = \array_filter($contents, function (ICacheEntry $content) {
15041504
return (!\OC\Files\Filesystem::isForbiddenFileOrDir($content['path']));
15051505
});
1506-
$files = \array_map(function (ICacheEntry $content) use ($path, $storage, $mount, $sharingDisabled) {
1507-
if ($sharingDisabled) {
1506+
1507+
$shareFolder = \trim($this->config->getSystemValue('share_folder', '/'), '/');
1508+
$files = \array_map(function (ICacheEntry $content) use ($path, $storage, $mount, $sharingDisabled, $shareFolder) {
1509+
$isShareFolder = $content['path'] === "files/$shareFolder";
1510+
if ($sharingDisabled || $isShareFolder) {
15081511
$content['permissions'] = $content['permissions'] & ~\OCP\Constants::PERMISSION_SHARE;
15091512
}
15101513
$owner = $this->getUserObjectForOwner($storage->getOwner($content['path']));
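
Review bot: The comparison at new line 1509 is an exact string match against "files/$shareFolder", and with the default value '/' the trim at new line 1507 leaves $shareFolder empty, so the compared string is "files/". Please make that case explicit, for example by only setting $isShareFolder when $shareFolder !== '', so the behaviour under the default configuration is a stated decision rather than a side effect of the string never matching. The mask is also applied only inside getDirectoryContent, so confirm that the same entry obtained another way does not still carry PERMISSION_SHARE. Finally, $this->config is read here without anything in the hunk showing where View gets it; confirm the property is initialised on every construction path.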

tests/acceptance/features/apiShareManagementBasic/createShare.feature

Lines changed: 11 additions & 0 deletions
@@ -1440,3 +1440,14 @@ Feature: sharing
14401440
| /randomfile.txt |
14411441
And the content of file "randomfile.txt" for user "user2" should be "user0 file"
14421442
And the content of file "randomfile.txt" for user "user1" should be "user0 file"
1443+
1444+
Scenario Outline: Do not allow sharing of the entire share_folder
1445+
Given using OCS API version "<ocs_api_version>"
1446+
And the administrator has set the default folder for received shares to "<share_folder>"
1447+
When user "user0" shares folder "/ReceivedShares" with user "user1" using the sharing API
1448+
Then the OCS status code should be "<ocs_status_code>"
1449+
And the HTTP status code should be "<http_status_code>"
1450+
Examples:
1451+
| ocs_api_version | ocs_status_code | http_status_code | share_folder |
1452+
| 1 | 403 | 200 | /ReceivedShares |
1453+
| 2 | 403 | 403 | /ReceivedShares |
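
Review bot: The When step at line 1447 hardcodes "/ReceivedShares" while line 1446 takes the folder from <share_folder>, and both example rows use the same value, so the share_folder column adds no coverage. Use "<share_folder>" in the When step and add rows for a differently named folder and a nested one, which would exercise the "files/$shareFolder" comparison with more than one path shape. Nothing in the scenario's own steps creates the folder or has user0 receive a share, so confirm the folder exists for user0 at that point and the 403 is produced by the permission check.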
