Make users only able to share with users in groups they belong to

apps/files_sharing/ajax/userautocomplete.php

@@ -7,21 +7,23 @@ OC_JSON::checkLoggedIn();
 OC_JSON::checkAppEnabled('files_sharing');
 
 $users = array();
-$ocusers = OC_User::getUsers();
+$groups = array();
 $self = OC_User::getUser();
-$groups = OC_Group::getUserGroups($self);
+$userGroups = OC_Group::getUserGroups($self);
 $users[] = "<optgroup label='Users'>";
-foreach ($ocusers as $user) {
-	if ($user != $self) {
-		$users[] = "<option value='".$user."'>".$user."</option>";
+$groups[] = "<optgroup label='Groups'>";
+foreach ($userGroups as $group) {
+	$groupUsers = OC_Group::usersInGroup($group);
+	foreach ($groupUsers as $user) {
+		if ($user != $self) {
+			$users[] = "<option value='".$user."'>".$user."</option>";
+		}
 	}
+	$groups[] = "<option value='".$group."'>".$group."</option>";
 }
 $users[] = "</optgroup>";
-$users[] = "<optgroup label='Groups'>";
-foreach ($groups as $group) {
-	$users[] = "<option value='".$group."'>".$group."</option>";
-}
-$users[] = "</optgroup>";
+$groups[] = "</optgroup>";
+$users = array_merge($users, $groups);
 OC_JSON::encodedPrint($users);
 
 ?>

apps/files_sharing/lib_share.php

@@ -52,8 +52,18 @@ class OC_Share {
 				// Remove the owner from the list of users in the group
 				$uid_shared_with = array_diff($uid_shared_with, array($uid_owner));
 			} else if (OC_User::userExists($uid_shared_with)) {
-				$gid = null;
-				$uid_shared_with = array($uid_shared_with);
+				$userGroups = OC_Group::getUserGroups($uid_owner);
+				// Check if the user is in one of the owner's groups
+				foreach ($userGroups as $group) {
+					if ($inGroup = OC_Group::inGroup($uid_shared_with, $group)) {
+						$gid = null;
+						$uid_shared_with = array($uid_shared_with);
+						break;
+					}
+				}
+				if (!$inGroup) {
+					throw new Exception("You can't share with ".$uid_shared_with);
+				}
 			} else {
 				throw new Exception($uid_shared_with." is not a user");
 			}