adding privilege check on move and rename operations
This commit is contained in:
Thomas Müller
parent
40871bab88
commit
ee1f627155
2 changed files with 34 additions and 1 deletions
|
|
@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
|
|||
*/
|
||||
public function setName($name) {
|
||||
|
||||
// rename is only allowed if the update privilege is granted
|
||||
if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
|
||||
throw new \Sabre_DAV_Exception_Forbidden();
|
||||
}
|
||||
|
||||
list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
|
||||
list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
|
||||
|
||||
|
|
@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
|
|||
* Even if the modification time is set to a custom value the access time is set to now.
|
||||
*/
|
||||
public function touch($mtime) {
|
||||
|
||||
// touch is only allowed if the update privilege is granted
|
||||
if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
|
||||
throw new \Sabre_DAV_Exception_Forbidden();
|
||||
}
|
||||
|
||||
\OC\Files\Filesystem::touch($this->path, $mtime);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -64,7 +64,29 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
|
|||
list($sourceDir,) = \Sabre_DAV_URLUtil::splitPath($sourcePath);
|
||||
list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destinationPath);
|
||||
|
||||
Filesystem::rename($sourcePath, $destinationPath);
|
||||
// check update privileges
|
||||
if ($sourceDir === $destinationDir) {
|
||||
// for renaming it's enough to check if the sourcePath can be updated
|
||||
if (!\OC\Files\Filesystem::isUpdatable($sourcePath)) {
|
||||
throw new \Sabre_DAV_Exception_Forbidden();
|
||||
}
|
||||
} else {
|
||||
// for a full move we need update privileges on sourcePath and sourceDir as well as destinationDir
|
||||
if (!\OC\Files\Filesystem::isUpdatable($sourcePath)) {
|
||||
throw new \Sabre_DAV_Exception_Forbidden();
|
||||
}
|
||||
if (!\OC\Files\Filesystem::isUpdatable($sourceDir)) {
|
||||
throw new \Sabre_DAV_Exception_Forbidden();
|
||||
}
|
||||
if (!\OC\Files\Filesystem::isUpdatable($destinationDir)) {
|
||||
throw new \Sabre_DAV_Exception_Forbidden();
|
||||
}
|
||||
}
|
||||
|
||||
$renameOkay = Filesystem::rename($sourcePath, $destinationPath);
|
||||
if (!$renameOkay) {
|
||||
throw new \Sabre_DAV_Exception_Forbidden('');
|
||||
}
|
||||
|
||||
$this->markDirty($sourceDir);
|
||||
$this->markDirty($destinationDir);
|
||||
|
|
|
|||
Loading…
Reference in a new issue