author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2020-04-06 10:06:41 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-06 10:06:41 +0300 |
commit | 395aac27285e8c56387444eccbac57191a7e0778 (patch) | |
tree | feb8e3680797a2f0cafb74640b3f6c376ab4afa5 | |
parent | b8958c4de59a9822eeeb6efddbf3f23f5b81f7a0 (diff) | |
parent | 95cb77786afb22f99152710d8f7f4d99ad932ce7 (diff) |
Merge pull request #843 from nextcloud/bugfix/noid/check-acl-before-restore
Check ACL before restoring from the trash bin
-rw-r--r-- | lib/Trash/TrashBackend.php | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/Trash/TrashBackend.php b/lib/Trash/TrashBackend.php
index 3c01ea8b..dd57384b 100644
--- a/lib/Trash/TrashBackend.php
+++ b/lib/Trash/TrashBackend.php
@@ -32,6 +32,7 @@ use OCP\Constants;
 use OCP\Files\Folder;
 use OCP\Files\Node;
 use OCP\Files\NotFoundException;
+use OCP\Files\NotPermittedException;
 use OCP\Files\Storage\IStorage;
 use OCP\IUser;
@@ -100,6 +101,9 @@ class TrashBackend implements ITrashBackend {
 if ($node === null) {
 throw new NotFoundException();
 }
+ if (!$this->userHasAccessToPath($item->getUser(), $folderId . '/' . $item->getOriginalLocation(), Constants::PERMISSION_UPDATE)) {
+ throw new NotPermittedException();
+ }
 $trashStorage = $node->getStorage();
 $targetFolder = $this->mountProvider->getFolder($folderId);
@@ -177,10 +181,10 @@ class TrashBackend implements ITrashBackend {
 return in_array($folderId, $folderIds);
 }
- private function userHasAccessToPath(IUser $user, string $path) {
- $permissions = $this->aclManagerFactory->getACLManager($user)
+ private function userHasAccessToPath(IUser $user, string $path, $permission = Constants::PERMISSION_READ) {
+ $activePermissions = $this->aclManagerFactory->getACLManager($user)
 ->getACLPermissionsForPath('__groupfolders/' . ltrim($path, '/'));
- return ($permissions & Constants::PERMISSION_READ) === Constants::PERMISSION_READ;
+ return ($activePermissions & $permission);
 }
 /**
|
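Review bot: The guard added in the `@@ -100,6 +101,9 @@` hunk demands `Constants::PERMISSION_UPDATE` on `$folderId . '/' . $item->getOriginalLocation()`, but nothing records why UPDATE on that path is the right to require, and the file no longer exists at that location when the ACL is evaluated. A comment above the `if` would help the next reader, for example `// Restoring writes back to the original location: require write access under the folder ACL, not just read`. It is worth confirming, since it is not visible here, that the ACL lookup for a path whose node is gone falls back to the rules of the nearest existing parent, and whether `Constants::PERMISSION_CREATE` on that parent should be required as well. The enclosing method starts and ends outside the hunk. A regression test asserting that a user with read-only ACL gets `NotPermittedException` on restore would pin the behaviour.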
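Review bot: In the `@@ -177,10 +181,10 @@` hunk the new return `($activePermissions & $permission)` is truthy when any one bit of `$permission` is granted and yields an int, whereas the removed line compared the masked value with the full constant and returned a bool. The call added in this commit passes a single-bit constant and the default is a single bit, so the outcome is the same today, but a later caller passing a combined mask such as `Constants::PERMISSION_READ | Constants::PERMISSION_UPDATE` would be let through while holding only one of the two. I would keep the all-bits comparison and type the helper: `private function userHasAccessToPath(IUser $user, string $path, int $permission = Constants::PERMISSION_READ): bool {` with `return ($activePermissions & $permission) === $permission;`.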