diff options
author | Gary Kim <gary@garykim.dev> | 2020-03-04 08:58:55 +0300 |
---|---|---|
committer | Gary Kim <gary@garykim.dev> | 2020-03-04 09:05:58 +0300 |
commit | 00dd295c097d1fc3c7537159e26ebfd705de4cb3 (patch) | |
tree | e34c09dd24e21ba2ab0442a9a5a544037ba7f7b8 /apps/files/lib | |
parent | 8607a9871ce7f1f34f0514fb939f48680667825d (diff) |
Do not allow transfer ownership when the user isn't the owner
Signed-off-by: Gary Kim <gary@garykim.dev>
Diffstat (limited to 'apps/files/lib')
-rw-r--r-- | apps/files/lib/Controller/TransferOwnershipController.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/files/lib/Controller/TransferOwnershipController.php b/apps/files/lib/Controller/TransferOwnershipController.php index 639e73187ca..0b33e12e88f 100644 --- a/apps/files/lib/Controller/TransferOwnershipController.php +++ b/apps/files/lib/Controller/TransferOwnershipController.php @@ -96,6 +96,10 @@ class TransferOwnershipController extends OCSController { return new DataResponse([], Http::STATUS_BAD_REQUEST); } + if ($node->getOwner()->getUID() !== $this->userId) { + return new DataResponse([], Http::STATUS_FORBIDDEN); + } + $transferOwnership = new TransferOwnershipEntity(); $transferOwnership->setSourceUser($this->userId); $transferOwnership->setTargetUser($recipient); |