Do not allow transfer ownership when the user isn't the owner

Signed-off-by: Gary Kim <gary@garykim.dev>
author: Gary Kim <gary@garykim.dev> 2020-03-04 08:58:55 +0300
committer: Gary Kim <gary@garykim.dev> 2020-03-04 09:05:58 +0300
commit: 00dd295c097d1fc3c7537159e26ebfd705de4cb3 (patch)
tree: e34c09dd24e21ba2ab0442a9a5a544037ba7f7b8 /apps/files/lib
parent: 8607a9871ce7f1f34f0514fb939f48680667825d (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/files/lib/Controller/TransferOwnershipController.php b/apps/files/lib/Controller/TransferOwnershipController.php
index 639e73187ca..0b33e12e88f 100644
--- a/apps/files/lib/Controller/TransferOwnershipController.php
+++ b/apps/files/lib/Controller/TransferOwnershipController.php
@@ -96,6 +96,10 @@ class TransferOwnershipController extends OCSController {
 			return new DataResponse([], Http::STATUS_BAD_REQUEST);
 		}
 
+		if ($node->getOwner()->getUID() !== $this->userId) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		$transferOwnership = new TransferOwnershipEntity();
 		$transferOwnership->setSourceUser($this->userId);
 		$transferOwnership->setTargetUser($recipient);
author	Gary Kim <gary@garykim.dev>	2020-03-04 08:58:55 +0300
committer	Gary Kim <gary@garykim.dev>	2020-03-04 09:05:58 +0300
commit	00dd295c097d1fc3c7537159e26ebfd705de4cb3 (patch)
tree	e34c09dd24e21ba2ab0442a9a5a544037ba7f7b8 /apps/files/lib
parent	8607a9871ce7f1f34f0514fb939f48680667825d (diff)