Merge pull request #1718 from nextcloud/copy-owner

albums: check copy source owner is the current user and throw
nextcloud · Apr 12, 2023 · 9bea79b · 9bea79b
2 parents 2dfd705 + 79c8c4a
commit 9bea79b
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/lib/Sabre/Album/AlbumRoot.php b/lib/Sabre/Album/AlbumRoot.php
@@ -156,13 +156,18 @@ public function getLastModified(): int {
  }
 
  public function copyInto($targetName, $sourcePath, INode $sourceNode): bool {
- if ($sourceNode instanceof File) {
- $sourceId = $sourceNode->getId();
- $ownerUID = $sourceNode->getFileInfo()->getOwner()->getUID();
- return $this->addFile($sourceId, $ownerUID);
+ if (!$sourceNode instanceof File) {
+ throw new Forbidden("The source is not a file");
  }
+
+ $sourceId = $sourceNode->getId();
+ $ownerUID = $sourceNode->getFileInfo()->getOwner()->getUID();
  $uid = $this->userId;
- throw new \Exception("Can't add file to album, only files from $uid can be added");
+ if ($ownerUID !== $uid) {
+ throw new Forbidden("Can't add file to album, only files from $uid can be added");
+ }
+
+ return $this->addFile($sourceId, $ownerUID);
  }
 
  protected function addFile(int $sourceId, string $ownerUID): bool {