From a343a60a6886162c3556e5cff5a12d6218804a58 Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Tue, 20 Nov 2018 09:42:01 +0100 Subject: [PATCH] Handle permission in update of share better Signed-off-by: Roeland Jago Douma --- apps/files_sharing/lib/Controller/ShareAPIController.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php index e33f93e8ce6c5..2bd535e319f4c 100644 --- a/apps/files_sharing/lib/Controller/ShareAPIController.php +++ b/apps/files_sharing/lib/Controller/ShareAPIController.php @@ -808,6 +808,10 @@ public function updateShare( throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist')); } + if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) { + throw new OCSForbiddenException('You are not allowed to edit incomming shares'); + } + if ($permissions === null && $password === null && $sendPasswordByTalk === null &&