Handle permission in update of share better

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
nextcloud · Nov 20, 2018 · 7b2a7f6 · 7b2a7f6
1 parent d268a97
commit 7b2a7f6
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -695,6 +695,10 @@ public function updateShare(
 			throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist'));
 		}
 
+		if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) {
+			throw new OCSForbiddenException('You are not allowed to edit incomming shares');
+		}
+
 		if ($permissions === null && $password === null && $publicUpload === null && $expireDate === null) {
 			throw new OCSBadRequestException($this->l->t('Wrong or no update parameter given'));
 		}