diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index 470e4c53c5c05..2d27293dfd8ce 100644
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -695,6 +695,10 @@ public function updateShare(
 throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist'));
 }
 
+ if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) {
+ throw new OCSForbiddenException('You are not allowed to edit incomming shares');
+ }
+
 if ($permissions === null && $password === null && $publicUpload === null && $expireDate === null) {
 throw new OCSBadRequestException($this->l->t('Wrong or no update parameter given'));
 }
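Review bot: The message of the new `OCSForbiddenException` is a hard-coded, misspelled string ("incomming"), while both neighbouring throws go through `$this->l->t()`; I would write `throw new OCSForbiddenException($this->l->t('You are not allowed to edit incoming shares'));`. The guard is an authorization boundary and runs before any update parameter is inspected, so it deserves a controller test that calls updateShare as a user who is neither share owner nor initiator and asserts both the 403 and an unchanged share. The strict `!==` only holds if `$this->currentUser` carries the same string UID that `getShareOwner()` and `getSharedBy()` return, which is not visible here. updateShare's body and docblock continue outside the hunk, so an `@throws OCSForbiddenException` entry may also be needed there.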