From 5fef9dfc22eba8d62e5db412632927a523ebf7d5 Mon Sep 17 00:00:00 2001
From: Michael Gapczynski <GapczynskiM@gmail.com>
Date: Wed, 28 Mar 2012 21:18:17 -0400
Subject: [PATCH] Make users only able to share with users in groups they
 belong to

---
 apps/files_sharing/ajax/userautocomplete.php | 22 +++++++++++---------
 apps/files_sharing/lib_share.php             | 14 +++++++++++--
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/apps/files_sharing/ajax/userautocomplete.php b/apps/files_sharing/ajax/userautocomplete.php
index 9d971fb62a..38b673ee51 100644
--- a/apps/files_sharing/ajax/userautocomplete.php
+++ b/apps/files_sharing/ajax/userautocomplete.php
@@ -7,21 +7,23 @@ OC_JSON::checkLoggedIn();
 OC_JSON::checkAppEnabled('files_sharing');
 
 $users = array();
-$ocusers = OC_User::getUsers();
+$groups = array();
 $self = OC_User::getUser();
-$groups = OC_Group::getUserGroups($self);
+$userGroups = OC_Group::getUserGroups($self);
 $users[] = "<optgroup label='Users'>";
-foreach ($ocusers as $user) {
-	if ($user != $self) {
-		$users[] = "<option value='".$user."'>".$user."</option>";
+$groups[] = "<optgroup label='Groups'>";
+foreach ($userGroups as $group) {
+	$groupUsers = OC_Group::usersInGroup($group);
+	foreach ($groupUsers as $user) {
+		if ($user != $self) {
+			$users[] = "<option value='".$user."'>".$user."</option>";
+		}
 	}
+	$groups[] = "<option value='".$group."'>".$group."</option>";
 }
 $users[] = "</optgroup>";
-$users[] = "<optgroup label='Groups'>";
-foreach ($groups as $group) {
-	$users[] = "<option value='".$group."'>".$group."</option>";
-}
-$users[] = "</optgroup>";
+$groups[] = "</optgroup>";
+$users = array_merge($users, $groups);
 OC_JSON::encodedPrint($users);
 
 ?>
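Review bot: The `<option>` strings built in the new nested loop interpolate `$user` and `$group` into single-quoted attributes and element text without escaping, so a name containing `'`, `<` or `&` breaks the markup and could inject markup if the client inserts these strings as HTML (the client side is not visible here). Encode where the string is built, e.g. `$name = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');` and use `$name` in both positions, and do the same for `$group`. Separately, a user who shares more than one group with the caller is appended once per group; collecting names as array keys before rendering would avoid duplicate options. `$user != $self` is a loose comparison, and `!==` is the safer choice for identifiers.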
diff --git a/apps/files_sharing/lib_share.php b/apps/files_sharing/lib_share.php
index 42739bdfba..673984f393 100644
--- a/apps/files_sharing/lib_share.php
+++ b/apps/files_sharing/lib_share.php
@@ -52,8 +52,18 @@ class OC_Share {
 				// Remove the owner from the list of users in the group
 				$uid_shared_with = array_diff($uid_shared_with, array($uid_owner));
 			} else if (OC_User::userExists($uid_shared_with)) {
-				$gid = null;
-				$uid_shared_with = array($uid_shared_with);
+				$userGroups = OC_Group::getUserGroups($uid_owner);
+				// Check if the user is in one of the owner's groups
+				foreach ($userGroups as $group) {
+					if ($inGroup = OC_Group::inGroup($uid_shared_with, $group)) {
+						$gid = null;
+						$uid_shared_with = array($uid_shared_with);
+						break;
+					}
+				}
+				if (!$inGroup) {
+					throw new Exception("You can't share with ".$uid_shared_with);
+				}
 			} else {
 				throw new Exception($uid_shared_with." is not a user");
 			}
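Review bot: `$inGroup` is assigned only inside the `foreach`, so when the owner belongs to no groups the loop body never runs and `if (!$inGroup)` reads an undefined variable. The exception is still thrown because the value is null, but the access decision then rests on a notice-raising fallback. Set `$inGroup = false;` before the loop and move the assignment out of the condition: `$inGroup = OC_Group::inGroup($uid_shared_with, $group); if ($inGroup) {`. The group branch above starts outside this hunk, so it is not visible whether sharing with a group is likewise limited to groups the owner belongs to; the autocomplete filter is only a UI hint, so that check belongs here too if it is missing. A comment above the loop such as `// Server-side enforcement: the autocomplete list is advisory only` would record why the check exists.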
-- 
GitLab