diff --git a/apps/files_sharing/api/ocssharewrapper.php b/apps/files_sharing/api/ocssharewrapper.php
index ab54e5e5e346505f47e5bfa7c87b87132a1fa634..2a2c16da1f3aeb6ad41ed1b132fab513e0a2bdb8 100644
--- a/apps/files_sharing/api/ocssharewrapper.php
+++ b/apps/files_sharing/api/ocssharewrapper.php
@@ -41,7 +41,8 @@ class OCSShareWrapper {
\OC::$server->getUserManager(),
\OC::$server->getRequest(),
\OC::$server->getUserFolder(),
- \OC::$server->getURLGenerator());
+ \OC::$server->getURLGenerator(),
+ \OC::$server->getUserSession()->getUser());
}
public function getAllShares($params) {
diff --git a/apps/files_sharing/api/share20ocs.php b/apps/files_sharing/api/share20ocs.php
index aaf5a3c72b6c33e49d6ead99626721bb7fece6af..788cbe8586678ffc6b68fb5bd1b400eda955ef6f 100644
--- a/apps/files_sharing/api/share20ocs.php
+++ b/apps/files_sharing/api/share20ocs.php
@@ -22,35 +22,52 @@ namespace OCA\Files_Sharing\API;
use OC\Share20\IShare;
+use OCP\IGroupManager;
+use OCP\IUserManager;
+use OCP\IRequest;
+use OCP\Files\Folder;
+use OCP\IURLGenerator;
+use OCP\IUser;
+
class Share20OCS {
/** @var \OC\Share20\Manager */
private $shareManager;
- /** @var \OCP\IGroupManager */
+ /** @var IGroupManager */
private $groupManager;
- /** @var \OCP\IUserManager */
+ /** @var IUserManager */
private $userManager;
- /** @var \OCP\IRequest */
+ /** @var IRequest */
private $request;
- /** @var \OCP\Files\Folder */
+ /** @var Folder */
private $userFolder;
- public function __construct(\OC\Share20\Manager $shareManager,
- \OCP\IGroupManager $groupManager,
- \OCP\IUserManager $userManager,
- \OCP\IRequest $request,
- \OCP\Files\Folder $userFolder,
- \OCP\IURLGenerator $urlGenerator) {
+ /** @var IUrlGenerator */
+ private $urlGenerator;
+
+ /** @var IUser */
+ private $currentUser;
+
+ public function __construct(
+ \OC\Share20\Manager $shareManager,
+ \OCP\IGroupManager $groupManager,
+ \OCP\IUserManager $userManager,
+ \OCP\IRequest $request,
+ \OCP\Files\Folder $userFolder,
+ \OCP\IURLGenerator $urlGenerator,
+ \OCP\IUser $currentUser
+ ) {
$this->shareManager = $shareManager;
$this->userManager = $userManager;
$this->groupManager = $groupManager;
$this->request = $request;
$this->userFolder = $userFolder;
$this->urlGenerator = $urlGenerator;
+ $this->currentUser = $currentUser;
}
/**
@@ -131,8 +148,12 @@ class Share20OCS {
return new \OC_OCS_Result(null, 404, 'wrong share ID, share doesn\'t exist.');
}
- $share = $this->formatShare($share);
- return new \OC_OCS_Result($share);
+ if ($this->canAccessShare($share)) {
+ $share = $this->formatShare($share);
+ return new \OC_OCS_Result($share);
+ } else {
+ return new \OC_OCS_Result(null, 404, 'wrong share ID, share doesn\'t exist.');
+ }
}
/**
@@ -156,6 +177,10 @@ class Share20OCS {
\OCA\Files_Sharing\API\Local::deleteShare(['id' => $id]);
}
+ if (!$this->canAccessShare($share)) {
+ return new \OC_OCS_Result(null, 404, 'could not delete share');
+ }
+
try {
$this->shareManager->deleteShare($share);
} catch (\OC\Share20\Exception\BackendError $e) {
@@ -164,4 +189,30 @@ class Share20OCS {
return new \OC_OCS_Result();
}
+
+ /**
+ * @param IShare $share
+ * @return bool
+ */
+ protected function canAccessShare(IShare $share) {
+ // Owner of the file and the sharer of the file can always get share
+ if ($share->getShareOwner() === $this->currentUser ||
+ $share->getSharedBy() === $this->currentUser
+ ) {
+ return true;
+ }
+
+ // If the share is shared with you (or a group you are a member of)
+ if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER &&
+ $share->getSharedWith() === $this->currentUser) {
+ return true;
+ }
+
+ if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP &&
+ $share->getSharedWith()->inGroup($this->currentUser)) {
+ return true;
+ }
+
+ return false;
+ }
}
diff --git a/apps/files_sharing/tests/api/share20ocstest.php b/apps/files_sharing/tests/api/share20ocstest.php
index 9393b8d12c3e0cc04ff8a763472789212b474f03..fb37824b33708149fafda5eb029aee8743377fbe 100644
--- a/apps/files_sharing/tests/api/share20ocstest.php
+++ b/apps/files_sharing/tests/api/share20ocstest.php
@@ -20,28 +20,38 @@
*/
namespace OCA\Files_Sharing\Tests\API;
+use OC\Share20\IShare;
use OCA\Files_Sharing\API\Share20OCS;
+use OCP\IGroupManager;
+use OCP\IUserManager;
+use OCP\IRequest;
+use OCP\Files\Folder;
+use OCP\IURLGenerator;
+use OCP\IUser;
class Share20OCSTest extends \Test\TestCase {
/** @var \OC\Share20\Manager */
private $shareManager;
- /** @var \OCP\IGroupManager */
+ /** @var IGroupManager */
private $groupManager;
- /** @var \OCP\IUserManager */
+ /** @var IUserManager */
private $userManager;
- /** @var \OCP\IRequest */
+ /** @var IRequest */
private $request;
- /** @var \OCP\Files\Folder */
+ /** @var Folder */
private $userFolder;
- /** @var \OCP\IURLGenerator */
+ /** @var IURLGenerator */
private $urlGenerator;
+ /** @var IUser */
+ private $currentUser;
+
/** @var Share20OCS */
private $ocs;
@@ -54,13 +64,17 @@ class Share20OCSTest extends \Test\TestCase {
$this->request = $this->getMock('OCP\IRequest');
$this->userFolder = $this->getMock('OCP\Files\Folder');
$this->urlGenerator = $this->getMock('OCP\IURLGenerator');
-
- $this->ocs = new Share20OCS($this->shareManager,
- $this->groupManager,
- $this->userManager,
- $this->request,
- $this->userFolder,
- $this->urlGenerator);
+ $this->currentUser = $this->getMock('OCP\IUser');
+
+ $this->ocs = new Share20OCS(
+ $this->shareManager,
+ $this->groupManager,
+ $this->userManager,
+ $this->request,
+ $this->userFolder,
+ $this->urlGenerator,
+ $this->currentUser
+ );
}
public function testDeleteShareShareNotFound() {
@@ -76,6 +90,7 @@ class Share20OCSTest extends \Test\TestCase {
public function testDeleteShareCouldNotDelete() {
$share = $this->getMock('OC\Share20\IShare');
+ $share->method('getShareOwner')->willReturn($this->currentUser);
$this->shareManager
->expects($this->once())
->method('getShareById')
@@ -94,6 +109,7 @@ class Share20OCSTest extends \Test\TestCase {
public function testDeleteShare() {
$share = $this->getMock('OC\Share20\IShare');
+ $share->method('getSharedBy')->willReturn($this->currentUser);
$this->shareManager
->expects($this->once())
->method('getShareById')
@@ -244,42 +260,6 @@ class Share20OCSTest extends \Test\TestCase {
];
$data[] = [$share, $expected];
- // Folder shared with remote
- $share = $this->createShare(101,
- \OCP\Share::SHARE_TYPE_REMOTE,
- 'user@remote.com',
- $owner,
- $folder,
- 4,
- 5,
- null,
- 6,
- 'target',
- 0);
- $expected = [
- 'id' => 101,
- 'share_type' => \OCP\Share::SHARE_TYPE_REMOTE,
- 'share_with' => 'user@remote.com',
- 'share_with_displayname' => 'user@remote.com',
- 'uid_owner' => 'ownerId',
- 'displayname_owner' => 'ownerDisplay',
- 'item_type' => 'folder',
- 'item_source' => 2,
- 'file_source' => 2,
- 'file_target' => 'target',
- 'file_parent' => 3,
- 'token' => null,
- 'expiration' => null,
- 'permissions' => 4,
- 'stime' => 5,
- 'parent' => 6,
- 'storage_id' => 'STORAGE',
- 'path' => 'folder',
- 'storage' => null, // HACK around static function
- 'mail_send' => 0,
- ];
- $data[] = [$share, $expected];
-
// File shared by link with Expire
$expire = \DateTime::createFromFormat('Y-m-d h:i:s', '2000-01-02 01:02:03');
$share = $this->createShare(101,
@@ -327,6 +307,20 @@ class Share20OCSTest extends \Test\TestCase {
* @dataProvider dataGetShare
*/
public function testGetShare(\OC\Share20\IShare $share, array $result) {
+ $ocs = $this->getMockBuilder('OCA\Files_Sharing\API\Share20OCS')
+ ->setConstructorArgs([
+ $this->shareManager,
+ $this->groupManager,
+ $this->userManager,
+ $this->request,
+ $this->userFolder,
+ $this->urlGenerator,
+ $this->currentUser
+ ])->setMethods(['canAccessShare'])
+ ->getMock();
+
+ $ocs->method('canAccessShare')->willReturn(true);
+
$this->shareManager
->expects($this->once())
->method('getShareById')
@@ -342,5 +336,44 @@ class Share20OCSTest extends \Test\TestCase {
->willReturn('url');
$expected = new \OC_OCS_Result($result);
- $this->assertEquals($expected->getData(), $this->ocs->getShare($share->getId())->getData()); }
+ $this->assertEquals($expected->getData(), $ocs->getShare($share->getId())->getData());
+ }
+
+ public function testCanAccessShare() {
+ $share = $this->getMock('OC\Share20\IShare');
+ $share->method('getShareOwner')->willReturn($this->currentUser);
+ $this->assertTrue($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+ $share = $this->getMock('OC\Share20\IShare');
+ $share->method('getSharedBy')->willReturn($this->currentUser);
+ $this->assertTrue($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+ $share = $this->getMock('OC\Share20\IShare');
+ $share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_USER);
+ $share->method('getSharedWith')->willReturn($this->currentUser);
+ $this->assertTrue($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+ $share = $this->getMock('OC\Share20\IShare');
+ $share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_USER);
+ $share->method('getSharedWith')->willReturn($this->getMock('OCP\IUser'));
+ $this->assertFalse($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+ $share = $this->getMock('OC\Share20\IShare');
+ $share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_GROUP);
+ $group = $this->getMock('OCP\IGroup');
+ $group->method('inGroup')->with($this->currentUser)->willReturn(true);
+ $share->method('getSharedWith')->willReturn($group);
+ $this->assertTrue($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+ $share = $this->getMock('OC\Share20\IShare');
+ $share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_GROUP);
+ $group = $this->getMock('OCP\IGroup');
+ $group->method('inGroup')->with($this->currentUser)->willReturn(false);
+ $share->method('getSharedWith')->willReturn($group);
+ $this->assertFalse($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+ $share = $this->getMock('OC\Share20\IShare');
+ $share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_LINK);
+ $this->assertFalse($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+ }
}