improve permission check in share controller getFile()

binsky 2023-04-22 21:15:54 +02:00
parent baf9a189ea
commit 82efcde766


@ -476,13 +476,17 @@ class ShareController extends ApiController {
} catch (\Exception $e) {
return new NotFoundJSONResponse();
}
// $this->userId does not exist for anonymous share link downloads
$userId = ($this->userId) ? $this->userId->getUID() : null;
$acl = $this->shareService->getACL($userId, $credential->getGuid());
if (!$acl->hasPermission(SharingACL::FILES)) {
return new NotFoundJSONResponse();
} else {
return $this->fileService->getFileByGuid($file_guid);
if ($acl->hasPermission(SharingACL::FILES)) {
// get file by guid and check if it is owned by the owner of the shared credential
return $this->fileService->getFileByGuid($file_guid, $credential->getUserId());
}
return new NotFoundJSONResponse();
}
/**
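Review bot: The new argument in `getFileByGuid($file_guid, $credential->getUserId())` binds the file to the owner of the shared credential, not to the credential itself, so as far as this hunk shows, a recipient holding `SharingACL::FILES` on one credential could still be served another file of the same owner if they hold its guid. Consider also verifying that `$file_guid` is one of the files attached to `$credential` before returning it, and until then make the limit explicit in the comment: `// owner check only: does not verify the file is attached to this shared credential`. The call also sits after the `try`/`catch`, so if the service reports an owner mismatch by throwing (not visible here), the client would get an error response instead of `NotFoundJSONResponse`; that is worth confirming. The start of `getFile()` lies outside the hunk.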