fix: only allow modifying sharing to form owners

Chartman123 · backportbot[bot] · commit 7bac2278092c · 2026-04-23T08:07:53.000Z
fix: only allow modifying sharing to form owners

Signed-off-by: Christian Hartmann &lt;chris-hartmann@gmx.de&gt;

[skip ci]
diff --git a/src/components/SidebarTabs/SharingSearchDiv.vue b/src/components/SidebarTabs/SharingSearchDiv.vue
@@ -8,7 +8,7 @@
 		<NcSelectUsers
 			keep-open
 			:loading="showLoadingCircle"
-			:disabled="locked"
+			:disabled="locked || !isCurrentUserOwner"
 			:options="options"
 			:placeholder="t('forms', 'Search for user, group or team …')"
 			:aria-label-listbox="t('forms', 'Search for user, group or team …')"
@@ -46,6 +46,11 @@ export default {
 			type: Boolean,
 			required: true,
 		},
+
+		isCurrentUserOwner: {
+			type: Boolean,
+			required: true,
+		},
 	},
 
 	computed: {
diff --git a/src/components/SidebarTabs/SharingShareDiv.vue b/src/components/SidebarTabs/SharingShareDiv.vue
@@ -14,7 +14,7 @@
 			<span>{{ displayName }}</span>
 			<span>{{ displayNameAppendix }}</span>
 		</div>
-		<NcActions class="share-div__actions">
+		<NcActions class="share-div__actions" :disabled="!isCurrentUserOwner">
 			<NcActionCaption :name="t('forms', 'Permissions')" />
 			<NcActionCheckbox
 				:model-value="canEditForm"
@@ -80,6 +80,11 @@ export default {
 			type: Boolean,
 			required: true,
 		},
+
+		isCurrentUserOwner: {
+			type: Boolean,
+			required: true,
+		},
 	},
 
 	computed: {
diff --git a/src/components/SidebarTabs/SharingSidebarTab.vue b/src/components/SidebarTabs/SharingSidebarTab.vue
@@ -31,7 +31,9 @@
 			</div>
 			<span class="share-div__desc">{{ t('forms', 'Share link') }}</span>
 			<NcActions>
-				<NcActionButton :disabled="locked" @click="addPublicLink">
+				<NcActionButton
+					:disabled="locked || !isCurrentUserOwner"
+					@click="addPublicLink">
 					<template #icon>
 						<IconPlus :size="20" />
 					</template>
@@ -80,15 +82,17 @@
 					</NcActionButton>
 					<NcActionButton
 						v-else
-						:disabled="locked"
+						:disabled="locked || !isCurrentUserOwner"
 						@click="makeEmbeddable(share)">
 						<template #icon>
 							<IconLinkBoxVariantOutline :size="20" />
 						</template>
 						<!-- TRANSLATORS: This means the link can be embedded into external websites -->
 						{{ t('forms', 'Convert to embeddable link') }}
 					</NcActionButton>
-					<NcActionButton :disabled="locked" @click="removeShare(share)">
+					<NcActionButton
+						:disabled="locked || !isCurrentUserOwner"
+						@click="removeShare(share)">
 						<template #icon>
 							<IconDelete :size="20" />
 						</template>
@@ -274,6 +278,10 @@ export default {
 	},
 
 	computed: {
+		isCurrentUserOwner() {
+			return getCurrentUser().uid === this.form.ownerId
+		},
+
 		sortedShares() {
 			// Remove Link-Shares, which are handled separately, then sort
 			return this.form.shares
