Skip to content

Commit 1f2fb38

Browse files
icewind1991icewind1991
committed
fix: redact share token if share has more permissions than the current user
Signed-off-by: Robin Appelman <robin@icewind.nl>
1 parent a0b5986 commit 1f2fb38

1 file changed

Lines changed: 10 additions & 5 deletions

File tree

apps/files_sharing/lib/Controller/ShareAPIController.php

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -228,6 +228,10 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
228228
$result['expiration'] = $expiration->format('Y-m-d 00:00:00');
229229
}
230230

231+
$currentUserPermissions = $recipientNode?->getPermissions() ?? Constants::PERMISSION_ALL;
232+
$userHasEnoughPermissions = ($currentUserPermissions & $share->getPermissions()) === $share->getPermissions();
233+
$token = $userHasEnoughPermissions ? $share->getToken() : null;
234+
231235
if ($share->getShareType() === IShare::TYPE_USER) {
232236
$sharedWith = $this->userManager->get($share->getSharedWith());
233237
$result['share_with'] = $share->getSharedWith();
@@ -253,6 +257,7 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
253257
$result['share_with'] = $share->getSharedWith();
254258
$result['share_with_displayname'] = $group !== null ? $group->getDisplayName() : $share->getSharedWith();
255259
} elseif ($share->getShareType() === IShare::TYPE_LINK) {
260+
$url = ($token !== null) ? $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.showShare', ['token' => $token]) : null;
256261

257262
// "share_with" and "share_with_displayname" for passwords of link
258263
// shares was deprecated in Nextcloud 15, use "password" instead.
@@ -263,23 +268,23 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
263268

264269
$result['send_password_by_talk'] = $share->getSendPasswordByTalk();
265270

266-
$result['token'] = $share->getToken();
267-
$result['url'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.showShare', ['token' => $share->getToken()]);
271+
$result['token'] = $token;
272+
$result['url'] = $url;
268273
} elseif ($share->getShareType() === IShare::TYPE_REMOTE) {
269274
$result['share_with'] = $share->getSharedWith();
270275
$result['share_with_displayname'] = $this->getCachedFederatedDisplayName($share->getSharedWith());
271-
$result['token'] = $share->getToken();
276+
$result['token'] = $token;
272277
} elseif ($share->getShareType() === IShare::TYPE_REMOTE_GROUP) {
273278
$result['share_with'] = $share->getSharedWith();
274279
$result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'CLOUD');
275-
$result['token'] = $share->getToken();
280+
$result['token'] = $token;
276281
} elseif ($share->getShareType() === IShare::TYPE_EMAIL) {
277282
$result['share_with'] = $share->getSharedWith();
278283
$result['password'] = $share->getPassword();
279284
$result['password_expiration_time'] = $share->getPasswordExpirationTime() !== null ? $share->getPasswordExpirationTime()->format(\DateTime::ATOM) : null;
280285
$result['send_password_by_talk'] = $share->getSendPasswordByTalk();
281286
$result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'EMAIL');
282-
$result['token'] = $share->getToken();
287+
$result['token'] = $token;
283288
} elseif ($share->getShareType() === IShare::TYPE_CIRCLE) {
284289
// getSharedWith() returns either "name (type, owner)" or
285290
// "name (type, owner) [id]", depending on the Teams app version.

0 commit comments

Comments
 (0)