Skip to content

Commit 2949ab8

Browse files
sorbaughsorbaugh
authored
Merge pull request #59801 from nextcloud/backport/59792/stable27
[stable27] hide share token if share has more permissions than the current user
2 parents 44f7d2d + 8374eb6 commit 2949ab8

2 files changed

Lines changed: 40 additions & 5 deletions

File tree

apps/files_sharing/lib/Controller/ShareAPIController.php

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -192,6 +192,10 @@ protected function formatShare(IShare $share, Node $recipientNode = null): array
192192
$result['expiration'] = $expiration->format('Y-m-d 00:00:00');
193193
}
194194

195+
$currentUserPermissions = $recipientNode?->getPermissions() ?? Constants::PERMISSION_ALL;
196+
$userHasEnoughPermissions = ($currentUserPermissions & $share->getPermissions()) === $share->getPermissions();
197+
$token = $userHasEnoughPermissions ? $share->getToken() : null;
198+
195199
if ($share->getShareType() === IShare::TYPE_USER) {
196200
$sharedWith = $this->userManager->get($share->getSharedWith());
197201
$result['share_with'] = $share->getSharedWith();
@@ -218,6 +222,7 @@ protected function formatShare(IShare $share, Node $recipientNode = null): array
218222
$result['share_with'] = $share->getSharedWith();
219223
$result['share_with_displayname'] = $group !== null ? $group->getDisplayName() : $share->getSharedWith();
220224
} elseif ($share->getShareType() === IShare::TYPE_LINK) {
225+
$url = ($token !== null) ? $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.showShare', ['token' => $token]) : null;
221226

222227
// "share_with" and "share_with_displayname" for passwords of link
223228
// shares was deprecated in Nextcloud 15, use "password" instead.
@@ -228,23 +233,23 @@ protected function formatShare(IShare $share, Node $recipientNode = null): array
228233

229234
$result['send_password_by_talk'] = $share->getSendPasswordByTalk();
230235

231-
$result['token'] = $share->getToken();
232-
$result['url'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.showShare', ['token' => $share->getToken()]);
236+
$result['token'] = $token;
237+
$result['url'] = $url;
233238
} elseif ($share->getShareType() === IShare::TYPE_REMOTE) {
234239
$result['share_with'] = $share->getSharedWith();
235240
$result['share_with_displayname'] = $this->getCachedFederatedDisplayName($share->getSharedWith());
236-
$result['token'] = $share->getToken();
241+
$result['token'] = $token;
237242
} elseif ($share->getShareType() === IShare::TYPE_REMOTE_GROUP) {
238243
$result['share_with'] = $share->getSharedWith();
239244
$result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'CLOUD');
240-
$result['token'] = $share->getToken();
245+
$result['token'] = $token;
241246
} elseif ($share->getShareType() === IShare::TYPE_EMAIL) {
242247
$result['share_with'] = $share->getSharedWith();
243248
$result['password'] = $share->getPassword();
244249
$result['password_expiration_time'] = $share->getPasswordExpirationTime() !== null ? $share->getPasswordExpirationTime()->format(\DateTime::ATOM) : null;
245250
$result['send_password_by_talk'] = $share->getSendPasswordByTalk();
246251
$result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'EMAIL');
247-
$result['token'] = $share->getToken();
252+
$result['token'] = $token;
248253
} elseif ($share->getShareType() === IShare::TYPE_CIRCLE) {
249254
// getSharedWith() returns either "name (type, owner)" or
250255
// "name (type, owner) [id]", depending on the Circles app version.

build/integration/sharing_features/sharing-v1-part2.feature

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,36 @@ Feature: sharing
2121
And User "user2" should be included in the response
2222
And User "user3" should not be included in the response
2323

24+
Scenario: getting all shares of a file with reshares with link share with less permissions
25+
Given user "user0" exists
26+
And user "user1" exists
27+
When as "user0" creating a share with
28+
| path | textfile0.txt |
29+
| shareType | 0 |
30+
| shareWith | user1 |
31+
| permissions | 17 |
32+
Then the OCS status code should be "100"
33+
And the HTTP status code should be "200"
34+
When as "user0" creating a share with
35+
| path | textfile0.txt |
36+
| shareType | 3 |
37+
| permissions | 19 |
38+
Then the OCS status code should be "100"
39+
And the HTTP status code should be "200"
40+
And last link share can be downloaded
41+
When As an "user1"
42+
And sending "GET" to "/apps/files_sharing/api/v1/shares?reshares=true&path=textfile0 (2).txt"
43+
Then the OCS status code should be "100"
44+
And the HTTP status code should be "200"
45+
And User "user1" should not be included in the response
46+
Then the list of returned shares has 1 shares
47+
And share 0 is returned with
48+
| share_type | 3 |
49+
| uid_owner | user0 |
50+
| token | |
51+
| url | |
52+
| permissions | 19 |
53+
2454
Scenario: getting all shares of a file with a received share after revoking the resharing rights
2555
Given user "user0" exists
2656
And user "user1" exists

0 commit comments

Comments
 (0)