fix: allow renaming files with just update permissions

icewind1991 · icewind1991 · commit d021c18fb66c · 2026-03-27T14:53:30.000+01:00
Signed-off-by: Robin Appelman &lt;robin@icewind.nl&gt;
diff --git a/apps/dav/lib/Connector/Sabre/FilesPlugin.php b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
@@ -205,10 +205,19 @@ public function checkMove(string $source, string $target): void {
 		// First check copyable (move only needs additional delete permission)
 		$this->checkCopy($source, $target);
 
-		// The source needs to be deletable for moving
-		$sourceNodeFileInfo = $sourceNode->getFileInfo();
-		if (!$sourceNodeFileInfo->isDeletable()) {
-			throw new Forbidden($source . ' cannot be deleted');
+		[$sourceDir] = \Sabre\Uri\split($source);
+		[$destinationDir, ] = \Sabre\Uri\split($target);
+
+		if ($sourceDir === $destinationDir) {
+			if (!$sourceNode->canRename()) {
+				throw new Forbidden($source . ' cannot be renamed');
+			}
+		} else {
+			// The source needs to be deletable for moving
+			$sourceNodeFileInfo = $sourceNode->getFileInfo();
+			if (!$sourceNodeFileInfo->isDeletable()) {
+				throw new Forbidden($source . ' cannot be deleted');
+			}
 		}
 
 		// The source is not allowed to be the parent of the target
diff --git a/apps/dav/lib/Connector/Sabre/Node.php b/apps/dav/lib/Connector/Sabre/Node.php
@@ -23,6 +23,7 @@
 use OCP\Server;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager;
+use Sabre\DAV\Exception\Forbidden;
 
 abstract class Node implements \Sabre\DAV\INode {
 	/**
@@ -110,6 +111,31 @@ public function getPath() {
 		return $this->path;
 	}
 
+	/**
+	 * Check if this node can be renamed
+	 */
+	public function canRename(): bool {
+		// the root of a movable mountpoint can be renamed regardless of the file permissions
+		if ($this->info->getMountPoint() instanceof MoveableMount && $this->info->getInternalPath() === '') {
+			return true;
+		}
+
+		// we allow renaming the file if either the file has update permissions
+		if ($this->info->isUpdateable()) {
+			return true;
+		}
+
+		// or the file can be deleted and the parent has create permissions
+		[$parentPath,] = \Sabre\Uri\split($this->path);
+		if ($parentPath === null) {
+			// can't rename the users home
+			return false;
+		}
+
+		$parent = $this->node->getParent();
+		return $this->info->isDeletable() && $parent->isCreatable();
+	}
+
 	/**
 	 * Renames the node
 	 *
@@ -118,10 +144,8 @@ public function getPath() {
 	 * @throws \Sabre\DAV\Exception\Forbidden
 	 */
 	public function setName($name) {
-		// rename is only allowed if the delete privilege is granted
-		// (basically rename is a copy with delete of the original node)
-		if (!($this->info->isDeletable() || ($this->info->getMountPoint() instanceof MoveableMount && $this->info->getInternalPath() === ''))) {
-			throw new \Sabre\DAV\Exception\Forbidden();
+		if (!$this->canRename()) {
+			throw new Forbidden('');
 		}
 
 		[$parentPath,] = \Sabre\Uri\split($this->path);
