

Merge pull request #59803 from nextcloud/backport/59792/stable25
[stable25] hide share token if share has more permissions than the current user
2 parents 707d899 + 06f6950 commit ec80c6b

2 files changed

Lines changed: 39 additions & 4 deletions


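--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -236,6 +236,10 @@ protected function formatShare(IShare $share, Node $recipientNode = null): array
 $result['expiration'] = $expiration->format('Y-m-d 00:00:00');
 }
 
+$currentUserPermissions = $recipientNode ? $recipientNode->getPermissions() : Constants::PERMISSION_ALL;
+$userHasEnoughPermissions = ($currentUserPermissions & $share->getPermissions()) === $share->getPermissions();
+$token = $userHasEnoughPermissions ? $share->getToken() : null;
+
 if ($share->getShareType() === IShare::TYPE_USER) {
 $sharedWith = $this->userManager->get($share->getSharedWith());
 $result['share_with'] = $share->getSharedWith();
@@ -262,6 +266,7 @@ protected function formatShare(IShare $share, Node $recipientNode = null): array
 $result['share_with'] = $share->getSharedWith();
 $result['share_with_displayname'] = $group !== null ? $group->getDisplayName() : $share->getSharedWith();
 } elseif ($share->getShareType() === IShare::TYPE_LINK) {
+$url = ($token !== null) ? $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.showShare', ['token' => $token]) : null;
 
 // "share_with" and "share_with_displayname" for passwords of link
 // shares was deprecated in Nextcloud 15, use "password" instead.
@@ -272,19 +277,19 @@ protected function formatShare(IShare $share, Node $recipientNode = null): array
 
 $result['send_password_by_talk'] = $share->getSendPasswordByTalk();
 
-$result['token'] = $share->getToken();
-$result['url'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.showShare', ['token' => $share->getToken()]);
+$result['token'] = $token;
+$result['url'] = $url;
 } elseif ($share->getShareType() === IShare::TYPE_REMOTE || $share->getShareType() === IShare::TYPE_REMOTE_GROUP) {
 $result['share_with'] = $share->getSharedWith();
 $result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'CLOUD');
-$result['token'] = $share->getToken();
+$result['token'] = $token;
 } elseif ($share->getShareType() === IShare::TYPE_EMAIL) {
 $result['share_with'] = $share->getSharedWith();
 $result['password'] = $share->getPassword();
 $result['password_expiration_time'] = $share->getPasswordExpirationTime() !== null ? $share->getPasswordExpirationTime()->format(\DateTime::ATOM) : null;
 $result['send_password_by_talk'] = $share->getSendPasswordByTalk();
 $result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'EMAIL');
-$result['token'] = $share->getToken();
+$result['token'] = $token;
 } elseif ($share->getShareType() === IShare::TYPE_CIRCLE) {
 // getSharedWith() returns either "name (type, owner)" or
 // "name (type, owner) [id]", depending on the Circles app version.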
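Review bot: The `Constants::PERMISSION_ALL` fallback in the first hunk fails open: whenever `$recipientNode` is null (the signature defaults it to `null`), the bitmask check passes unconditionally and the token and public URL are emitted, so the new protection only holds for callers that actually pass the node. If every null-node caller is the share owner or initiator that is acceptable, but nothing in the hunk says so; either fail closed with `$currentUserPermissions = $recipientNode !== null ? $recipientNode->getPermissions() : 0;` (PHP 7.4-compatible, no nullsafe operator) or record the assumption above the line as `// No recipient node: caller is the owner/initiator and may always see the token — confirm all call sites.` The bitmask line also deserves a why-comment, e.g. `// Hide the token if the share grants more than the current user holds on the node, otherwise a reshare recipient could escalate via the public link.` This assumes `OCP\Constants` is already imported in this file; the `use` block is not visible here. `formatShare` begins before the first hunk and continues past the last.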

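--- a/build/integration/sharing_features/sharing-v1-part2.feature
+++ b/build/integration/sharing_features/sharing-v1-part2.feature
@@ -21,6 +21,36 @@ Feature: sharing
 And User "user2" should be included in the response
 And User "user3" should not be included in the response
 
+Scenario: getting all shares of a file with reshares with link share with less permissions
+Given user "user0" exists
+And user "user1" exists
+When as "user0" creating a share with
+| path | textfile0.txt |
+| shareType | 0 |
+| shareWith | user1 |
+| permissions | 17 |
+Then the OCS status code should be "100"
+And the HTTP status code should be "200"
+When as "user0" creating a share with
+| path | textfile0.txt |
+| shareType | 3 |
+| permissions | 19 |
+Then the OCS status code should be "100"
+And the HTTP status code should be "200"
+And last link share can be downloaded
+When As an "user1"
+And sending "GET" to "/apps/files_sharing/api/v1/shares?reshares=true&path=textfile0 (2).txt"
+Then the OCS status code should be "100"
+And the HTTP status code should be "200"
+And User "user1" should not be included in the response
+Then the list of returned shares has 1 shares
+And share 0 is returned with
+| share_type | 3 |
+| uid_owner | user0 |
+| token | |
+| url | |
+| permissions | 19 |
+
 Scenario: getting all shares of a file with a received share after revoking the resharing rights
 Given user "user0" exists
 And user "user1" exists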
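Review bot: The new scenario pins only the hidden case (recipient holds 17, link share grants 19, so `token` and `url` come back empty); nothing asserts that the token is still returned when the recipient's permissions cover the link share's, so a regression that blanks the token unconditionally would still pass. A sibling scenario with the same steps but the user share created with `permissions | 31` (or the link share with `permissions | 17`), asserting `token` and `url` are non-empty in the `share 0 is returned with` table, would close that gap. The `And User "user1" should not be included in the response` step looks unrelated to what this scenario is checking; presumably copied from the scenario above, worth confirming it is intended.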
