Do not allow to delete/update group shares as a group member

4e5fb747 · Joas Schilling · Roeland Jago Douma · 5f83f4d9 · 4e5fb747
Unverified Commit 4e5fb747 authored 8 years ago by Joas Schilling Committed by Roeland Jago Douma 8 years ago
--- a/apps/files_sharing/lib/API/Share20OCS.php
+++ b/apps/files_sharing/lib/API/Share20OCS.php
@@ -224,7 +224,7 @@ class Share20OCS {
 			return new \OC_OCS_Result(null, 404, 'could not delete share');
 		}

-		if (!$this->canAccessShare($share)) {
+		if (!$this->canAccessShare($share, false)) {
 			$share->getNode()->unlock(ILockingProvider::LOCK_SHARED);
 			return new \OC_OCS_Result(null, 404, $this->l->t('Could not delete share'));
 		}
@@ -573,7 +573,7 @@ class Share20OCS {

 		$share->getNode()->lock(\OCP\Lock\ILockingProvider::LOCK_SHARED);

-		if (!$this->canAccessShare($share)) {
+		if (!$this->canAccessShare($share, false)) {
 			$share->getNode()->unlock(ILockingProvider::LOCK_SHARED);
 			return new \OC_OCS_Result(null, 404, $this->l->t('Wrong share ID, share doesn\'t exist'));
 		}
@@ -703,7 +703,7 @@ class Share20OCS {
 	 * @param \OCP\Share\IShare $share
 	 * @return bool
 	 */
-	protected function canAccessShare(\OCP\Share\IShare $share) {
+	protected function canAccessShare(\OCP\Share\IShare $share, $checkGroups = true) {
 		// A file with permissions 0 can't be accessed by us. So Don't show it
 		if ($share->getPermissions() === 0) {
 			return false;
@@ -722,7 +722,7 @@ class Share20OCS {
 			return true;
 		}

-		if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
+		if ($checkGroups && $share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
 			$sharedWith = $this->groupManager->get($share->getSharedWith());
 			if ($sharedWith->inGroup($this->currentUser)) {
 				return true;