From 4e5fb74773ef83ef1256f68be9a6a054b10a9cc2 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Thu, 28 Jul 2016 16:52:00 +0200
Subject: [PATCH] Do not allow to delete/update group shares as a group member

---
 apps/files_sharing/lib/API/Share20OCS.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/files_sharing/lib/API/Share20OCS.php b/apps/files_sharing/lib/API/Share20OCS.php
index fd5e5ddc786..593e9d877c7 100644
--- a/apps/files_sharing/lib/API/Share20OCS.php
+++ b/apps/files_sharing/lib/API/Share20OCS.php
@@ -224,7 +224,7 @@ class Share20OCS {
 			return new \OC_OCS_Result(null, 404, 'could not delete share');
 		}
 
-		if (!$this->canAccessShare($share)) {
+		if (!$this->canAccessShare($share, false)) {
 			$share->getNode()->unlock(ILockingProvider::LOCK_SHARED);
 			return new \OC_OCS_Result(null, 404, $this->l->t('Could not delete share'));
 		}
@@ -573,7 +573,7 @@ class Share20OCS {
 
 		$share->getNode()->lock(\OCP\Lock\ILockingProvider::LOCK_SHARED);
 
-		if (!$this->canAccessShare($share)) {
+		if (!$this->canAccessShare($share, false)) {
 			$share->getNode()->unlock(ILockingProvider::LOCK_SHARED);
 			return new \OC_OCS_Result(null, 404, $this->l->t('Wrong share ID, share doesn\'t exist'));
 		}
@@ -703,7 +703,7 @@ class Share20OCS {
 	 * @param \OCP\Share\IShare $share
 	 * @return bool
 	 */
-	protected function canAccessShare(\OCP\Share\IShare $share) {
+	protected function canAccessShare(\OCP\Share\IShare $share, $checkGroups = true) {
 		// A file with permissions 0 can't be accessed by us. So Don't show it
 		if ($share->getPermissions() === 0) {
 			return false;
@@ -722,7 +722,7 @@ class Share20OCS {
 			return true;
 		}
 
-		if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
+		if ($checkGroups && $share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
 			$sharedWith = $this->groupManager->get($share->getSharedWith());
 			if ($sharedWith->inGroup($this->currentUser)) {
 				return true;
-- 
GitLab