Merge pull request #19764 from nextcloud/fix/transfer-ownerhip-owner-check

Do not allow transfer ownership when the user isn't the owner

Merge pull request #19764 from nextcloud/fix/transfer-ownerhip-owner-check
65b75c8b · Roeland Jago Douma · GitHub · b57ffe8d · 68b764bb · 65b75c8b
Unverified Commit 65b75c8b authored 5 years ago by Roeland Jago Douma Committed by GitHub 5 years ago
--- a/apps/files/js/dist/personal-settings.js
+++ b/apps/files/js/dist/personal-settings.js
--- a/apps/files/js/dist/personal-settings.js.map
+++ b/apps/files/js/dist/personal-settings.js.map
--- a/apps/files/lib/Controller/TransferOwnershipController.php
+++ b/apps/files/lib/Controller/TransferOwnershipController.php
@@ -96,6 +96,10 @@ class TransferOwnershipController extends OCSController {
 			return new DataResponse([], Http::STATUS_BAD_REQUEST);
 		}
+		if ($node->getOwner()->getUID() !== $this->userId) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
 		$transferOwnership = new TransferOwnershipEntity();
 		$transferOwnership->setSourceUser($this->userId);
 		$transferOwnership->setTargetUser($recipient);

--- a/apps/files/src/components/TransferOwnershipDialogue.vue
+++ b/apps/files/src/components/TransferOwnershipDialogue.vue
@@ -215,7 +215,11 @@ export default {
 				.catch(error => {
 					logger.error('Could not send ownership transfer request', { error })
-					this.submitError = error.message || t('files', 'Unknown error')
+					if (error?.response?.status === 403) {
+						this.submitError = t('files', 'Cannot transfter ownership of a file or folder you don\'t own')
+					} else {
+						this.submitError = error.message || t('files', 'Unknown error')
+					}
 				})
 		},
 	},