Do not allow transfer ownership when the user isn't the owner

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

Do not allow transfer ownership when the user isn't the owner
68b764bb · Christoph Wurst · 26ea9681 · 68b764bb · 68b764bb · 68b764bb
Unverified Commit 68b764bb authored 5 years ago by Christoph Wurst
--- a/apps/files/js/dist/personal-settings.js
+++ b/apps/files/js/dist/personal-settings.js
--- a/apps/files/js/dist/personal-settings.js.map
+++ b/apps/files/js/dist/personal-settings.js.map
--- a/apps/files/lib/Controller/TransferOwnershipController.php
+++ b/apps/files/lib/Controller/TransferOwnershipController.php
@@ -96,6 +96,10 @@ class TransferOwnershipController extends OCSController {
 			return new DataResponse([], Http::STATUS_BAD_REQUEST);
 		}
+		if ($node->getOwner()->getUID() !== $this->userId) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
 		$transferOwnership = new TransferOwnershipEntity();
 		$transferOwnership->setSourceUser($this->userId);
 		$transferOwnership->setTargetUser($recipient);

--- a/apps/files/src/components/TransferOwnershipDialogue.vue
+++ b/apps/files/src/components/TransferOwnershipDialogue.vue
@@ -215,7 +215,11 @@ export default {
 				.catch(error => {
 					logger.error('Could not send ownership transfer request', { error })
-					this.submitError = error.message || t('files', 'Unknown error')
+					if (error?.response?.status === 403) {
+						this.submitError = t('files', 'Cannot transfter ownership of a file or folder you don\'t own')
+					} else {
+						this.submitError = error.message || t('files', 'Unknown error')
+					}
 				})
 		},
 	},