From 0320a99ccc85ffc90c1cda40eda43d108463ae48 Mon Sep 17 00:00:00 2001 From: provokateurin Date: Wed, 15 Oct 2025 23:19:35 +0200 Subject: [PATCH] fix(publicremote): Always grant read and delete permission for chunked uploads to a share Signed-off-by: provokateurin --- apps/dav/appinfo/v2/publicremote.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/apps/dav/appinfo/v2/publicremote.php b/apps/dav/appinfo/v2/publicremote.php index e089fa7bb62..8d509e636a8 100644 --- a/apps/dav/appinfo/v2/publicremote.php +++ b/apps/dav/appinfo/v2/publicremote.php @@ -81,7 +81,7 @@ $linkCheckPlugin = new PublicLinkCheckPlugin(); $filesDropPlugin = new FilesDropPlugin(); /** @var string $baseuri defined in public.php */ -$server = $serverFactory->createServer(true, $baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($authBackend, $linkCheckPlugin, $filesDropPlugin) { +$server = $serverFactory->createServer(true, $baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($baseuri, $requestUri, $authBackend, $linkCheckPlugin, $filesDropPlugin) { // GET must be allowed for e.g. showing images and allowing Zip downloads if ($server->httpRequest->getMethod() !== 'GET') { // If this is *not* a GET request we only allow access to public DAV from AJAX or when Server2Server is allowed @@ -103,8 +103,16 @@ $server = $serverFactory->createServer(true, $baseuri, $requestUri, $authPlugin, $previousLog = Filesystem::logWarningWhenAddingStorageWrapper(false); /** @psalm-suppress MissingClosureParamType */ - Filesystem::addStorageWrapper('sharePermissions', function ($mountPoint, $storage) use ($share) { - return new PermissionsMask(['storage' => $storage, 'mask' => $share->getPermissions() | Constants::PERMISSION_SHARE]); + Filesystem::addStorageWrapper('sharePermissions', function ($mountPoint, $storage) use ($requestUri, $baseuri, $share) { + $mask = $share->getPermissions() | Constants::PERMISSION_SHARE; + + // For chunked uploads it is necessary to have read and delete permission, + // so the temporary directory, chunks and destination file can be read and delete after the assembly. + if (str_starts_with(substr($requestUri, strlen($baseuri) - 1), '/uploads/')) { + $mask |= Constants::PERMISSION_READ | Constants::PERMISSION_DELETE; + } + + return new PermissionsMask(['storage' => $storage, 'mask' => $mask]); }); /** @psalm-suppress MissingClosureParamType */