upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-02-19 02:38:40 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

fix(publicremote): Always grant read and delete permission for chunked uploads to a share

Browse source 
Signed-off-by: provokateurin <kate@provokateurin.de>
This commit is contained in:
provokateurin 2025-10-15 23:19:35 +02:00
parent 6df6b58e6c
commit 5fa4c3d8fd
No known key found for this signature in database
1 changed files with 11 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
apps/dav/appinfo/v2/publicremote.php
View file

@ -81,7 +81,7 @@ $linkCheckPlugin = new PublicLinkCheckPlugin();
$filesDropPlugin = new FilesDropPlugin();
/** @var string $baseuri defined in public.php */
$server = $serverFactory->createServer(true, $baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($authBackend, $linkCheckPlugin, $filesDropPlugin) {
$server = $serverFactory->createServer(true, $baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($baseuri, $requestUri, $authBackend, $linkCheckPlugin, $filesDropPlugin) {
// GET must be allowed for e.g. showing images and allowing Zip downloads
if ($server->httpRequest->getMethod() !== 'GET') {
// If this is *not* a GET request we only allow access to public DAV from AJAX or when Server2Server is allowed
@ -103,8 +103,16 @@ $server = $serverFactory->createServer(true, $baseuri, $requestUri, $authPlugin,
$previousLog = Filesystem::logWarningWhenAddingStorageWrapper(false);
/** @psalm-suppress MissingClosureParamType */
Filesystem::addStorageWrapper('sharePermissions', function ($mountPoint, $storage) use ($share) {
return new PermissionsMask(['storage' => $storage, 'mask' => $share->getPermissions() | Constants::PERMISSION_SHARE]);
Filesystem::addStorageWrapper('sharePermissions', function ($mountPoint, $storage) use ($requestUri, $baseuri, $share) {
$mask = $share->getPermissions() | Constants::PERMISSION_SHARE;
// For chunked uploads it is necessary to have read and delete permission,
// so the temporary directory, chunks and destination file can be read and delete after the assembly.
if (str_starts_with(substr($requestUri, strlen($baseuri) - 1), '/uploads/')) {
$mask |= Constants::PERMISSION_READ | Constants::PERMISSION_DELETE;
}
return new PermissionsMask(['storage' => $storage, 'mask' => $mask]);
});
/** @psalm-suppress MissingClosureParamType */