upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-09 00:32:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 35

fix(files): Do not allow copy action on public shares without create permission

Browse source 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
This commit is contained in:
Ferdinand Thiessen 2024-08-02 12:34:19 +02:00
parent a84de3c755
commit e93ceea804
No known key found for this signature in database
GPG key ID: 45FAE7268762B400
2 changed files with 18 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
apps/files/src/actions/moveOrCopyActionUtils.ts
View file

@ -7,7 +7,11 @@ import type { Folder, Node } from '@nextcloud/files'
import type { ShareAttribute } from '../../../files_sharing/src/sharing'
import { Permission } from '@nextcloud/files'
import { isPublicShare } from '@nextcloud/sharing/public'
import PQueue from 'p-queue'
import { loadState } from '@nextcloud/initial-state'
const sharePermissions = loadState<number>('files_sharing', 'sharePermissions', Permission.NONE)
// This is the processing queue. We only want to allow 3 concurrent requests
let queue: PQueue
@ -51,7 +55,17 @@ export const canDownload = (nodes: Node[]) => {
export const canCopy = (nodes: Node[]) => {
// a shared file cannot be copied if the download is disabled
// it can be copied if the user has at least read permissions
return canDownload(nodes)
&& !nodes.some(node => node.permissions === Permission.NONE)
if (!canDownload(nodes)) {
return false
}
// it cannot be copied if the user has only view permissions
if (nodes.some((node) => node.permissions === Permission.NONE)) {
return false
}
// on public shares all files have the same permission so copy is only possible if write permission is granted
if (isPublicShare()) {
return Boolean(sharePermissions & Permission.CREATE)
}
// otherwise permission is granted
return true
}

1
apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php
View file

@ -91,6 +91,7 @@ class DefaultPublicShareTemplateProvider implements IPublicShareTemplateProvider
// Set up initial state
$this->initialState->provideInitialState('isPublic', true);
$this->initialState->provideInitialState('sharingToken', $token);
$this->initialState->provideInitialState('sharePermissions', $share->getPermissions());
$this->initialState->provideInitialState('filename', $shareNode->getName());
$this->initialState->provideInitialState('view', $view);