authorfriendica <info@friendica.com>2014-01-09 19:20:10 -0800
committerfriendica <info@friendica.com>2014-01-09 19:20:10 -0800
commita309bc0d478f5335853ed0cb7a0f0bfe41110643 (patch)
tree343ce7d473210f22020ebd9789304d7c891c5b07 /include/reddav.php
parent49882f2be4ef9d1b28c72f8101fe9b15d7176ff6 (diff)
only let visitors remove their own files.
Diffstat (limited to 'include/reddav.php')
-rw-r--r--include/reddav.php12
1 files changed, 10 insertions, 2 deletions
diff --git a/include/reddav.php b/include/reddav.php
index 24eca9e81..2aedeed04 100644
--- a/include/reddav.php
+++ b/include/reddav.php
@@ -115,11 +115,12 @@ class RedDirectory extends DAV\Node implements DAV\ICollection {
$filesize = 0;
$hash = random_string();
- $r = q("INSERT INTO attach ( aid, uid, hash, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
- VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+ $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
+ VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
intval($c[0]['channel_account_id']),
intval($c[0]['channel_id']),
dbesc($hash),
+ dbesc($this->auth->observer),
dbesc($name),
dbesc($this->folder_hash),
dbesc(ATTACH_FLAG_OS),
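Review bot: The new `dbesc($this->auth->observer)` argument stores whatever the observer value is, including an empty string, as `creator`. The delete check added in the RedFile hunk of this commit tests `$this->auth->observer !== $this->data['creator']`, which is false when both are empty, so a visitor without an observer identity would pass for any row whose creator is empty (rows written before this column was filled presumably are). Whether such a visitor can get that far depends on permission checks outside both hunks. I would make the delete condition reject an empty observer explicitly: `if((! $this->auth->observer) || ($this->auth->observer !== $this->data['creator']) || ($this->data['flags'] & ATTACH_FLAG_DIR)) {`. The enclosing method starts and ends outside this hunk.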
@@ -415,6 +416,13 @@ class RedFile extends DAV\Node implements DAV\IFile {
return;
}
+ if($this->auth->owner_id !== $this->auth->channel_id) {
+ if(($this->auth->observer !== $this->data['creator']) || ($this->data['flags'] & ATTACH_FLAG_DIR)) {
+ throw new DAV\Exception\Forbidden('Permission denied.');
+ return;
+ }
+ }
+
attach_delete($this->auth->owner_id,$this->data['hash']);
}
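Review bot: The outer test `$this->auth->owner_id !== $this->auth->channel_id` is type-strict, so if one side is an integer and the other a string taken from a database row (neither assignment is visible here), the owner is always routed through the visitor branch and can no longer delete directories or files that others uploaded. Comparing normalised values, `if(intval($this->auth->owner_id) !== intval($this->auth->channel_id)) {`, avoids that. The `return;` after `throw new DAV\Exception\Forbidden('Permission denied.');` is unreachable and can be dropped. The check also relies on `creator` being among the columns loaded into `$this->data`, which happens outside this hunk, as does the start of the method, and should be confirmed.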