From a309bc0d478f5335853ed0cb7a0f0bfe41110643 Mon Sep 17 00:00:00 2001
From: friendica
Date: Thu, 9 Jan 2014 19:20:10 -0800
Subject: only let visitors remove their own files.
---
 include/reddav.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'include/reddav.php')
diff --git a/include/reddav.php b/include/reddav.php
index 24eca9e81..2aedeed04 100644
--- a/include/reddav.php
+++ b/include/reddav.php
@@ -115,11 +115,12 @@ class RedDirectory extends DAV\Node implements DAV\ICollection {
 $filesize = 0;
 $hash = random_string();
- $r = q("INSERT INTO attach ( aid, uid, hash, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
- VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+ $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
+ VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
 intval($c[0]['channel_account_id']),
 intval($c[0]['channel_id']),
 dbesc($hash),
+ dbesc($this->auth->observer),
 dbesc($name),
 dbesc($this->folder_hash),
 dbesc(ATTACH_FLAG_OS),
@@ -415,6 +416,13 @@ class RedFile extends DAV\Node implements DAV\IFile {
 return;
 }
+ if($this->auth->owner_id !== $this->auth->channel_id) {
+ if(($this->auth->observer !== $this->data['creator']) || ($this->data['flags'] & ATTACH_FLAG_DIR)) {
+ throw new DAV\Exception\Forbidden('Permission denied.');
+ return;
+ }
+ }
+
 attach_delete($this->auth->owner_id,$this->data['hash']);
 }
--
cgit v1.2.3
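Review bot: In the RedDirectory hunk, `creator` is filled from `$this->auth->observer` with no check that it is non-empty, and the delete check added in the RedFile hunk compares the two with `!==`. An empty observer would therefore match any row whose creator is empty, such as rows written before this commit or by any insert path that does not set the column. Whether an empty observer can get past the permission check above the new branch is not visible here, so the comparison should fail closed on its own: `if((! $this->auth->observer) || ($this->auth->observer !== $this->data['creator']) || ($this->data['flags'] & ATTACH_FLAG_DIR)) {`. The enclosing method of the INSERT starts and ends outside the hunk.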
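Review bot: In the RedFile hunk, the owner test `$this->auth->owner_id !== $this->auth->channel_id` is type-strict, so it depends on both ids having the same PHP type. The first hunk wraps `channel_id` in `intval()`, which suggests numeric strings from the database occur; if one side is an int and the other a string, the owner is treated as a visitor and is refused on directories and on files that lack their creator hash. Normalising both sides removes that dependency: `if(intval($this->auth->owner_id) !== intval($this->auth->channel_id)) {`. The `return;` after the `throw` is unreachable and can be dropped; delete() begins outside the hunk.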