Block reading children of upload-only folder on GET request

owncloud · Aug 29, 2019 · 84e9ea0 · 84e9ea0
1 parent 4aa17f5
commit 84e9ea0
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/apps/dav/lib/Files/PublicFiles/PublicSharedRootNode.php b/apps/dav/lib/Files/PublicFiles/PublicSharedRootNode.php
@@ -69,7 +69,9 @@ public function __construct(IShare $share, IRequest $request) {
 	 */
 	public function getChildren() {
 		// Within a PROPFIND request we return no listing in case the share is a file drop folder
-		if ($this->isPropfind() && $this->isFileDropFolder()) {
+		if ($this->isFileDropFolder()
+			&& ($this->isPropfind() || $this->isGet())
+		) {
 			return [];
 		}
 
@@ -184,11 +186,7 @@ public function getACL() {
 				'principal' => '{DAV:}owner',
 				'protected' => true,
 			],
-			[
-				'privilege' => '{DAV:}read',
-				'principal' => 'principals/system/public',
-				'protected' => true,
-			]
+
 		];
 
 		if ($this->checkPermissions(Constants::PERMISSION_UPDATE)) {
@@ -227,6 +225,10 @@ private function isPropfind() {
 		return $this->request->getMethod() === 'PROPFIND';
 	}
 
+	private function isGet() {
+		return $this->request->getMethod() === 'GET';
+	}
+
 	/**
 	 * An anonymous upload folder aka file drop folder has only the create permission
 	 * @return bool