Block reading children of upload-only folder on GET request

owncloud · Aug 29, 2019 · cbd4705 · cbd4705
1 parent 4aa17f5
commit cbd4705
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 8 deletions.
diff --git a/apps/dav/lib/Files/PublicFiles/PublicSharedRootNode.php b/apps/dav/lib/Files/PublicFiles/PublicSharedRootNode.php
@@ -69,7 +69,9 @@ public function __construct(IShare $share, IRequest $request) {
 	 */
 	public function getChildren() {
 		// Within a PROPFIND request we return no listing in case the share is a file drop folder
-		if ($this->isPropfind() && $this->isFileDropFolder()) {
+		if ($this->isFileDropFolder()
+			&& ($this->isPropfind() || $this->isGet())
+		) {
 			return [];
 		}
 
@@ -184,11 +186,7 @@ public function getACL() {
 				'principal' => '{DAV:}owner',
 				'protected' => true,
 			],
-			[
-				'privilege' => '{DAV:}read',
-				'principal' => 'principals/system/public',
-				'protected' => true,
-			]
+
 		];
 
 		if ($this->checkPermissions(Constants::PERMISSION_UPDATE)) {
@@ -227,6 +225,10 @@ private function isPropfind() {
 		return $this->request->getMethod() === 'PROPFIND';
 	}
 
+	private function isGet() {
+		return $this->request->getMethod() === 'GET';
+	}
+
 	/**
 	 * An anonymous upload folder aka file drop folder has only the create permission
 	 * @return bool

diff --git a/apps/dav/tests/unit/Files/PublicFiles/PublicSharedRootNodeTest.php b/apps/dav/tests/unit/Files/PublicFiles/PublicSharedRootNodeTest.php
@@ -22,6 +22,7 @@
 namespace OCA\DAV\Tests\Unit\Files\PublicFiles;
 
 use OCA\DAV\Files\PublicFiles\PublicSharedRootNode;
+use OCP\Constants;
 use OCP\Files\NotFoundException;
 use OCP\IRequest;
 use OCP\Share\IShare;
@@ -39,4 +40,15 @@ public function testNoLongerExistingResource() {
 		$publicSharedRoot = new PublicSharedRootNode($share, $request);
 		$publicSharedRoot->getChildren();
 	}
+
+	public function testNoChildrenOnGetForPublicUpload() {
+		$share = $this->createMock(IShare::class);
+		$request = $this->createMock(IRequest::class);
+		$share->method('getPermissions')->willReturn(Constants::PERMISSION_CREATE);
+		$request->method('getMethod')->willReturn('GET');
+
+		$publicSharedRoot = new PublicSharedRootNode($share, $request);
+		$children = $publicSharedRoot->getChildren();
+		$this->assertEmpty($children);
+	}
 }
diff --git a/tests/acceptance/features/apiShareOperations/downloadFromShare.feature b/tests/acceptance/features/apiShareOperations/downloadFromShare.feature
@@ -14,8 +14,7 @@ Feature: sharing
       | path        | FOLDER |
       | permissions | create |
     Then the public download of file "/test.txt" from inside the last public shared folder using the old public WebDAV API should fail with HTTP status code "404"
-    And the public should be able to download the range "bytes=0-7" of file "/test.txt" from inside the last public shared folder using the new public WebDAV API and the content should be "ownCloud"
-    #And the public download of file "/test.txt" from inside the last public shared folder using the new public WebDAV API should fail with HTTP status code "404"
+    And the public download of file "/test.txt" from inside the last public shared folder using the new public WebDAV API should fail with HTTP status code "404"
 
   @public_link_share-feature-required
   Scenario: Downloading from share after the share source was deleted