- better checking of access rights

2025-02-06 07:04:57 +00:00 · 2011-12-15 07:27:19 +00:00 · 2011-12-15 07:27:19 +00:00 · 957b13d84f
commit 957b13d84f
parent 7ae83fc80e
1 changed files with 18 additions and 2 deletions
--- a/webdav/letodms_webdav.php
+++ b/webdav/letodms_webdav.php
@ -394,7 +394,9 @@ class HTTP_WebDAV_Server_LetoDMS extends HTTP_WebDAV_Server
 		$format = "%15s  %-19s  %-s\n";

 		$subfolders = $folder->getSubFolders();
+		$subfolders = LetoDMS_Core_DMS::filterAccess($subfolders, $this->user, M_READ);
 		$documents = $folder->getDocuments();
+		$documents = LetoDMS_Core_DMS::filterAccess($documents, $this->user, M_READ);
 		$objs = array_merge($subfolders, $documents);

 		echo "<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /><title>Index of ".htmlspecialchars($options['path'])."</title></head>\n";
@ -496,13 +498,19 @@ class HTTP_WebDAV_Server_LetoDMS extends HTTP_WebDAV_Server
 				else $fileType = substr($name, $lastDotIndex);
 		}
 		if($document = $this->dms->getDocumentByName($name, $folder)) {
-			if(!$document->addContent('', $this->user, $tmpFile, $name, $fileType, $mimetype, array(), array(), 0)) {
+			if ($document->getAccessMode($this->user) < M_READWRITE) {
+				unlink($tmpFile);
+				return "403 Forbidden";
+			} elseif(!$document->addContent('', $this->user, $tmpFile, $name, $fileType, $mimetype, array(), array(), 0)) {
 				unlink($tmpFile);
 				return "409 Conflict";
 			}

 		} else {
-			if(!$res = $folder->addDocument($name, '', 0, $this->user, '', array(), $tmpFile, $name, $fileType, $mimetype, 0, array(), array(), 0, "")) {
+			if ($folder->getAccessMode($this->user) < M_READWRITE) {
+				unlink($tmpFile);
+				return "403 Forbidden";
+			} elseif(!$res = $folder->addDocument($name, '', 0, $this->user, '', array(), $tmpFile, $name, $fileType, $mimetype, 0, array(), array(), 0, "")) {
 				unlink($tmpFile);
 				return "409 Conflict";
 			}
@ -556,6 +564,10 @@ class HTTP_WebDAV_Server_LetoDMS extends HTTP_WebDAV_Server
 			return "403 Forbidden";				 
 		}

+		if ($folder->getAccessMode($this->user) < M_READWRITE) {
+			return "403 Forbidden";				 
+		}
+
 		if (!$folder->addSubFolder($name, '', $this->user, 0)) {
 			return "403 Forbidden";				 
 		}
@ -812,6 +824,10 @@ class HTTP_WebDAV_Server_LetoDMS extends HTTP_WebDAV_Server
 				return false;
 		}

+		if ($obj->getAccessMode($this->user) < M_READWRITE) {
+			return false;				 
+		}
+
 		foreach ($options["props"] as $key => $prop) {
 			if ($prop["ns"] == "DAV:") {
 				$options["props"][$key]['status'] = "403 Forbidden";