fix: Block incompatible operations with remote tokens

With federated tokens we do not allow storage operations that would be relative to the file path so we should block them Signed-off-by: Julius Härtl <jus@bitgrid.net>
nextcloud · Apr 30, 2024 · 479c046 · 479c046
1 parent c84ce0f
commit 479c046
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/lib/Controller/WopiController.php b/lib/Controller/WopiController.php
@@ -163,11 +163,11 @@ public function checkFileInfo($fileId, $access_token) {
 			'UserExtraInfo' => [],
 			'UserPrivateInfo' => [],
 			'UserCanWrite' => $canWriteThroughLock && (bool)$wopi->getCanwrite(),
-			'UserCanNotWriteRelative' => $isPublic || $this->encryptionManager->isEnabled() || $wopi->getHideDownload(),
+			'UserCanNotWriteRelative' => $isPublic || $this->encryptionManager->isEnabled() || $wopi->getHideDownload() || $wopi->isRemoteToken(),
 			'PostMessageOrigin' => $wopi->getServerHost(),
 			'LastModifiedTime' => Helper::toISO8601($file->getMTime()),
-			'SupportsRename' => !$isVersion,
-			'UserCanRename' => !$isPublic && !$isVersion,
+			'SupportsRename' => !$isVersion && !$wopi->isRemoteToken(),
+			'UserCanRename' => !$isPublic && !$isVersion && !$wopi->isRemoteToken(),
 			'EnableInsertRemoteImage' => !$isPublic,
 			'EnableShare' => $file->isShareable() && !$isVersion && !$isPublic,
 			'HideUserList' => '',