fix: Block incompatible operations with remote tokens

With federated tokens we do not allow storage operations that would be relative to the file path so we should block them Signed-off-by: Julius Härtl <jus@bitgrid.net>
nextcloud · Apr 30, 2024 · ca84d61 · ca84d61
1 parent 75bfff6
commit ca84d61
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/lib/Controller/WopiController.php b/lib/Controller/WopiController.php
@@ -202,11 +202,11 @@ public function checkFileInfo($fileId, $access_token) {
 			'UserFriendlyName' => $userDisplayName,
 			'UserExtraInfo' => [],
 			'UserCanWrite' => (bool)$wopi->getCanwrite(),
-			'UserCanNotWriteRelative' => $this->encryptionManager->isEnabled() || $isPublic || $wopi->getHideDownload(),
+			'UserCanNotWriteRelative' => $this->encryptionManager->isEnabled() || $isPublic || $wopi->getHideDownload() || $wopi->isRemoteToken(),
 			'PostMessageOrigin' => $wopi->getServerHost(),
 			'LastModifiedTime' => Helper::toISO8601($file->getMTime()),
-			'SupportsRename' => !$isVersion,
-			'UserCanRename' => !$isPublic && !$isVersion,
+			'SupportsRename' => !$isVersion && !$wopi->isRemoteToken(),
+			'UserCanRename' => !$isPublic && !$isVersion && !$wopi->isRemoteToken(),
 			'EnableInsertRemoteImage' => !$isPublic,
 			'EnableShare' => $file->isShareable() && !$isVersion && !$isPublic,
 			'HideUserList' => '',