Merge pull request #19982 from owncloud/fix-link-sharing-regression-master

Ensure the password is only hashed in case it's changed on the client…
10 years ago · d4d954b2d9
5 changed files with 60 additions and 18 deletions
--- a/core/ajax/share.php
+++ b/core/ajax/share.php
@ -48,9 +48,28 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 					$shareType = (int)$_POST['shareType'];
 					$shareWith = $_POST['shareWith'];
 					$itemSourceName = isset($_POST['itemSourceName']) ? (string)$_POST['itemSourceName'] : null;
-					if ($shareType === OCP\Share::SHARE_TYPE_LINK && $shareWith == '') {
-						$shareWith = null;
+
+					/*
+					 * Nasty nasty fix for https://github.com/owncloud/core/issues/19950
+					 */
+					$passwordChanged = null;
+					if (is_array($shareWith)) {
+						$passwordChanged = ($shareWith['passwordChanged'] === 'true');
+						if ($shareType === OCP\Share::SHARE_TYPE_LINK && $shareWith['password'] === '') {
+							$shareWith = null;
+						} else {
+							$shareWith = $shareWith['password'];
+						}
+					} else {
+						/*
+						 * We need this branch since the calendar and contacts also use this
+						 * endpoint
+						 */
+						if ($shareType === OCP\Share::SHARE_TYPE_LINK && $shareWith === '') {
+							$shareWith = null;
+						}
 					}
+
 					$itemSourceName=(isset($_POST['itemSourceName'])) ? (string)$_POST['itemSourceName']:'';

 					$token = OCP\Share::shareItem(
@ -60,7 +79,8 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 						$shareWith,
 						$_POST['permissions'],
 						$itemSourceName,
-						(!empty($_POST['expirationDate']) ? new \DateTime((string)$_POST['expirationDate']) : null)
+						(!empty($_POST['expirationDate']) ? new \DateTime((string)$_POST['expirationDate']) : null),
+						$passwordChanged
 					);

 					if (is_string($token)) {
--- a/core/js/shareitemmodel.js
+++ b/core/js/shareitemmodel.js
@ -116,7 +116,8 @@

 			// TODO: use backbone's default value mechanism once this is a separate model
 			var requiredAttributes = [
-				{ name: 'password',	   defaultValue: '' },
+				{ name: 'password', defaultValue: '' },
+				{ name: 'passwordChanged', defaultValue: false },
 				{ name: 'permissions', defaultValue: OC.PERMISSION_READ },
 				{ name: 'expiration', defaultValue: this.configModel.getDefaultExpirationDateString() }
 			];
@ -136,11 +137,16 @@
 				}
 			});

+			var password = {
+				password: attributes.password,
+				passwordChanged: attributes.passwordChanged
+			};
+
 			OC.Share.share(
 				itemType,
 				itemSource,
 				OC.Share.SHARE_TYPE_LINK,
-				attributes.password,
+				password,
 				attributes.permissions,
 				this.fileInfoModel.get('name'),
 				attributes.expiration,
@ -208,6 +214,7 @@
 		 */
 		setPassword: function(password) {
 			this.get('linkShare').password = password;
+			this.get('linkShare').passwordChanged = true;
 		},

 		addShare: function(attributes, options) {
--- a/core/js/tests/specs/sharedialogviewSpec.js
+++ b/core/js/tests/specs/sharedialogviewSpec.js
@ -146,7 +146,8 @@ describe('OC.Share.ShareDialogView', function() {

 			expect(fakeServer.requests[1].method).toEqual('POST');
 			var body = OC.parseQueryString(fakeServer.requests[1].requestBody);
-			expect(body.shareWith).toEqual('foo');
+			expect(body['shareWith[password]']).toEqual('foo');
+			expect(body['shareWith[passwordChanged]']).toEqual('true');

 			fetchStub.reset();

@ -185,7 +186,8 @@ describe('OC.Share.ShareDialogView', function() {

 			expect(fakeServer.requests[1].method).toEqual('POST');
 			var body = OC.parseQueryString(fakeServer.requests[1].requestBody);
-			expect(body.shareWith).toEqual('foo');
+			expect(body['shareWith[password]']).toEqual('foo');
+			expect(body['shareWith[passwordChanged]']).toEqual('true');

 			fetchStub.reset();

--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@ -597,11 +597,12 @@ class Share extends Constants {
 	 * @param int $permissions CRUDS
 	 * @param string $itemSourceName
 	 * @param \DateTime $expirationDate
+	 * @param bool $passwordChanged
 	 * @return boolean|string Returns true on success or false on failure, Returns token on success for links
 	 * @throws \OC\HintException when the share type is remote and the shareWith is invalid
 	 * @throws \Exception
 	 */
-	public static function shareItem($itemType, $itemSource, $shareType, $shareWith, $permissions, $itemSourceName = null, \DateTime $expirationDate = null) {
+	public static function shareItem($itemType, $itemSource, $shareType, $shareWith, $permissions, $itemSourceName = null, \DateTime $expirationDate = null, $passwordChanged = null) {

 		$backend = self::getBackend($itemType);
 		$l = \OC::$server->getL10N('lib');
@ -775,14 +776,25 @@ class Share extends Constants {
 					$updateExistingShare = true;
 				}

-				// Generate hash of password - same method as user passwords
-				if (is_string($shareWith) && $shareWith !== '') {
-					self::verifyPassword($shareWith);
-					$shareWith = \OC::$server->getHasher()->hash($shareWith);
+				if ($passwordChanged === null) {
+					// Generate hash of password - same method as user passwords
+					if (is_string($shareWith) && $shareWith !== '') {
+						self::verifyPassword($shareWith);
+						$shareWith = \OC::$server->getHasher()->hash($shareWith);
+					} else {
+						// reuse the already set password, but only if we change permissions
+						// otherwise the user disabled the password protection
+						if ($checkExists && (int)$permissions !== (int)$oldPermissions) {
+							$shareWith = $checkExists['share_with'];
+						}
+					}
 				} else {
-					// reuse the already set password, but only if we change permissions
-					// otherwise the user disabled the password protection
-					if ($checkExists && (int)$permissions !== (int)$oldPermissions) {
+					if ($passwordChanged === true) {
+						if (is_string($shareWith) && $shareWith !== '') {
+							self::verifyPassword($shareWith);
+							$shareWith = \OC::$server->getHasher()->hash($shareWith);
+						}
+					} else if ($updateExistingShare) {
 						$shareWith = $checkExists['share_with'];
 					}
 				}
--- a/lib/public/share.php
+++ b/lib/public/share.php
@ -255,13 +255,14 @@ class Share extends \OC\Share\Constants {
 	 * @param int $permissions CRUDS
 	 * @param string $itemSourceName
 	 * @param \DateTime $expirationDate
+	 * @param bool $passwordChanged
 	 * @return bool|string Returns true on success or false on failure, Returns token on success for links
 	 * @throws \OC\HintException when the share type is remote and the shareWith is invalid
 	 * @throws \Exception
-	 * @since 5.0.0 - parameter $itemSourceName was added in 6.0.0, parameter $expirationDate was added in 7.0.0
+	 * @since 5.0.0 - parameter $itemSourceName was added in 6.0.0, parameter $expirationDate was added in 7.0.0, paramter $passwordChanged added in 9.0.0
 	 */
-	public static function shareItem($itemType, $itemSource, $shareType, $shareWith, $permissions, $itemSourceName = null, \DateTime $expirationDate = null) {
-		return \OC\Share\Share::shareItem($itemType, $itemSource, $shareType, $shareWith, $permissions, $itemSourceName, $expirationDate);
+	public static function shareItem($itemType, $itemSource, $shareType, $shareWith, $permissions, $itemSourceName = null, \DateTime $expirationDate = null, $passwordChanged = null) {
+		return \OC\Share\Share::shareItem($itemType, $itemSource, $shareType, $shareWith, $permissions, $itemSourceName, $expirationDate, $passwordChanged);
 	}

 	/**