fix(Authorizer): Don't give WRITE permissions by default

Signed-off-by: Marcel Klehr <[email protected]>

lib/Controller/FoldersController.php

@@ -247,8 +247,8 @@ public function addToFolder($folderId, $bookmarkId): JSONResponse {
 	 * @PublicPage
 	 */
 	public function removeFromFolder($folderId, $bookmarkId): JSONResponse {
-		if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
-			!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($bookmarkId, $this->request))) {
+		if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) ||
+			!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForBookmark($bookmarkId, $this->request))) {
 			return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
 		}
 		try {

lib/Service/Authorizer.php

@@ -263,7 +263,7 @@ private function findPermissionsByUserAndItem(string $userId, string $type, int
 			if ($share->getFolderId() === $itemId && $type === TreeMapper::TYPE_FOLDER) {
 				// If the sought folder is the root folder of the share, we give EDIT permissions + optionally RESHARE
 				// because the user can edit the shared folder
-				$perms = $this->getMaskFromFlags(true, $share->getCanShare()) | self::PERM_EDIT;
+				$perms = $this->getMaskFromFlags(false, $share->getCanShare()) | self::PERM_EDIT;
 			} elseif ($this->treeMapper->hasDescendant($share->getFolderId(), $type, $itemId)) {
 				$perms = $this->getMaskFromFlags($share->getCanWrite(), $share->getCanShare());
 			} else {