From 3e797e3fe1ea662b308ec2797172eed65a4ce532 Mon Sep 17 00:00:00 2001
From: steckbrief <steckbrief@chefmail.de>
Date: Sun, 21 Aug 2016 12:23:19 +0200
Subject: added possibility to restrict deletion to the user who originally
 uploaded the file

---
 storage-backend/config/config.inc.php | 2 ++
 storage-backend/index.php             | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/storage-backend/config/config.inc.php b/storage-backend/config/config.inc.php
index 9a96ad9..3b2f80a 100644
--- a/storage-backend/config/config.inc.php
+++ b/storage-backend/config/config.inc.php
@@ -12,5 +12,7 @@ return [
   'invalid_characters_in_filename' => ['/'],
   // Validity time of a delete token in seconds
   'delete_token_validity' => 5 * 60,
+  // Flag to whether deletion is only allowed by creator or anybody
+  'delete_only_by_creator' => true,
 ];
 ?>
\ No newline at end of file
diff --git a/storage-backend/index.php b/storage-backend/index.php
index 8639499..eae06ef 100644
--- a/storage-backend/index.php
+++ b/storage-backend/index.php
@@ -81,6 +81,13 @@ switch ($method) {
           sendHttpReturnCodeAndJson(403, "The slot does not exist.");
         }
         
+        if ($config['delete_only_by_creator']) {
+          $slotParameters = loadSlotParameters($slotUUID, $config);
+          if ($slotParameters['user_jid'] != $userJid) {
+            sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
+          }
+        }
+        
         // generate delete token, register delete token
         $deleteToken = generate_uuid();
         registerDeleteToken($slotUUID, $filename, $deleteToken, $config);
-- 
cgit v1.2.3