aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorsteckbrief <steckbrief@chefmail.de>2016-08-21 12:23:19 +0200
committersteckbrief <steckbrief@chefmail.de>2016-08-21 12:23:19 +0200
commit3e797e3fe1ea662b308ec2797172eed65a4ce532 (patch)
treebd80e6e180f17f346abb695279660c6c82b32d52
parent15090fe1bede4e1ad5672c6a645db1a56a777610 (diff)
added possibility to restrict deletion to the user who originally uploaded the file
-rw-r--r--storage-backend/config/config.inc.php2
-rw-r--r--storage-backend/index.php7
2 files changed, 9 insertions, 0 deletions
diff --git a/storage-backend/config/config.inc.php b/storage-backend/config/config.inc.php
index 9a96ad9..3b2f80a 100644
--- a/storage-backend/config/config.inc.php
+++ b/storage-backend/config/config.inc.php
@@ -12,5 +12,7 @@ return [
'invalid_characters_in_filename' => ['/'],
// Validity time of a delete token in seconds
'delete_token_validity' => 5 * 60,
+ // Flag to whether deletion is only allowed by creator or anybody
+ 'delete_only_by_creator' => true,
];
?> \ No newline at end of file
diff --git a/storage-backend/index.php b/storage-backend/index.php
index 8639499..eae06ef 100644
--- a/storage-backend/index.php
+++ b/storage-backend/index.php
@@ -81,6 +81,13 @@ switch ($method) {
sendHttpReturnCodeAndJson(403, "The slot does not exist.");
}
+ if ($config['delete_only_by_creator']) {
+ $slotParameters = loadSlotParameters($slotUUID, $config);
+ if ($slotParameters['user_jid'] != $userJid) {
+ sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
+ }
+ }
+
// generate delete token, register delete token
$deleteToken = generate_uuid();
registerDeleteToken($slotUUID, $filename, $deleteToken, $config);