From 3e797e3fe1ea662b308ec2797172eed65a4ce532 Mon Sep 17 00:00:00 2001 From: steckbrief Date: Sun, 21 Aug 2016 12:23:19 +0200 Subject: added possibility to restrict deletion to the user who originally uploaded the file --- storage-backend/config/config.inc.php | 2 ++ storage-backend/index.php | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/storage-backend/config/config.inc.php b/storage-backend/config/config.inc.php index 9a96ad9..3b2f80a 100644 --- a/storage-backend/config/config.inc.php +++ b/storage-backend/config/config.inc.php @@ -12,5 +12,7 @@ return [ 'invalid_characters_in_filename' => ['/'], // Validity time of a delete token in seconds 'delete_token_validity' => 5 * 60, + // Flag to whether deletion is only allowed by creator or anybody + 'delete_only_by_creator' => true, ]; ?> \ No newline at end of file diff --git a/storage-backend/index.php b/storage-backend/index.php index 8639499..eae06ef 100644 --- a/storage-backend/index.php +++ b/storage-backend/index.php @@ -81,6 +81,13 @@ switch ($method) { sendHttpReturnCodeAndJson(403, "The slot does not exist."); } + if ($config['delete_only_by_creator']) { + $slotParameters = loadSlotParameters($slotUUID, $config); + if ($slotParameters['user_jid'] != $userJid) { + sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it."); + } + } + // generate delete token, register delete token $deleteToken = generate_uuid(); registerDeleteToken($slotUUID, $filename, $deleteToken, $config); -- cgit v1.2.3