fix: Also safeguard generating tokens for group membership

Signed-off-by: Julius Härtl <jus@bitgrid.net>
2023-01-12 08:52:27 +01:00 · 2023-01-12 08:52:27 +01:00 · bb89b7971e
--- a/lib/TokenManager.php
+++ b/lib/TokenManager.php
@ -187,6 +187,11 @@ class TokenManager {
 			throw new NotPermittedException();
 		}

+		// Safeguard that users without required group permissions cannot create a token
+		if (!$this->permissionManager->isEnabledForUser($owneruid) && !$this->permissionManager->isEnabledForUser($editoruid)) {
+			throw new NotPermittedException();
+		}
+
 		// force read operation to trigger possible audit logging
 		\OC_Hook::emit(
 			Filesystem::CLASSNAME,