From 0f39bd055efdadc15abd2f8146cf5da3793f8318 Mon Sep 17 00:00:00 2001
From: Ariel Leyva <msomnium.info@gmail.com>
Date: Sat, 4 Apr 2026 03:11:21 -0400
Subject: [PATCH] fix: check download permission when sharing permission is
 enabled (#5875)

---
 errors/errors.go                                 |  1 +
 frontend/src/components/settings/Permissions.vue | 16 +++++++++++++++-
 frontend/src/i18n/en.json                        |  2 +-
 http/users.go                                    | 12 ++++++++++++
 4 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/errors/errors.go b/errors/errors.go
index f6b86caf..99236ec1 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -23,6 +23,7 @@ var (
 	ErrSourceIsParent           = errors.New("source is parent")
 	ErrRootUserDeletion         = errors.New("the sole admin can't be deleted")
 	ErrCurrentPasswordIncorrect = errors.New("the current password is incorrect")
+	ErrShareRequiresDownload    = errors.New("permission to share requires permission to download")
 )
 
 type ErrShortPassword struct {
diff --git a/frontend/src/components/settings/Permissions.vue b/frontend/src/components/settings/Permissions.vue
index 13d2b936..33296af2 100644
--- a/frontend/src/components/settings/Permissions.vue
+++ b/frontend/src/components/settings/Permissions.vue
@@ -17,7 +17,11 @@
       {{ $t("settings.perm.delete") }}
     </p>
     <p>
-      <input type="checkbox" :disabled="admin" v-model="perm.download" />
+      <input
+        type="checkbox"
+        :disabled="admin || perm.share"
+        v-model="perm.download"
+      />
       {{ $t("settings.perm.download") }}
     </p>
     <p>
@@ -61,5 +65,15 @@ export default {
     },
     isExecEnabled: () => enableExec,
   },
+  watch: {
+    perm: {
+      deep: true,
+      handler() {
+        if (this.perm.share === true) {
+          this.perm.download = true;
+        }
+      },
+    },
+  },
 };
 </script>
diff --git a/frontend/src/i18n/en.json b/frontend/src/i18n/en.json
index dcbedcef..933c2e32 100644
--- a/frontend/src/i18n/en.json
+++ b/frontend/src/i18n/en.json
@@ -245,7 +245,7 @@
       "execute": "Execute commands",
       "modify": "Edit files",
       "rename": "Rename or move files and directories",
-      "share": "Share files"
+      "share": "Share files (require download permission)"
     },
     "permissions": "Permissions",
     "permissionsHelp": "You can set the user to be an administrator or choose the permissions individually. If you select \"Administrator\", all of the other options will be automatically checked. The management of users remains a privilege of an administrator.\n",
diff --git a/http/users.go b/http/users.go
index be1edf91..e61ab00b 100644
--- a/http/users.go
+++ b/http/users.go
@@ -156,6 +156,10 @@ var userPostHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *
 		return http.StatusBadRequest, err
 	}
 
+	if req.Data.Perm.Share && !req.Data.Perm.Download {
+		return http.StatusBadRequest, fberrors.ErrShareRequiresDownload
+	}
+
 	userHome, err := d.settings.MakeUserDir(req.Data.Username, req.Data.Scope, d.server.Root)
 	if err != nil {
 		log.Printf("create user: failed to mkdir user home dir: [%s]", userHome)
@@ -204,6 +208,14 @@ var userPutHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 		return http.StatusBadRequest, nil
 	}
 
+	for _, field := range req.Which {
+		if strings.ToLower(field) == "perm" || strings.ToLower(field) == "all" {
+			if req.Data.Perm.Share && !req.Data.Perm.Download {
+				return http.StatusBadRequest, fberrors.ErrShareRequiresDownload
+			}
+		}
+	}
+
 	if len(req.Which) == 0 || (len(req.Which) == 1 && req.Which[0] == "all") {
 		if !d.user.Perm.Admin {
 			return http.StatusForbidden, nil