Anonymous users can unlock a file shared to them through a public link if they get the lock token #7761

Open
SwikritiT opened this issue Nov 20, 2023 · 0 comments
SwikritiT commented Nov 20, 2023

Describe the bug

Public can unlock a file shared to them through a public link if they get the lock token.

Steps to reproduce

  1. As user einstein, create a file hello/newtest.txt
  2. As user einstein, create a public link of folder hello with all permissions
  3. As user einstein, lock the file newtest.txt

```
curl -ueinstein:relativity -XLOCK "https://localhost:9200/remote.php/dav/files/einstein/hello/newtest.txt" -H "Content-Type: application/json" -d"<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'><d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>" -vk
```

  4. As anonymous user, try to unlock the file with the token from user einstein

```
curl -XUNLOCK 'https://localhost:9200/remote.php/dav/public-files/<public-link-token>/newtest.txt' \
--header 'Lock-Token: <lock-token>' -upublic:#Passw0rd -vk
```

Expected behavior

Even though the anonymous user has the lock token, they should not be able to unlock the file. The server should throw some appropriate status code and error message.

Actual behavior

The anonymous user can unlock the file.

```
curl --location --request UNLOCK 'https://localhost:9200/remote.php/dav/public-files/EcQTKexBySBoGPd/newtest.txt' \
--header 'Lock-Token: urn:uuid:e7f7f8b1-c2d7-41c1-93c9-ee9f90ae5189' -upublic:#Passw0rd -vk
*   Trying 127.0.0.1:9200...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=Acme Corp; CN=OCIS
*  start date: Nov 20 10:41:12 2023 GMT
*  expire date: Nov 19 10:41:12 2024 GMT
*  issuer: O=Acme Corp; CN=OCIS
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Server auth using Basic with user 'public'
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> UNLOCK /remote.php/dav/public-files/EcQTKexBySBoGPd/newtest.txt HTTP/1.1
> Host: localhost:9200
> Authorization: Basic cHVibGljOiNQYXNzdzByZA==
> User-Agent: curl/7.81.0
> Accept: */*
> Lock-Token: urn:uuid:e7f7f8b1-c2d7-41c1-93c9-ee9f90ae5189
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none';
< Date: Mon, 20 Nov 2023 11:07:37 GMT
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: swikriti-OptiPlex-3070/lvJs9WE2WD-005643
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< 
* Connection #0 to host localhost left intact
```

Setup

Please describe how you started the server and provide a list of relevant environment variables or configuration files.

OCIS_COMMITID=5c8c29ca0e80ec4ea65c9f904100ad0c2b89c9da
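The expected behavior above boils down to an ownership check on UNLOCK: a matching Lock-Token must not be sufficient on its own. The following is an added example of that check, not oCIS code; the Principal, Lock and LockStore types are an assumed simplified model, and the token values are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
)

// Principal is the caller (assumed model): authenticated users carry a
// UserID; anonymous public-link visitors carry only the link's ShareToken.
type Principal struct{ UserID, ShareToken string }

// Lock records the opaque Lock-Token handed out and who created the lock.
type Lock struct{ Token, OwnerID string }

// LockStore maps resource path -> lock (in-memory stand-in for a real store).
type LockStore map[string]Lock

var (
	ErrNoLock   = errors.New("409 Conflict: resource is not locked")
	ErrBadToken = errors.New("409 Conflict: Lock-Token does not match")
	ErrNotOwner = errors.New("403 Forbidden: only the lock owner may unlock")
)

// Unlock requires BOTH a matching Lock-Token and that the caller is the
// authenticated user who took the lock. Possessing the token alone, as the
// anonymous public-link user in this issue does, is not sufficient.
func (s LockStore) Unlock(path, lockToken string, p Principal) error {
	l, ok := s[path]
	if !ok {
		return ErrNoLock
	}
	if l.Token != lockToken {
		return ErrBadToken
	}
	// Anonymous principals have an empty UserID and so never match the owner.
	if p.UserID == "" || p.UserID != l.OwnerID {
		return ErrNotOwner
	}
	delete(s, path)
	return nil
}

func main() {
	const tok = "urn:uuid:LOCK-TOKEN-PLACEHOLDER" // constructed sample value
	s := LockStore{"hello/newtest.txt": {Token: tok, OwnerID: "einstein"}}
	// Anonymous public-link visitor with the leaked token: rejected (403).
	fmt.Println(s.Unlock("hello/newtest.txt", tok, Principal{ShareToken: "LINK-TOKEN-PLACEHOLDER"}))
	// The lock owner with the same token: allowed (nil error).
	fmt.Println(s.Unlock("hello/newtest.txt", tok, Principal{UserID: "einstein"}))
}
```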

@SwikritiT SwikritiT changed the title Public can unlock a file if they get the lock token Anonymous users can unlock a file shared to them through the a link if they get the lock token Nov 20, 2023
@SwikritiT SwikritiT changed the title Anonymous users can unlock a file shared to them through the a link if they get the lock token Anonymous users can unlock a file shared to them through a public link if they get the lock token Nov 20, 2023