send PUT requests to another user's webDav endpoints as normal user #39597

@SwikritiT

Describe the bug

Sending a PUT request to another user's WebDAV endpoints as a normal user gives different status codes for oc10 and ocis

Steps to reproduce

Steps to reproduce the behavior:

  1. Create user Alice and Brian
  2. As Alice create a folder PARENT
  3. As Alice create file /PARENT/parent.txt and textfile1.txt
  4. Send PUT request to endpoint /remote.php/dav/files/Alice/textfile1.txt as user Brian with body doesnotmatter
  5. Then the HTTP status code should be "403". This is the same for both oc10 and ocis
  6. Now again send a PUT request to endpoint /remote.php/dav/files/Alice/PARENT/parent.txt as user Brian with body doesnotmatter
  7. HTTP status code is 403 for ocis and 409 for oc10.

Expected behavior

The status code should be 403 like that in OCIS


PUT /remote.php/dav/files/Alice/PARENT/parent.txt HTTP/1.1
Host: localhost:9200
User-Agent: GuzzleHttp/7
Content-Length: 13
Authorization: basic QnJpYW46MTIzNA==
Ocs-Apirequest: true
X-Access-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.U3QSfjUaNjaMVcgkZeX1agYAzRBC8bfaJvBdUFbxSe0
X-Request-Id: 8f24113f-3b61-47fc-9a76-136f60866fe0
Accept-Encoding: gzip

doesnotmatter

HTTP/1.1 403 Forbidden
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none';
Vary: Origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block
Date: Wed, 15 Dec 2021 04:07:49 GMT
Content-Length: 0

Actual behavior

This is current OC10 behaviour

PUT /core/remote.php/dav/files/Alice/PARENT/parent.txt HTTP/1.1
Host: 172.17.0.1
User-Agent: GuzzleHttp/7
Authorization: basic QnJpYW46MTIzNA==
OCS-APIREQUEST: true
Content-Length: 13

doesnotmatter

HTTP/1.1 409 Conflict
Date: Wed, 15 Dec 2021 04:03:13 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: oc5soe2gvutv=su3hhdcs3jnpitq5r3lk9kg2qt; path=/core; HttpOnly; SameSite=Strict
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=NHBE%2FZgB8m4r%2BEZVu%2Bp81QCk1rT43BdsKYnoxOaZM%2Ftifyx3DwsVSl89nN5snANormsaQjVKljRDrCSrqzJQnC3pOLFybXjqbCgfFphxEJKmhsqmu5k3760rBLkAdOaX; path=/core; HttpOnly; SameSite=Strict
Content-Security-Policy: default-src 'none';
Set-Cookie: oc5soe2gvutv=49giikrdsi0ut101hnl5qoltrv; path=/core; HttpOnly; SameSite=Strict
Set-Cookie: cookie_test=test; expires=Wed, 15-Dec-2021 05:03:13 GMT; Max-Age=3600
Content-Length: 243
Content-Type: application/xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Conflict</s:exception>
  <s:message>Files cannot be created in non-existent collections</s:message>
</d:error>
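
An added example, not part of the original report and not ownCloud or oCIS code: a toy model showing how the order of the permission check and the parent-collection check alone can yield the two status codes reported above. The handler names, the in-memory store and the "resolve first" ordering are assumptions made for illustration.

```python
# Toy model (assumption): two orderings of the same two checks in a WebDAV PUT handler.
# Constructed state from the reproduction steps: Alice owns PARENT/parent.txt and textfile1.txt.
PREFIX = "/remote.php/dav/files/"
STORE = {"Alice": {"dirs": {"", "PARENT"}, "files": {"PARENT/parent.txt", "textfile1.txt"}},
         "Brian": {"dirs": {""}, "files": set()}}


def split(path):
    """Return (owner, parent collection, relative path) for a files endpoint."""
    owner, _, rel = path[len(PREFIX):].partition("/")
    return owner, rel.rpartition("/")[0], rel


def put_authz_first(requester, path):
    """Authorize against the path owner before looking at the tree."""
    owner, parent, rel = split(path)
    if requester != owner:
        return 403                       # same answer for every foreign path
    if parent not in STORE[owner]["dirs"]:
        return 409                       # only the owner can get a Conflict
    created = rel not in STORE[owner]["files"]
    STORE[owner]["files"].add(rel)
    return 201 if created else 204


def put_resolve_first(requester, path):
    """Hypothetical ordering: resolve the parent in the requester's view, then authorize."""
    owner, parent, _ = split(path)
    # Assumption: a non-owner's view of the owner's tree contains only the root.
    visible = STORE[owner]["dirs"] if requester == owner else {""}
    if parent not in visible:
        return 409                       # Conflict is raised before any permission check
    return put_authz_first(requester, path)


def mismatches(requester, paths):
    """List (path, resolve_first_status, authz_first_status) where the orderings disagree."""
    out = []
    for p in paths:
        a, b = put_resolve_first(requester, p), put_authz_first(requester, p)
        if a != b:
            out.append((p, a, b))
    return out


STEPS = [PREFIX + "Alice/textfile1.txt", PREFIX + "Alice/PARENT/parent.txt"]
if __name__ == "__main__":
    for row in mismatches("Brian", STEPS):
        print(row)
```
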
