From 3a256056e200f558f8ddf62ec43edd76558e9318 Mon Sep 17 00:00:00 2001
From: nfebe <fenn25.fn@gmail.com>
Date: Wed, 22 Apr 2026 04:38:27 +0100
Subject: [PATCH] fix(shares): Team shares are reached via membership mount
 only

Resolving a Team share by its token now returns not-found. Members
access Team shares through the mount they receive from their Team
membership, never through the public share token route. The token
field is still populated on the share row because it is reused as
an internal key for federated Team mounts.
---
 lib/ShareByCircleProvider.php | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/lib/ShareByCircleProvider.php b/lib/ShareByCircleProvider.php
index 32a8e5399..78a8a3372 100644
--- a/lib/ShareByCircleProvider.php
+++ b/lib/ShareByCircleProvider.php
@@ -569,30 +569,18 @@ function (ShareWrapper $wrapper) {
 	}
 
 	/**
+	 * Team shares are reached through the membership-based mount, never via the
+	 * public /s/<token> route. Refusing to resolve the token here keeps the
+	 * share out of the public share controller even though a token is still
+	 * stored on the share row (it is reused as a mount-row key elsewhere).
+	 *
 	 * @param string $token
 	 *
 	 * @return IShare
-	 * @throws IllegalIDChangeException
-	 * @throws RequestBuilderException
 	 * @throws ShareNotFound
 	 */
 	public function getShareByToken($token): IShare {
-		if (is_null($token)) {
-			throw new ShareNotFound();
-		}
-
-		try {
-			$wrappedShare = $this->shareWrapperService->getShareByToken($token);
-		} catch (ShareWrapperNotFoundException $e) {
-			throw new ShareNotFound();
-		}
-
-		$share = $wrappedShare->getShare($this->rootFolder, $this->userManager, $this->urlGenerator);
-		if ($share->getPassword() !== '') {
-			$this->logger->notice('share is protected by a password, hash: ' . $share->getPassword());
-		}
-
-		return $share;
+		throw new ShareNotFound();
 	}