Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: return 403 statuscode instead of 404 when there's not enough share permission #4086

Merged
merged 5 commits into from
Jul 31, 2023
Merged

fix: return 403 statuscode instead of 404 when there's not enough share permission #4086

merged 5 commits into from
Jul 31, 2023

Conversation

saw-jan
Copy link
Contributor

@saw-jan saw-jan commented Jul 28, 2023

When trying to reshare a resource (that doesn't have share permission), the ocs response code is 404 but instead it should be 403.

This PR fixes that issue and now the request returns 403 code.

Before:

<?xml version="1.0" encoding="UTF-8"?>
<ocs>
  <meta>
    <status>error</status>
    <statuscode>404</statuscode>
    <message>No share permission</message>
  </meta>
</ocs>

This PR:

<?xml version="1.0" encoding="UTF-8"?>
<ocs>
  <meta>
    <status>error</status>
    <statuscode>403</statuscode>
    <message>No share permission</message>
  </meta>
</ocs>

Motivation: owncloud/ocis#5742 (comment)

In general here is a list of error codes returned by the ms graph api: https://learn.microsoft.com/en-us/graph/errors

Now the 401 Unauthorized vs 403 Forbidden vs 404 Not Found status code may look tricky, but hara are the guidelines:

  • we don't want to expose existence of resources if a user has no access to them, so we return a 404 Not Found instead of a 403 Forbidden.
  • when a user has access to a resource but tries to execute an action that he does not have enough permissions for, e.g. when he tries to write to a read only share, we return a 403 Forbidden

Issue: owncloud/ocis#6670

@saw-jan
Copy link
Contributor Author

saw-jan commented Jul 28, 2023

CC @2403905 @kobergj

@saw-jan
Copy link
Contributor Author

saw-jan commented Jul 28, 2023
edited

Looks like some test expectation needs to be changed.
Build: https://drone.owncloud.com/cs3org/reva/2471/20/7

  Scenario Outline: creating a public link from a share with read permission only is not allowed # /drone/src/tmp/testrunner/tests/acceptance/features/coreApiSharePublicLink2/reShareAsPublicLinkToSharesNewDav.feature:14
    Given using OCS API version "<ocs_api_version>"                                              # FeatureContext::usingOcsApiVersion()
    And user "Alice" has created folder "/test"                                                  # FeatureContext::userHasCreatedFolder()
    And user "Alice" has shared folder "/test" with user "Brian" with permissions "read"         # FeatureContext::userHasSharedFileWithUserUsingTheSharingApi()
    And user "Brian" has accepted share "/test" offered by user "Alice"                          # FeatureContext::userHasReactedToShareOfferedBy()
    When user "Brian" creates a public link share using the sharing API with settings            # FeatureContext::userCreatesAPublicLinkShareWithSettings()
      | path         | /Shares/test |
      | publicUpload | false        |
    Then the OCS status code should be "404"                                                     # OCSContext::theOCSStatusCodeShouldBe()
    And the HTTP status code should be "<http_status_code>"                                      # FeatureContext::thenTheHTTPStatusCodeShouldBe()

    Examples:
      | ocs_api_version | http_status_code |
      | 1               | 200              |
        Failed step: Then the OCS status code should be "404"
        OCS status code is not any of the expected values 404 got 403
        Failed asserting that an array contains '403'.

I would think, for this scenario, the status code should be 403 instead of 404.

kobergj
kobergj approved these changes Jul 28, 2023
View reviewed changes
Copy link
Contributor

@kobergj kobergj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Awesome

@saw-jan saw-jan mentioned this pull request Jul 31, 2023
Merged
@saw-jan
Copy link
Contributor Author

saw-jan commented Jul 31, 2023

I will test it in ocis (owncloud/ocis#6919), update expected failure list, merge it and then bump the ocis (after owncloud/ocis#6919)

@phil-davis
Copy link
Contributor

I suppose that test expectations need to be adjusted. Maybe you could adjust the test scenarios in ocis so they have the expected results. They will fail in the current ocis. Add them to expected-failures in ocis. Then bump ocis here in this reva PR - the tests should pass here. Then bump reva into ocis (removing the test scenarios from expected-failures in ocis)
Unless you have a better way to do this sequence of code and test changes.

@saw-jan
Copy link
Contributor Author

saw-jan commented Jul 31, 2023

I suppose that test expectations need to be adjusted. Maybe you could adjust the test scenarios in ocis so they have the expected results. They will fail in the current ocis. Add them to expected-failures in ocis. Then bump ocis here in this reva PR - the tests should pass here. Then bump reva into ocis (removing the test scenarios from expected-failures in ocis) Unless you have a better way to do this sequence of code and test changes.

I was thinking of adding failures to expected-failure list here, merge it and bump reva in ocis, update test expectation (passing tests), merge it and then bump ocis here, remove tests from expected-failure list. Just the opposite 😅

@phil-davis
Copy link
Contributor

Yes, that's fine to do it that way.

@saw-jan saw-jan marked this pull request as ready for review July 31, 2023 04:54
@saw-jan saw-jan requested review from a team, labkode, ishank011 and glpatcern as code owners July 31, 2023 04:54
@saw-jan saw-jan requested a review from wkloucek as a code owner July 31, 2023 04:55
@saw-jan saw-jan requested a review from kobergj July 31, 2023 04:57
@cs3org cs3org deleted a comment from update-docs bot Jul 31, 2023
@saw-jan
Copy link
Contributor Author

saw-jan commented Jul 31, 2023
edited

changelog is failing. I don't know why. fixed

@saw-jan saw-jan changed the title fix: return 403 statuscode instead of 404 when there's no share permission fix: return 403 statuscode instead of 404 when there's not enough share permission Jul 31, 2023
@phil-davis phil-davis merged commit 2c2e370 into cs3org:edge Jul 31, 2023
9 checks passed
@saw-jan saw-jan deleted the fix/issue-6670-sajan branch July 31, 2023 06:23
@saw-jan saw-jan restored the fix/issue-6670-sajan branch July 31, 2023 06:23
@saw-jan
Copy link
Contributor Author

saw-jan commented Jul 31, 2023

Tested in https://drone.owncloud.com/owncloud/ocis/24901

@saw-jan saw-jan deleted the fix/issue-6670-sajan branch July 31, 2023 06:38
@saw-jan saw-jan mentioned this pull request Jul 31, 2023
Merged
@kobergj kobergj mentioned this pull request Mar 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@phil-davis phil-davis phil-davis approved these changes

@labkode labkode Awaiting requested review from labkode labkode is a code owner

@ishank011 ishank011 Awaiting requested review from ishank011

@glpatcern glpatcern Awaiting requested review from glpatcern glpatcern is a code owner

@wkloucek wkloucek Awaiting requested review from wkloucek

@kobergj kobergj Awaiting requested review from kobergj

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@saw-jan @phil-davis @kobergj