Sharing in iOS App does not work with password enforcement #1780
Closed
Description
Steps to reproduce
With the following settings in the admin settings:
- Open iOS app
- click on the sharing icon to the right of the folder I want to share
- enter e-mail address
- click on share
Expected behaviour
An individual link with a generated password is created and an email is sent to the recipient.
Actual behaviour
The app shows an error 403 saying no permission to do that. In the browser and on Android it is working. It worked until a couple of versions ago.
Screenshots
Logs
2021-11-30 12:52:41 Clear log with level 1 Nextcloud Liquid for iOS 4.0.6.0 © 2021
2021-11-30 12:52:45 Network request started: PROPFIND https://mydomain.de/remote.php/webdav/Temp
2021-11-30 12:52:45 Network request headers: ["User-Agent": "Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6", "Authorization": "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX=", "Depth": "0", "OCS-APIRequest": "true", "Content-Type": "application/xml"]
2021-11-30 12:52:45 Network request body: <?xml version="1.0" encoding="UTF-8"?>
<d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns">
<d:prop>
<d:getlastmodified />
<d:getetag />
<d:getcontenttype />
<d:resourcetype />
<d:quota-available-bytes />
<d:quota-used-bytes />
<permissions xmlns="http://owncloud.org/ns"/>
<id xmlns="http://owncloud.org/ns"/>
<fileid xmlns="http://owncloud.org/ns"/>
<size xmlns="http://owncloud.org/ns"/>
<favorite xmlns="http://owncloud.org/ns"/>
<share-types xmlns="http://owncloud.org/ns"/>
<owner-id xmlns="http://owncloud.org/ns"/>
<owner-display-name xmlns="http://owncloud.org/ns"/>
<comments-unread xmlns="http://owncloud.org/ns"/>
<checksums xmlns="http://owncloud.org/ns"/>
<downloadURL xmlns="http://owncloud.org/ns"/>
<data-fingerprint xmlns="http://owncloud.org/ns"/>
<creation_time xmlns="http://nextcloud.org/ns"/>
<upload_time xmlns="http://nextcloud.org/ns"/>
<is-encrypted xmlns="http://nextcloud.org/ns"/>
<has-preview xmlns="http://nextcloud.org/ns"/>
<mount-type xmlns="http://nextcloud.org/ns"/>
<rich-workspace xmlns="http://nextcloud.org/ns"/>
<note xmlns="http://nextcloud.org/ns"/>
<share-permissions xmlns="http://open-collaboration-services.org/ns"/>
<share-permissions xmlns="http://open-cloud-mesh.org/ns"/>
</d:prop>
</d:propfind>
2021-11-30 12:52:45 Network response result: 2021-11-30 12:52:45 [Request]: PROPFIND https://mydomain.de/remote.php/webdav/Temp
[Headers]:
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Content-Type: application/xml
Depth: 0
OCS-APIRequest: true
User-Agent: Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6
[Body]:
<?xml version="1.0" encoding="UTF-8"?>
<d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns">
<d:prop>
<d:getlastmodified />
<d:getetag />
<d:getcontenttype />
<d:resourcetype />
<d:quota-available-bytes />
<d:quota-used-bytes />
<permissions xmlns="http://owncloud.org/ns"/>
<id xmlns="http://owncloud.org/ns"/>
<fileid xmlns="http://owncloud.org/ns"/>
<size xmlns="http://owncloud.org/ns"/>
<favorite xmlns="http://owncloud.org/ns"/>
<share-types xmlns="http://owncloud.org/ns"/>
<owner-id xmlns="http://owncloud.org/ns"/>
<owner-display-name xmlns="http://owncloud.org/ns"/>
<comments-unread xmlns="http://owncloud.org/ns"/>
<checksums xmlns="http://owncloud.org/ns"/>
<downloadURL xmlns="http://owncloud.org/ns"/>
<data-fingerprint xmlns="http://owncloud.org/ns"/>
<creation_time xmlns="http://nextcloud.org/ns"/>
<upload_time xmlns="http://nextcloud.org/ns"/>
<is-encrypted xmlns="http://nextcloud.org/ns"/>
<has-preview xmlns="http://nextcloud.org/ns"/>
<mount-type xmlns="http://nextcloud.org/ns"/>
<rich-workspace xmlns="http://nextcloud.org/ns"/>
<note xmlns="http://nextcloud.org/ns"/>
<share-permissions xmlns="http://open-collaboration-services.org/ns"/>
<share-permissions xmlns="http://open-cloud-mesh.org/ns"/>
</d:prop>
</d:propfind>
[Response]:
[Status Code]: 207
[Headers]:
Cache-Control: no-store, no-cache, must-revalidate
content-security-policy: default-src 'none';
Content-Type: application/xml; charset=utf-8
Date: Tue, 30 Nov 2021 11:52:45 GMT
dav: 1, 3, extended-mkcol
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
referrer-policy: no-referrer
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Vary: Brief,Prefer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
[Body]:
<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns"><d:response><d:href>/remote.php/webdav/Temp/</d:href><d:propstat><d:prop><d:getlastmodified>Mon, 29 Nov 2021 16:54:15 GMT</d:getlastmodified><d:getetag>"61a505b7a7788"</d:getetag><d:resourcetype><d:collection/></d:resourcetype><d:quota-available-bytes>-3</d:quota-available-bytes><d:quota-used-bytes>28133384</d:quota-used-bytes><oc:permissions>RGDNVCK</oc:permissions><oc:id>00021949ocyk0qp2jocq</oc:id><oc:fileid>21949</oc:fileid><oc:size>28133384</oc:size><oc:favorite>0</oc:favorite><oc:share-types/><oc:owner-id>suze</oc:owner-id><oc:owner-display-name>Shuzhe Yang</oc:owner-display-name><oc:comments-unread>0</oc:comments-unread><oc:data-fingerprint></oc:data-fingerprint><nc:is-encrypted>0</nc:is-encrypted><nc:has-preview>false</nc:has-preview><nc:mount-type></nc:mount-type><nc:rich-workspace></nc:rich-workspace><nc:note></nc:note><x1:share-permissions xmlns:x1="http://open-collaboration-services.org/ns">31</x1:share-permissions><x2:share-permissions xmlns:x2="http://open-cloud-mesh.org/ns">["share","read","write"]</x2:share-permissions></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:getcontenttype/><oc:checksums/><oc:downloadURL/><nc:creation_time/><nc:upload_time/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response></d:multistatus>
[Network Duration]: 0.11591804027557373s
[Serialization Duration]: 3.5833800211548805e-06s
[Result]: success(1505 bytes)
2021-11-30 12:52:45 Network response all headers: 2021-11-30 12:52:45 Optional([AnyHashable("content-security-policy"): default-src 'none';, AnyHashable("x-permitted-cross-domain-policies"): none, AnyHashable("Strict-Transport-Security"): max-age=15768000; includeSubDomains; preload, AnyHashable("x-content-type-options"): nosniff, AnyHashable("Vary"): Brief,Prefer, AnyHashable("x-robots-tag"): none, AnyHashable("x-xss-protection"): 1; mode=block, AnyHashable("referrer-policy"): no-referrer, AnyHashable("x-frame-options"): SAMEORIGIN, AnyHashable("Server"): Apache, AnyHashable("Expires"): Thu, 19 Nov 1981 08:52:00 GMT, AnyHashable("Date"): Tue, 30 Nov 2021 11:52:45 GMT, AnyHashable("dav"): 1, 3, extended-mkcol, AnyHashable("Pragma"): no-cache, AnyHashable("Cache-Control"): no-store, no-cache, must-revalidate, AnyHashable("Content-Type"): application/xml; charset=utf-8, AnyHashable("x-download-options"): noopen])
2021-11-30 12:52:48 Network request started: GET https://mydomain.de/ocs/v2.php/apps/files_sharing/api/v1/shares?path=Temp/Ebay&reshares=false&subfiles=false
2021-11-30 12:52:48 Network request headers: ["User-Agent": "Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6", "OCS-APIRequest": "true", "Content-Type": "application/xml", "Authorization": "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX="]
2021-11-30 12:52:48 Network request body: None
2021-11-30 12:52:48 Network response result: 2021-11-30 12:52:48 [Request]: GET https://mydomain.de/ocs/v2.php/apps/files_sharing/api/v1/shares?path=Temp/Ebay&reshares=false&subfiles=false
[Headers]:
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Content-Type: application/xml
OCS-APIRequest: true
User-Agent: Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6
[Body]: None
[Response]:
[Status Code]: 200
[Headers]:
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Length: 116
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
Content-Type: application/xml; charset=utf-8
Date: Tue, 30 Nov 2021 11:52:48 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
Pragma: no-cache
referrer-policy: no-referrer
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
[Body]:
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data/>
</ocs>
[Network Duration]: 0.10528194904327393s
[Serialization Duration]: 3.7499703466892242e-06s
[Result]: success(138 bytes)
2021-11-30 12:52:48 Network response all headers: 2021-11-30 12:52:48 Optional([AnyHashable("content-security-policy"): default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none', AnyHashable("Cache-Control"): no-cache, no-store, must-revalidate, AnyHashable("feature-policy"): autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none', AnyHashable("Server"): Apache, AnyHashable("Content-Type"): application/xml; charset=utf-8, AnyHashable("x-frame-options"): SAMEORIGIN, AnyHashable("x-xss-protection"): 1; mode=block, AnyHashable("Content-Encoding"): gzip, AnyHashable("referrer-policy"): no-referrer, AnyHashable("Strict-Transport-Security"): max-age=15768000; includeSubDomains; preload, AnyHashable("Date"): Tue, 30 Nov 2021 11:52:48 GMT, AnyHashable("x-permitted-cross-domain-policies"): none, AnyHashable("Pragma"): no-cache, AnyHashable("Expires"): Thu, 19 Nov 1981 08:52:00 GMT, AnyHashable("x-download-options"): noopen, AnyHashable("x-content-type-options"): nosniff, AnyHashable("x-robots-tag"): none, AnyHashable("Content-Length"): 116])
2021-11-30 12:52:54 Network request started: GET https://mydomain.de/ocs/v2.php/apps/files_sharing/api/v1/sharees?format=json&itemType=file&lookup=false&page=1&perPage=200&search=sharing@myemail.de
2021-11-30 12:52:54 Network request headers: ["User-Agent": "Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6", "Content-Type": "application/x-www-form-urlencoded", "OCS-APIRequest": "true", "Authorization": "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX="]
2021-11-30 12:52:54 Network request body: None
2021-11-30 12:52:54 Network response result: 2021-11-30 12:52:54 [Request]: GET https://mydomain.de/ocs/v2.php/apps/files_sharing/api/v1/sharees?format=json&itemType=file&lookup=false&page=1&perPage=200&search=sharing@myemail.de
[Headers]:
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Content-Type: application/x-www-form-urlencoded
OCS-APIRequest: true
User-Agent: Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6
[Body]: None
[Response]:
[Status Code]: 200
[Headers]:
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Length: 266
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
Content-Type: application/json; charset=utf-8
Date: Tue, 30 Nov 2021 11:52:54 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
Link: <https://mydomain.de/ocs/v2.php/apps/files_sharing/api/v1/sharees?search=sharing@myemail.de&itemType=file&shareType%5B0%5D=0&shareType%5B1%5D=1&shareType%5B2%5D=4&shareType%5B3%5D=6&shareType%5B4%5D=7&shareType%5B5%5D=9&perPage=25&page=2>; rel="next"
Pragma: no-cache
referrer-policy: no-referrer
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
[Body]:
{"ocs":{"meta":{"status":"ok","statuscode":200,"message":"OK"},"data":{"exact":{"users":[],"groups":[],"remotes":[{"label":"myname (gmx.net)","uuid":"myname","name":"myname","value":{"shareType":6,"shareWith":"sharing@myemail.de","server":"gmx.net"}}],"remote_groups":[{"label":"myname (gmx.net)","guid":"myname","name":"myname","value":{"shareType":9,"shareWith":"sharing@myemail.de","server":"gmx.net"}}],"emails":[{"label":"sharing@myemail.de","uuid":"sharing@myemail.de","value":{"shareType":4,"shareWith":"sharing@myemail.de"}}],"circles":[],"rooms":[],"deck":[]},"users":[],"groups":[],"remotes":[],"remote_groups":[],"emails":[],"lookup":[],"circles":[],"rooms":[],"deck":[],"lookupEnabled":true}}}
[Network Duration]: 0.160086989402771s
[Serialization Duration]: 0.00022466666996479034s
[Result]: success({
ocs = {
data = {
circles = (
);
deck = (
);
emails = (
);
exact = {
circles = (
);
deck = (
);
emails = (
{
label = "sharing@myemail.de";
uuid = "sharing@myemail.de";
value = {
shareType = 4;
shareWith = "sharing@myemail.de";
};
}
);
groups = (
);
"remote_groups" = (
{
guid = myname;
label = "myname (gmx.net)";
name = myname;
value = {
server = "gmx.net";
shareType = 9;
shareWith = "sharing@myemail.de";
};
}
);
remotes = (
{
label = "myname (gmx.net)";
name = myname;
uuid = myname;
value = {
server = "gmx.net";
shareType = 6;
shareWith = "sharing@myemail.de";
};
}
);
rooms = (
);
users = (
);
};
groups = (
);
lookup = (
);
lookupEnabled = 1;
"remote_groups" = (
);
remotes = (
);
rooms = (
);
users = (
);
};
meta = {
message = OK;
status = ok;
statuscode = 200;
};
};
})
2021-11-30 12:52:54 Network response all headers: 2021-11-30 12:52:54 Optional([AnyHashable("x-frame-options"): SAMEORIGIN, AnyHashable("x-permitted-cross-domain-policies"): none, AnyHashable("x-robots-tag"): none, AnyHashable("Server"): Apache, AnyHashable("Content-Encoding"): gzip, AnyHashable("Cache-Control"): no-cache, no-store, must-revalidate, AnyHashable("feature-policy"): autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none', AnyHashable("content-security-policy"): default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none', AnyHashable("Expires"): Thu, 19 Nov 1981 08:52:00 GMT, AnyHashable("Pragma"): no-cache, AnyHashable("referrer-policy"): no-referrer, AnyHashable("Strict-Transport-Security"): max-age=15768000; includeSubDomains; preload, AnyHashable("Link"): <https://mydomain.de/ocs/v2.php/apps/files_sharing/api/v1/sharees?search=sharing@myemail.de&itemType=file&shareType%5B0%5D=0&shareType%5B1%5D=1&shareType%5B2%5D=4&shareType%5B3%5D=6&shareType%5B4%5D=7&shareType%5B5%5D=9&perPage=25&page=2>; rel="next", AnyHashable("Content-Length"): 266, AnyHashable("x-xss-protection"): 1; mode=block, AnyHashable("Content-Type"): application/json; charset=utf-8, AnyHashable("x-download-options"): noopen, AnyHashable("x-content-type-options"): nosniff, AnyHashable("Date"): Tue, 30 Nov 2021 11:52:54 GMT])
2021-11-30 12:52:54 Network request started: GET https://mydomain.de/index.php/avatar/sharing@myemail.de/512
2021-11-30 12:52:54 Network request headers: ["User-Agent": "Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6", "Authorization": "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX=", "OCS-APIRequest": "true", "Content-Type": "application/x-www-form-urlencoded"]
2021-11-30 12:52:54 Network request body: None
2021-11-30 12:52:54 Network request started: GET https://mydomain.de/index.php/avatar/sharing@myemail.de/512
2021-11-30 12:52:54 Network request headers: ["User-Agent": "Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6", "Authorization": "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX=", "OCS-APIRequest": "true", "Content-Type": "application/x-www-form-urlencoded"]
2021-11-30 12:52:54 Network request body: None
2021-11-30 12:52:54 Network request started: GET https://mydomain.de/index.php/avatar/sharing@myemail.de/512
2021-11-30 12:52:54 Network request headers: ["User-Agent": "Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6", "Authorization": "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX=", "OCS-APIRequest": "true", "Content-Type": "application/x-www-form-urlencoded"]
2021-11-30 12:52:54 Network request body: None
2021-11-30 12:52:56 Network request started: POST https://mydomain.de/ocs/v2.php/apps/files_sharing/api/v1/shares?format=json
2021-11-30 12:52:56 Network request headers: ["Content-Type": "application/x-www-form-urlencoded", "OCS-APIRequest": "true", "User-Agent": "Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6", "Authorization": "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX="]
2021-11-30 12:52:56 Network request body: hideDownload=false&path=Temp/Ebay&permissions=31&publicUpload=false&shareType=4&shareWith=sharing@myemail.de
2021-11-30 12:52:56 Network response result: 2021-11-30 12:52:56 [Request]: POST https://mydomain.de/ocs/v2.php/apps/files_sharing/api/v1/shares?format=json
[Headers]:
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Content-Type: application/x-www-form-urlencoded
OCS-APIRequest: true
User-Agent: Mozilla/5.0 (iOS) Nextcloud-iOS/4.0.6
[Body]: 108 bytes
[Response]:
[Status Code]: 403
[Headers]:
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 124
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
Content-Type: application/json; charset=utf-8
Date: Tue, 30 Nov 2021 11:52:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
Pragma: no-cache
referrer-policy: no-referrer
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
[Body]:
{"ocs":{"meta":{"status":"failure","statuscode":403,"message":"Passwords are enforced for link and mail shares"},"data":[]}}
[Network Duration]: 0.19295108318328857s
[Serialization Duration]: 2.2666645236313343e-05s
[Result]: failure(Alamofire.AFError.responseValidationFailed(reason: Alamofire.AFError.ResponseValidationFailureReason.unacceptableStatusCode(code: 403)))
2021-11-30 12:52:56 Network response all headers: 2021-11-30 12:52:56 Optional([AnyHashable("Server"): Apache, AnyHashable("x-xss-protection"): 1; mode=block, AnyHashable("referrer-policy"): no-referrer, AnyHashable("x-content-type-options"): nosniff, AnyHashable("Pragma"): no-cache, AnyHashable("Date"): Tue, 30 Nov 2021 11:52:56 GMT, AnyHashable("Expires"): Thu, 19 Nov 1981 08:52:00 GMT, AnyHashable("x-robots-tag"): none, AnyHashable("x-frame-options"): SAMEORIGIN, AnyHashable("x-permitted-cross-domain-policies"): none, AnyHashable("feature-policy"): autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none', AnyHashable("x-download-options"): noopen, AnyHashable("Content-Type"): application/json; charset=utf-8, AnyHashable("Cache-Control"): no-cache, no-store, must-revalidate, AnyHashable("Strict-Transport-Security"): max-age=15768000; includeSubDomains; preload, AnyHashable("content-security-policy"): default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none', AnyHashable("Content-Length"): 124])
Reasoning or why should it be changed/implemented?
Environment data
iOS version: e.g. iOS 15.1.1
Nextcloud iOS app version: 4.1.0
Server operating system: Debian 10 / NextCloudPi on Docker
Web server: Apache
Database: MariaDB
PHP version: 7.3
Nextcloud version: 22.2.2
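The failing POST in the log above carries no `password` field, while the server answers "Passwords are enforced for link and mail shares". As an added example (not code from the Nextcloud iOS app or server), the following Python checks a logged share-request body against that rule and appends a generated password when one is required. The function names, the `enforced` flag and share type 3 for public links are assumptions; how a client learns the enforcement setting is not shown on this page.

```python
import json
import secrets
import string
from urllib.parse import parse_qsl, urlencode

# shareType 4 (e-mail) is the value in the logged request; 3 (public link)
# is an assumption taken from the OCS Share API, not from this page.
PASSWORD_SHARE_TYPES = {"3", "4"}
ALPHABET = string.ascii_letters + string.digits


def parse_share_body(body: str) -> dict:
    """Decode a form-encoded share request body into a field dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def needs_password(fields: dict, enforced: bool) -> bool:
    """True when enforcement applies to this share type and no password is set."""
    return (enforced
            and fields.get("shareType") in PASSWORD_SHARE_TYPES
            and not fields.get("password"))


def with_password(body: str, enforced: bool, length: int = 20) -> str:
    """Return the body unchanged, or with a generated password appended."""
    fields = parse_share_body(body)
    if not needs_password(fields, enforced):
        return body
    # CSPRNG-backed choice; a server-side password policy may demand more.
    fields["password"] = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return urlencode(fields, safe="/@")


def is_password_enforcement_error(response_body: str) -> bool:
    """Recognise the 403 from the log by its OCS status code and message."""
    meta = json.loads(response_body).get("ocs", {}).get("meta", {})
    message = str(meta.get("message", "")).lower()
    return meta.get("statuscode") == 403 and "passwords are enforced" in message


# Request and response bodies copied from the log on this page.
LOGGED_BODY = ("hideDownload=false&path=Temp/Ebay&permissions=31"
               "&publicUpload=false&shareType=4&shareWith=sharing@myemail.de")
LOGGED_RESPONSE = ('{"ocs":{"meta":{"status":"failure","statuscode":403,'
                   '"message":"Passwords are enforced for link and mail shares"},'
                   '"data":[]}}')

if __name__ == "__main__":
    print(is_password_enforcement_error(LOGGED_RESPONSE))
    print(needs_password(parse_share_body(LOGGED_BODY), enforced=True))
    print(with_password(LOGGED_BODY, enforced=True))
```

The message match depends on the server returning the English text seen in the log; the OCS status code check is the stable part.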

