Create Share API not honoring "permissions" parameter #17504

Open
asadsnowman opened this issue Oct 10, 2019 · 4 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 26-feedback bug feature: sharing

Comments


Steps to reproduce

  1. Create a new Share on a folder through the API with the following parameters: shareType=3, publicUpload=true, and permissions=4.
  2. Check new Share permissions in browser or through API.

Expected behaviour

Share permissions should be 4: "File drop (upload only)"

Actual behaviour

Share permissions are 15: "Allow upload and editing"

Server configuration

Operating system:
Ubuntu 18.04.1
Web server:
Apache/2.4.38 (Debian)
Database:
sqlite3 3.28.0
PHP version:
7.3.10
Nextcloud version:
17.0.0.9

Updated from an older Nextcloud/ownCloud or fresh install:
fresh install
Where did you install Nextcloud from:
docker
Signing status:

Signing status
No errors have been found.

List of activated apps:

App list
Enabled:
  - accessibility: 1.3.0
  - activity: 2.10.1
  - admin_audit: 1.7.0
  - cloud_federation_api: 1.0.0
  - comments: 1.7.0
  - dav: 1.13.0
  - federatedfilesharing: 1.7.0
  - federation: 1.7.0
  - files: 1.12.0
  - files_accesscontrol: 1.7.0
  - files_external: 1.8.0
  - files_pdfviewer: 1.6.0
  - files_rightclick: 0.14.2
  - files_sharing: 1.9.0
  - files_trashbin: 1.7.0
  - files_versions: 1.10.0
  - files_videoplayer: 1.6.0
  - firstrunwizard: 2.6.0
  - gallery: 18.4.0
  - group_everyone: 0.1.3
  - logreader: 2.2.0
  - lookup_server_connector: 1.5.0
  - nextcloud_announcements: 1.6.0
  - notifications: 2.5.0
  - oauth2: 1.5.0
  - password_policy: 1.7.0
  - privacy: 1.1.0
  - provisioning_api: 1.7.0
  - recommendations: 0.5.0
  - serverinfo: 1.7.0
  - sharebymail: 1.7.0
  - sharepoint: 1.5.0
  - support: 1.0.1
  - survey_client: 1.5.0
  - systemtags: 1.7.0
  - text: 1.1.0
  - theming: 1.8.0
  - twofactor_backupcodes: 1.6.0
  - updatenotification: 1.7.0
  - user_ldap: 1.7.0
  - viewer: 1.1.0
  - workflowengine: 1.7.0
Disabled:
  - encryption

Nextcloud configuration:

Config report
{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost:9999",
            "10.1.11.166:9999"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "sqlite3",
        "version": "17.0.0.9",
        "overwrite.cli.url": "http:\/\/localhost:9999",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpmode": "smtp",
        "mail_smtpauth": 1,
        "mail_sendmailmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN"
    }
}

Are you using external storage, if yes which one: No

Are you using encryption: No

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+----------------------------------------------------+
| Configuration                 | s01                                                |
+-------------------------------+----------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                  |
| homeFolderNamingRule          |                                                    |
| lastJpegPhotoLookup           | 0                                                  |
| ldapAgentName                 | REMOVED                                            |
| ldapAgentPassword             | ***                                                |
| ldapAttributesForGroupSearch  |                                                    |
| ldapAttributesForUserSearch   |                                                    |
| ldapBackupHost                |                                                    |
| ldapBackupPort                |                                                    |
| ldapBase                      | REMOVED                                            |
| ldapBaseGroups                | REMOVED                                            |
| ldapBaseUsers                 | REMOVED                                            |
| ldapCacheTTL                  | 600                                                |
| ldapConfigurationActive       | 1                                                  |
| ldapDefaultPPolicyDN          |                                                    |
| ldapDynamicGroupMemberURL     |                                                    |
| ldapEmailAttribute            | mail                                               |
| ldapExperiencedAdmin          | 0                                                  |
| ldapExpertUUIDGroupAttr       |                                                    |
| ldapExpertUUIDUserAttr        |                                                    |
| ldapExpertUsernameAttr        | samaccountname                                     |
| ldapExtStorageHomeAttribute   |                                                    |
| ldapGidNumber                 | gidNumber                                          |
| ldapGroupDisplayName          | cn                                                 |
| ldapGroupFilter               |                                                    |
| ldapGroupFilterGroups         |                                                    |
| ldapGroupFilterMode           | 0                                                  |
| ldapGroupFilterObjectclass    |                                                    |
| ldapGroupMemberAssocAttr      | member                                             |
| ldapHost                      | REMOVED                                            |
| ldapIgnoreNamingRules         |                                                    |
| ldapLoginFilter               | (&(&(|(objectclass=person)))(samaccountname=%uid)) |
| ldapLoginFilterAttributes     |                                                    |
| ldapLoginFilterEmail          | 0                                                  |
| ldapLoginFilterMode           | 0                                                  |
| ldapLoginFilterUsername       | 1                                                  |
| ldapNestedGroups              | 0                                                  |
| ldapOverrideMainServer        |                                                    |
| ldapPagingSize                | 500                                                |
| ldapPort                      | 389                                                |
| ldapQuotaAttribute            |                                                    |
| ldapQuotaDefault              |                                                    |
| ldapTLS                       | 0                                                  |
| ldapUserAvatarRule            | default                                            |
| ldapUserDisplayName           | displayname                                        |
| ldapUserDisplayName2          | samaccountname                                     |
| ldapUserFilter                | (&(!(objectclass=computer))(objectclass=person))   |
| ldapUserFilterGroups          |                                                    |
| ldapUserFilterMode            | 1                                                  |
| ldapUserFilterObjectclass     | person                                             |
| ldapUuidGroupAttribute        | auto                                               |
| ldapUuidUserAttribute         | auto                                               |
| turnOffCertCheck              | 0                                                  |
| turnOnPasswordChange          | 0                                                  |
| useMemberOfToDetectMembership | 1                                                  |
+-------------------------------+----------------------------------------------------+

Client configuration

Browser:
Google Chrome 77.0.3865.90 (Official Build) (64-bit)
Operating system:
Windows 10 OS Version 1809 (Build 17763.678)

Logs

Web server error log

Web server error log
Insert your webserver log here

Nextcloud log (data/nextcloud.log)

Nextcloud log
No errors reported in log for this issue

Browser log

Browser log
Browser not required to recreate issue
@skjnldsv skjnldsv added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug feature: sharing labels Dec 9, 2019

bpcurse commented Feb 12, 2020

I can confirm this behavior for 16.0.7 and 18.0.1 RC2.

Possible workaround using HTTP PUT afterwards:
https://help.nextcloud.com/t/auto-create-public-and-drop-shares-for-each-user/70445/18

Member

skjnldsv commented Mar 22, 2021

Expected behaviour

Share permissions should be 4: "File drop (upload only)"

Actual behaviour

Share permissions are 15: "Allow upload and editing"

Not really

$permissions = Constants::PERMISSION_READ |
    Constants::PERMISSION_CREATE |
    Constants::PERMISSION_UPDATE |
    Constants::PERMISSION_DELETE;

If you want to be allowed to drop files, you need PERMISSION_CREATE. And any link share always has the PERMISSION_READ too. So if you give permissions:4, it will at least require 5.

Nonetheless, a proper file drop does not require PERMISSION_UPDATE nor PERMISSION_DELETE.

Manually changing the permissions to 4 afterwards works AND returns 4, meaning we don't check the READ anymore 🤔

@rullzer @MorrisJobke what is this about the READ permissions, should we allow file drop without PERMISSION_READ?
We should definitely fix the createShare api method then :)
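
The bit arithmetic from the comment above, as an added example that is not part of the issue thread or of Nextcloud's code: it decodes the permission mask and flags link shares that came back with more rights than the client requested (4 requested, 15 granted). The names `Perm`, `names`, `excess` and `audit`, the record field names and the sample records are assumptions made for illustration.

```python
from enum import IntFlag


class Perm(IntFlag):
    """Nextcloud share permission bits (the Constants::PERMISSION_* values)."""
    READ = 1
    UPDATE = 2
    CREATE = 4
    DELETE = 8
    SHARE = 16


LINK_SHARE = 3  # shareType used in the report (public link)


def names(mask):
    """Names of the permission bits set in an integer mask."""
    return [p.name for p in Perm if mask & p.value]


def excess(requested, granted):
    """Bits present in the granted mask that were not in the request."""
    return granted & ~requested


def audit(records, requested_by_id, tolerate=Perm.READ):
    """Flag link shares that were granted more rights than requested."""
    # tolerate: bits accepted even if unrequested (READ, per the comment); 0 = strict
    findings = []
    for rec in records:
        want = requested_by_id.get(rec["id"])
        if rec["share_type"] != LINK_SHARE or want is None:
            continue
        extra = excess(want, rec["permissions"]) & ~int(tolerate)
        if extra:
            findings.append((rec["id"], rec["path"], names(extra)))
    return findings


# Constructed sample records (assumed field names, not real server output).
SAMPLE = [
    {"id": "101", "share_type": 3, "path": "/drop", "permissions": 15},
    {"id": "102", "share_type": 3, "path": "/inbox", "permissions": 4},
    {"id": "103", "share_type": 0, "path": "/team", "permissions": 31},
]
REQUESTED = {"101": 4, "102": 4, "103": 31}  # what the client asked for

if __name__ == "__main__":
    print(audit(SAMPLE, REQUESTED))
```

With the default `tolerate`, share 101 is reported for UPDATE and DELETE only; with `tolerate=0` the implied READ bit is reported as well.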

@skjnldsv skjnldsv added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Mar 22, 2021
Contributor

szaimen commented Jan 9, 2023

Hi, please update to 24.0.8 or better 25.0.2 and report back if it fixes the issue. Thank you!

@szaimen szaimen added needs info 0. Needs triage Pending check for reproducibility or if it fits our roadmap and removed 1. to develop Accepted and waiting to be taken care of labels Jan 9, 2023
@tobiasKaminsky
Member

Corresponding PR is not yet merged, so this cannot work yet.
