
Under NC17 it is impossible for a normal user to reach the user settings page when the user is also enabled as a group admin #18793

Closed
linuxpete opened this issue Jan 9, 2020 · 5 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug needs info

Comments


See also; the problem is discussed here: https://help.nextcloud.com/t/under-nc17-it-is-impossible-for-normal-user-to-reach-user-settings-page-when-user-is-enabled-as-groupadmin-same-time/66687

On that support page the reporter uses LDAP and sees this problem. I use the native user backend of Nextcloud, so this is not LDAP-related.

Current behaviour:

  • Make a user group admin of a group
  • Let the user navigate to his settings page
  • The user is presented with the first app that is listed in the Nextcloud menu (can be changed by the app "apporder")

Desired behaviour:

  • Make a user group admin
  • Navigate to the user's settings page
  • Nextcloud shows the settings page

Workaround:

  • Remove the group admin role from the user

Server configuration detail

Operating system: Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64

Webserver: nginx/1.14.0 (fpm-fcgi)

Database: mysql 5.7.28

PHP version: 7.2.24-0ubuntu0.18.04.1

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, sodium, session, standard, cgi-fcgi, mysqlnd, PDO, xml, apcu, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, imagick, intl, json, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 17.0.2 - 17.0.2.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.3.0
 - activity: 2.10.1
 - admin_audit: 1.7.0
 - audioplayer: 2.8.4
 - bookmarks: 2.3.4
 - bruteforcesettings: 1.4.0
 - calendar: 1.7.1
 - carnet: 0.19.1
 - checksum: 0.4.3
 - cloud_federation_api: 1.0.0
 - comments: 1.7.0
 - contacts: 3.1.6
 - dav: 1.13.0
 - deck: 0.7.0
 - dicomviewer: 1.2.1
 - dropit: 0.3.0
 - encryption: 2.5.0
 - event_update_notification: 1.0.0
 - external: 3.4.1
 - federatedfilesharing: 1.7.0
 - federation: 1.7.0
 - files: 1.12.0
 - files_accesscontrol: 1.7.0
 - files_automatedtagging: 1.7.0
 - files_downloadactivity: 1.6.0
 - files_external: 1.8.0
 - files_markdown: 2.1.0
 - files_mindmap: 0.0.15
 - files_pdfviewer: 1.6.0
 - files_rightclick: 0.15.1
 - files_sharing: 1.9.0
 - files_trackdownloads: 1.6.0
 - files_trashbin: 1.7.0
 - files_versions: 1.10.0
 - files_videoplayer: 1.6.0
 - gallery: 18.4.0
 - gpxedit: 0.0.12
 - gpxmotion: 0.0.10
 - gpxpod: 4.1.0
 - impersonate: 1.4.0
 - logreader: 2.2.0
 - lookup_server_connector: 1.5.0
 - mail: 0.21.0
 - metadata: 0.10.0
 - music: 0.11.1
 - news: 14.1.0
 - nextcloud_announcements: 1.6.0
 - notes: 3.1.0
 - notifications: 2.5.0
 - oauth2: 1.5.0
 - password_policy: 1.7.0
 - passwords: 2019.12.1
 - previewgenerator: 2.2.0
 - provisioning_api: 1.7.0
 - qownnotesapi: 19.9.0
 - rainloop: 6.0.4
 - richdocuments: 3.5.0
 - serverinfo: 1.7.0
 - sharebymail: 1.7.0
 - spreed: 7.0.2
 - support: 1.0.1
 - survey_client: 1.5.0
 - systemtags: 1.7.0
 - tasks: 0.11.3
 - text: 1.1.1
 - theming: 1.8.0
 - twofactor_backupcodes: 1.6.0
 - twofactor_nextcloud_notification: 2.2.0
 - twofactor_totp: 4.1.1
 - updatenotification: 1.7.0
 - viewer: 1.2.0
 - workflowengine: 1.7.0
Disabled:
 - caniupdate
 - end_to_end_encryption
 - firstrunwizard
 - privacy
 - recommendations
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "nextcloud.example.com"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "nextcloud.example.com",
    "dbtype": "mysql",
    "version": "17.0.2.1",
    "logtimezone": "UTC",
    "installed": true,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "loglevel": 1,
    "defaultapp": "apporder",
    "knowledgebaseenabled": "true",
    "custom_csp_policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' data: blob:; frame-src *; img-src *; font-src 'self' data: blob:; media-src *",
    "maintenance": false,
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "theme": "",
    "data-fingerprint": "ja;lfj;alja;lkfja;lkdfj",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauth": 1,
    "mail_smtpport": "465",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "ssl",
    "enabledPreviewProviders": [
        "OC\\Preview\\Image",
        "OC\\Preview\\MP3",
        "OC\\Preview\\TXT",
        "OC\\Preview\\MarkDown",
        "OC\\Preview\\Epub",
        "OC\\Preview\\PDF",
        "OC\\Preview\\OpenDocument",
        "OC\\Preview\\StarOffice",
        "OC\\Preview\\MSOfficeDoc",
        "OC\\Preview\\MSOffice2003",
        "OC\\Preview\\MSOffice2007",
        "OC\\Preview\\FB2"
    ],
    "mysql.utf8mb4": true,
    "updater.release.channel": "stable",
    "has_rebuilt_cache": true,
    "app_install_overwrite": [
        "calendar"
    ]
}

External storages: yes

External storage configuration
+----------+---------------+---------+---------------------+-------------------------+---------------------------------------------+------------------+-------------------+-------+
| Mount ID | Mount Point   | Storage | Authentication Type | Configuration           | Options                                     | Applicable Users | Applicable Groups | Type  |
+----------+---------------+---------+---------------------+-------------------------+---------------------------------------------+------------------+-------------------+-------+
| 5        | /dlna         | Local   | None                | datadir: "\/srv\/dlna"  | encrypt: false, filesystem_check_changes: 0 |                  | mdlna             | Admin |
| 8        | /FotosFamilie | Local   | None                | datadir: "\/srv\/fotos" |                                             |                  | wolters           | Admin |
+----------+---------------+---------+---------------------+-------------------------+---------------------------------------------+------------------+-------------------+-------+

Encryption: no

User-backends:

  • OC\User\Database

Browser: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0

@linuxpete linuxpete added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jan 9, 2020
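A reproduction harness for the three steps above (make the user a group admin, request /settings/user as that user, remove the role again). This is an added example, not code from the issue or from Nextcloud; it assumes the environment variables NC_URL, ADMIN, ADMIN_PW, USER, USER_PW and GROUP, and uses the OCS provisioning API endpoint for sub-admins plus plain HTTP basic auth. The classification step is a separate function so the expected outcomes (reached / redirected / forbidden) can be checked without a server.

```shell
#!/usr/bin/env bash
# Added example (hypothetical harness, not part of the issue or Nextcloud).
# Assumed environment:
#   NC_URL            base URL, e.g. https://nextcloud.example.com
#   ADMIN, ADMIN_PW   an admin account (for the OCS provisioning API)
#   USER, USER_PW     the normal user under test
#   GROUP             the group the user is made sub-admin of
set -eu

# Classify the response to GET /settings/user from the HTTP status and the
# Location target (empty when there is no redirect). Returns one word:
#   reached     200, the settings page was served
#   redirected  3xx to somewhere else, the behaviour reported in this issue
#   forbidden   403, e.g. SubadminMiddleware/NotAdminException
#   other       anything else (401 for 2FA-protected basic auth, 5xx, ...)
classify_settings_response() {
  local status="$1" location="${2:-}"
  case "$status" in
    200) echo reached ;;
    301|302|303|307|308) echo redirected ;;
    403) echo forbidden ;;
    *) echo other ;;
  esac
}

# Promote $USER to sub-admin of $GROUP (OCS provisioning API).
make_subadmin() {
  curl -sS -u "$ADMIN:$ADMIN_PW" -H 'OCS-APIRequest: true' \
    -d "groupid=$GROUP" "$NC_URL/ocs/v1.php/cloud/users/$USER/subadmins" >/dev/null
}

# Demote $USER again (the workaround from the issue).
remove_subadmin() {
  curl -sS -u "$ADMIN:$ADMIN_PW" -H 'OCS-APIRequest: true' -X DELETE \
    -d "groupid=$GROUP" "$NC_URL/ocs/v1.php/cloud/users/$USER/subadmins" >/dev/null
}

# Request /settings/user as $USER without following redirects and classify it.
probe_settings_page() {
  local out status location
  out=$(curl -sS -o /dev/null -u "$USER:$USER_PW" \
        -w '%{http_code} %{redirect_url}' "$NC_URL/settings/user")
  status=${out%% *}
  location=${out#* }
  classify_settings_response "$status" "$location"
}

main() {
  echo "before:                     $(probe_settings_page)"
  make_subadmin
  echo "as sub-admin of $GROUP:     $(probe_settings_page)"
  remove_subadmin
  echo "after removing sub-admin:   $(probe_settings_page)"
}

# Only touch a server when asked, so the functions can be sourced and
# exercised offline.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `./repro.sh run`. A healthy instance prints `reached` three times; the behaviour reported here shows as `redirected` in the middle line and `reached` again after the role is removed. Basic auth returns 401 for accounts with two-factor authentication enabled, so use an app password for USER_PW in that case; `forbidden` would point at the 403 path in SubadminMiddleware rather than the redirect described in this issue.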
kesselb (Contributor) commented Jan 9, 2020

I remember another report here about this issue but can't find it anymore. That seems to be related to the rainloop app: pierre-alain-b/rainloop-nextcloud#121

linuxpete (Author) commented:

Hi @kesselb: you are right, after switching off rainloop my user can enter the settings page.

This is a duplicate of: pierre-alain-b/rainloop-nextcloud#121

noci2012 commented Jan 14, 2020

I have an instance where a group admin cannot access settings even if rainloop is not enabled.
So there are other items that may block the use of /settings/user and redirect to /
(there are no errors/warnings/info being logged during this access).

noci2012 commented:

Also ocDownloader: #17899

noci2012 commented Jan 14, 2020

These are the only redirect references directly to / I could find:

core/templates/404.php:if(!isset($_)) {//standalone page is not supported anymore - redirect to /
core/templates/403.php:if(!isset($_)) {//standalone page is not supported anymore - redirect to /

And this calls 403:
settings/Middleware/SubadminMiddleware.php:

        /**
         * Return 403 page in case of an exception
         * @param Controller $controller
         * @param string $methodName
         * @param \Exception $exception
         * @return TemplateResponse
         * @throws \Exception
         */
        public function afterException($controller, $methodName, \Exception $exception) {
                if($exception instanceof NotAdminException) {
                        $response = new TemplateResponse('core', '403', array(), 'guest');
                        $response->setStatus(Http::STATUS_FORBIDDEN);
                        return $response;
                }

                throw $exception;
        }

I lack sufficient detailed info on settings & authorisation inside this to investigate it further.
