OC 7.0.3 Enabling app for specific group does not prevent to access it via URL #12188

Closed
ppaysant opened this issue Nov 14, 2014 · 14 comments · Fixed by #12189

@ppaysant
Contributor

Hi owncloud people,

Steps to reproduce

  1. Fresh install from github, use stable7 branch
    git clone https://github.com/owncloud/core.git owncloud ; git checkout stable7 ; git submodule ...
    Install (mysql) owncloud as usual
  2. Fresh install of app gallery (or other app that can be enabled for specific group)
    cd apps ; git clone https://github.com/owncloud/gallery.git
  3. Logged in as admin, create two users user1 (with no group) and user2 (with group users)
  4. As admin, enable the previously installed app (gallery) only for group "users", so that user1 should not be able to access it.
  5. Log on with user1

Expected behaviour

Icon is not visible
App gallery can't be accessed

Actual behaviour

Icon is not visible (ok)
App gallery can be accessed (ko) via url index.php/apps/gallery/

Server configuration

Operating system: centos 6.5

Web server: apache 2.2.15

Database: mariadb 5.5.38

PHP version: 5.4.30

ownCloud version: (see ownCloud admin page) stable7 branch on git

Updated from an older ownCloud or fresh install: fresh install

List of activated apps: core one from git install

The content of config/config.php:

$CONFIG = array (
  'instanceid' => 'octw6zolf9tj',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' => 
  array (
    0 => 'owncore.chez.moi',
  ),
  'datadirectory' => '/data/owncloud',
  'overwrite.cli.url' => 'https://owncore.chez.moi',
  'dbtype' => 'mysql',
  'version' => '7.8.1.0',
  'dbname' => 'owncloud7',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'owncore',
  'dbpassword' => 'XXX',
  'installed' => true,
);

Are you using external storage, if yes which one: No

Are you using encryption: no

Client configuration

Browser: Firefox or Chromium

Operating system: Debian unstable
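
The reported behaviour, modelled as an added example (not code from this thread or from ownCloud): the menu is filtered per group, but URL dispatch is not. All function names and the sample users and groups are hypothetical and constructed, and answering 403 is this example's own choice.

```php
<?php
// Added illustration; hypothetical names, not ownCloud's API.

/** Constructed sample: app id => groups allowed (empty array = everyone). */
const APP_GROUPS = ['gallery' => ['users'], 'files' => []];
/** Constructed sample: user id => group memberships. */
const USER_GROUPS = ['user1' => [], 'user2' => ['users']];

/** Single source of truth for "may this user use this app?". */
function isEnabledForUser(string $app, string $user): bool
{
    if (!array_key_exists($app, APP_GROUPS)) {
        return false; // unknown or disabled app
    }
    $allowed = APP_GROUPS[$app];
    if ($allowed === []) {
        return true; // enabled for all users
    }
    return array_intersect($allowed, USER_GROUPS[$user] ?? []) !== [];
}

/** Menu rendering: this only hides the icon. */
function navigationEntries(string $user): array
{
    return array_values(array_filter(
        array_keys(APP_GROUPS),
        fn (string $app): bool => isEnabledForUser($app, $user)
    ));
}

/** As reported: the route resolves for any user; $user is never consulted. */
function dispatchUnchecked(string $path, string $user): int
{
    return preg_match('#^index\.php/apps/([a-z0-9_]+)/#', $path, $m)
        && array_key_exists($m[1], APP_GROUPS) ? 200 : 404;
}

/** Dispatch that applies the same check the menu uses. */
function dispatchChecked(string $path, string $user): int
{
    if (!preg_match('#^index\.php/apps/([a-z0-9_]+)/#', $path, $m)) {
        return 404;
    }
    return isEnabledForUser($m[1], $user) ? 200 : 403;
}

foreach (array_keys(USER_GROUPS) as $user) {
    printf("%s menu=[%s] unchecked=%d checked=%d\n", $user,
        implode(',', navigationEntries($user)),
        dispatchUnchecked('index.php/apps/gallery/', $user),
        dispatchChecked('index.php/apps/gallery/', $user));
}
```

For user1 the menu omits gallery in both cases; only the checked dispatcher also refuses the direct URL.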

@LukasReschke LukasReschke self-assigned this Nov 14, 2014
@LukasReschke
Member

@icewind1991 I think this is caused because of the <types><filesystem/></types> entry in the gallery app. Right?

@ppaysant
Contributor Author

I've tested it with other apps (like https://github.com/ppaysant/helloworld) with the same (buggy, IMHO) result.

@LukasReschke
Member

Interesting. - Seems to be an issue within the appframework.

@LukasReschke
Member

The problem for appframework apps should be fixed with #12189 - can you please test this one?

@ppaysant
Contributor Author

Hey, that seems to be much better, it now triggers ERR_TOO_MANY_REDIRECTS (and the app is no longer accessible). Not very sexy, but users should not try that :)
I will do some more tests, and report back here.

Many thanks

@LukasReschke
Member

> Hey, that seems to be much better, it now triggers ERR_TOO_MANY_REDIRECTS (and the app is no longer accessible). Not very sexy, but users should not try that :)

Yes. That's technically another bug but better that than showing the app. And I didn't want to add too much additional code so I think this is "okay".

@ppaysant
Contributor Author

Well, seems good to me too.
Should I close the issue, or would you prefer a core team member to close it?

Thx again

@LukasReschke
Member

No need to close. The issue will be automatically closed once the patch is merged.

@LukasReschke
Member

[Image: screen shot 2014-11-14 at 17 47 46]

LukasReschke added a commit that referenced this issue Nov 14, 2014
Fixes #12188 for AppFramework apps
LukasReschke added a commit that referenced this issue Nov 15, 2014
Fixes #12188 for AppFramework apps
LukasReschke added a commit that referenced this issue Nov 15, 2014
Fixes #12188 for AppFramework apps
@MorrisJobke
Contributor

will be fixed in 7.0.4

@jnfrmarks

@ppaysant @LukasReschke

I'm having trouble reproducing the original problem. I installed 7.0.3, took the gallery app from both stable7 branch (couldn't enable by group) and the master branch (could enable by group), but was unable to get access to the app from the user not in the permitted group.

I have two users, t1 and t2. T1 is a member of "TEST"; t2 is a member of "test". I give the app access to the TEST group. When I log in as T1, I get the app. When I log in as T2 I do not get the app (so far, so good). When I go to apps/gallery as user t2, I get a white page - no access to the app content.

@LukasReschke
Member

@jnfrmarks This is only reproducible for apps that use the AppFramework. The easiest way to try this is to install this app: https://github.com/ppaysant/helloworld

Currently EE ships no app that relies on the AppFramework in that way; however, this is going to change soon, as the new apps are using it and existing ones are going to be rewritten to use it. Therefore this does not affect EE that much yet, but it would have if we hadn't caught this.

@jnfrmarks

@LukasReschke @ppaysant

I still can't reproduce the original issue with either the gallery app or the helloworld app. Is there more I need to do other than copy the app into the apps directory and enable it for specific groups?

@LukasReschke
Member

@jnfrmarks What exactly did you try? - Let's discuss this via IRC or Skype. - Just ping me.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 15, 2019