-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
validating rereshare permission when creating share using API make sure to check most permissive mountpoint #38625
Conversation
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
802c55a
to
33ebe6d
Compare
…sure to check subfolder parent mountpoint
33ebe6d
to
fc99209
Compare
Kudos, SonarCloud Quality Gate passed! |
I think I'd vote for a won't fix without major changes. For me, each share has its own permissions, which are independent of each other share. At least, I think it was designed that way. This means that accessing the file via "simple-folder/simple-inner-folder/test.txt" has a different set of permissions than accessing via "simple-inner-folder/test.txt", and as such, you can do different things depending where you come from. If we're going to change things, I think the current approach could make sense. Evaluating the inner permissions usually takes precedence over the parent permissions. I guess this is what is happening, which could be fine. The problem is that we still think that, since we're accessing through the parent share, it's the parent share's permissions the ones that should be applied, which is wrong. Evaluating the parent permissions seems unnatural. For me there are 2 solutions:
As said, for me the second option seems more natural, so we could evaluate the changes we need to do in order to decide if it's worthy or not. |
@jvillafanez the problem is in validation permissions, not in mount creation logic! What you mentioned is solved as part of shared mount logic. Here the problem is that where this code is executed you have no idea from which exactly folder you share. You only know ORIGINAL node id, share-by and share-owner. Thus idea is to find most permissive while validating permissions. |
I guess I'll ping @pmaier1 to decide. For me, the PR brings a change in the behaviour that needs to be discussed because it will make impossible to restrict permissions. Case 1:
What are the permissions that user1 should have over "some-folder/inner-folder/test.txt"? Note that user1 can access to the file via "some-folder/inner-folder/test.txt" and "inner-folder/test.txt"
Case 2:
What are the permissions that user1 should have over "some-folder/inner-folder/test.txt"? Note that user1 can access to the file via "some-folder/inner-folder/test.txt" and "inner-folder/test.txt"
The problem of choosing the least restrictive option is that we won't be able to restrict permissions, which I think is a valid use case. My point here is that the current behaviour the code has is the second option for both cases (correct me if I'm wrong), but the user expects the fourth option because they have 2 different shares. For me, the problem is this mismatch between the user's expectations and what the code is doing, so for me it's ok to treat the problem as a visualization issue and change the user's expectations (by showing only one share) but not the code behaviour.
Yes, I know. That's why I'm saying that showing 2 different shares there is obsolete and doesn't match the current behaviour. Bringing that back properly isn't possible without major changes because we have to know the path the user is using to access to the share, which isn't possible at the moment. |
@jvillafanez what about screenshare session ? The problem is really that permissions are validated WHEN CREATING SHARE for wrong mountpoint for THE SAME FILE (node), that just got reshared via e.g. subfolder again. In screenshare I could demo a problem looking with debug in codelines. There is no permission escalation, and UI looks better. Note you cannot reproduce with current implementation UI behaviour translatong to API (up to my understanding) |
If I'm not mistaken, my expectation is aligned with what @jvillafanez points out in here. Correct me if I'm wrong but we never "merged" shares or permissions in the past. Each share is independent in terms of it's mount point and permissions. While I see benefits of merging shares and permissions, I see this as a major change that we should not make at this time in oC 10. Also, I don't see the relation to the original support issue (resharing a received share with a group). @micbar what do you think? |
I guess that was the idea, but it isn't working like that. Bringing back true share independence would require major changes because we don't know where the user is accessing to the share from, and this is a requirement to fix the problem this way.
To clarify a bit my position, I'm for keeping the current behaviour and merge both shares into one. Maybe the easiest option would be to skip the inner share from showing up, this way the user would only see the share on "some-folder" but the permissions would be based on the containing share, which is what we have now. |
@jvillafanez @pmaier1 updated description with screenshots and clearer explanation of the issue. |
I'm not sure if this is a different problem or not...
@mrow4a shouldn't steps 6 and 8 show more permissions? I'm not sure if this is a problem in the web UI or in the server... It's possible for user2 to change the permissions shown. |
@jvillafanez the issue that I try to fix is related to failure while createShare. What you describe are problems with share mount creation, completely not related to this issue. Still valid point and we probably should target it, as it could cause similar problem to the one described here. |
// - longest file node path indicates reshare originates | ||
// from parent folder, and is not reshared subfolder that would contain lower or equal permission by design | ||
\usort($shareFileNodes, function (\OCP\Files\Node $first, \OCP\Files\Node $second) { | ||
if (\strcmp($first->getPath(), $second->getPath()) < 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return \strcmp($first->getPath(), $second->getPath())
? Might need a comment, but ok
Should we fix it here or in another PR? |
@jvillafanez another PR. The issue you found is is mounting logic, not in share creation while validating permissions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Check if #38625 (review) is worthy. Other than that, I think this is good enough.
Description
What happens:
fixes: https://github.com/owncloud/enterprise/issues/4497
How Has This Been Tested?
Integration Tests, Manually
Screenshots (if appropriate):
BACKGROUND:
BEFORE:
AFTER:
Types of changes
Checklist: