
anonymous user with viewer role in public link of a folder can lock a file inside it #7785

Closed
SwikritiT opened this issue Nov 23, 2023 · 4 comments
@SwikritiT
Contributor

Describe the bug

An anonymous user who received a public link share of a folder with the viewer role can lock the files inside the shared folder.

Steps to reproduce

  1. As user Einstein create file Parent/test.txt
  2. Create a public link share with view-only permission
  3. As an anonymous user try to lock the file test.txt inside the folder:

     curl -u public:#Passw0rd -X LOCK "https://localhost:9200/remote.php/dav/public-files/<public-link-token>/test.txt" \
       -H "Content-Type: application/json" \
       -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'><d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>" \
       -vk

Expected behavior

The request should fail with 403 as the anonymous user doesn't have enough permission to lock the file.

Actual behavior

The file gets locked

> LOCK /remote.php/dav/public-files/wTuSoMstyUivDlp/test.txt HTTP/1.1
> Host: localhost:9200
> Authorization: Basic cHVibGljOiNQYXNzdzByZA==
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 119
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Length: 565
< Content-Security-Policy: default-src 'none';
< Content-Type: application/xml; charset=utf-8
< Date: Thu, 23 Nov 2023 06:27:05 GMT
< Lock-Token: <urn:uuid:befb9a40-00b2-42a4-ad81-520e45a2d6dd>
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: swikriti-OptiPlex-3070/fF7oNVLVsT-002275
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< 
<?xml version="1.0" encoding="UTF-8"?>
<d:prop xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:lockdiscovery><d:activelock>
  <d:locktype><d:write/></d:locktype>
  <d:lockscope><d:exclusive/></d:lockscope>
  <d:depth>infinity</d:depth>
  <d:timeout>Infinite</d:timeout>
  <d:locktoken><d:href>urn:uuid:befb9a40-00b2-42a4-ad81-520e45a2d6dd</d:href></d:locktoken>
  <d:lockroot><d:href>./test.txt</d:href></d:lockroot>
  <oc:ownername>Albert Einstein</oc:ownername>
  <oc:locktime>2023-11-23T12:12:05+05:45</oc:locktime>
</d:activelock></d:lockdiscovery></d:prop>
* Connection #0 to host localhost left intact

Setup

ocis started with

PROXY_ENABLE_BASIC_AUTH=true OCIS_INSECURE=true OCIS_ASYNC_UPLOADS=true IDM_CREATE_DEMO_USERS=true OCIS_LOG_LEVEL=error ./bin/ocis server

OCIS_COMMITID=6ac5ac534dc29223d68604e7c647f3457a02cec2
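A small probe for the check described in the steps above, added here as an example and not code from the oCIS project or the reporter. It sends the same LOCK request through the public-files DAV route, parses the lockdiscovery answer, and judges the result against the link's role: a view-only link must get 403 and no lock token, an edit link is expected to get 200 with a token (the second case goes beyond the report, which only exercised the viewer role). BASE_URL, the two link tokens and the link password are placeholders you fill in for your own instance; the embedded SAMPLE_LOCKED body is the response captured in the report, used so the parsing and verdict logic can be exercised without a server.

```python
"""Probe whether a public-link recipient may LOCK a file, and judge the
answer against the link's role.

Added example for this issue; not code from the oCIS project or the report.
Assumptions (not in the report): BASE_URL, the link tokens and the link
password below are placeholders for your own instance.
"""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

BASE_URL = "https://localhost:9200"                        # placeholder
VIEWER_LINK_TOKEN = "REPLACE_WITH_VIEW_ONLY_LINK_TOKEN"    # placeholder
EDITOR_LINK_TOKEN = "REPLACE_WITH_EDIT_LINK_TOKEN"         # placeholder
LINK_PASSWORD = "#Passw0rd"                                # placeholder, as in the report

DAV = "{DAV:}"
OC = "{http://owncloud.org/ns}"

# RFC 4918 lockinfo: the report's body plus the locktype element the RFC requires.
LOCK_BODY = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<d:lockinfo xmlns:d='DAV:'>"
    "<d:lockscope><d:exclusive/></d:lockscope>"
    "<d:locktype><d:write/></d:locktype>"
    "</d:lockinfo>"
)


def public_file_url(base_url, link_token, path):
    """DAV URL of a file reached through a public link (same route as the report)."""
    return f"{base_url}/remote.php/dav/public-files/{link_token}/{path}"


def lock_headers(link_password):
    """Basic auth for a password-protected public link: user 'public', password = link password."""
    cred = base64.b64encode(f"public:{link_password}".encode()).decode()
    return {"Authorization": f"Basic {cred}", "Content-Type": "application/xml"}


def parse_lockdiscovery(xml_text):
    """Extract the active lock from a LOCK response body; None if there is none."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    active = root.find(f".//{DAV}lockdiscovery/{DAV}activelock")
    if active is None:
        return None
    scope_el = active.find(f"{DAV}lockscope/*")
    scope = scope_el.tag.split("}", 1)[1] if scope_el is not None else None
    return {
        "token": active.findtext(f"{DAV}locktoken/{DAV}href"),
        "scope": scope,
        "owner": active.findtext(f"{OC}ownername"),
    }


def verdict(status, body, can_edit):
    """True when the server's answer matches the role.

    viewer (can_edit=False): LOCK must be refused with 403 and grant no token;
    editor (can_edit=True): 200 with a lock token is the expected outcome.
    """
    lock = parse_lockdiscovery(body) if status == 200 else None
    granted = bool(lock and lock["token"])
    return (status == 200 and granted) if can_edit else (status == 403 and not granted)


def send_lock(url, headers, insecure=False):
    """Issue the LOCK and return (status, body); insecure=True mirrors curl -k for OCIS_INSECURE=true."""
    ctx = None
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=LOCK_BODY.encode(), method="LOCK", headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


# The lockdiscovery body captured in the report, used here as sample input.
SAMPLE_LOCKED = """<?xml version="1.0" encoding="UTF-8"?>
<d:prop xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:lockdiscovery><d:activelock>
  <d:locktype><d:write/></d:locktype>
  <d:lockscope><d:exclusive/></d:lockscope>
  <d:locktoken><d:href>urn:uuid:befb9a40-00b2-42a4-ad81-520e45a2d6dd</d:href></d:locktoken>
  <d:lockroot><d:href>./test.txt</d:href></d:lockroot>
  <oc:ownername>Albert Einstein</oc:ownername>
</d:activelock></d:lockdiscovery></d:prop>"""


def check_share(link_token, can_edit, path="test.txt"):
    """Run the probe against a live instance and report the result."""
    url = public_file_url(BASE_URL, link_token, path)
    status, body = send_lock(url, lock_headers(LINK_PASSWORD), insecure=True)
    ok = verdict(status, body, can_edit)
    role = "editor" if can_edit else "viewer"
    print(f"{role} link: HTTP {status} -> {'OK' if ok else 'FAIL'}", parse_lockdiscovery(body) if status == 200 else "")
    return ok


if __name__ == "__main__":
    # Offline: the report's 200 response, judged against a viewer link, is a failure.
    print("report response, viewer role:", verdict(200, SAMPLE_LOCKED, can_edit=False))
    # Live (needs a running instance and real link tokens):
    # check_share(VIEWER_LINK_TOKEN, can_edit=False)
    # check_share(EDITOR_LINK_TOKEN, can_edit=True)
```

Run it as-is to see the offline verdict on the captured response; uncomment the two check_share calls with real tokens to probe an instance. The verdict deliberately requires both the status code and the absence of a lock token for the viewer case, so a server that answers 403 but still hands out a token, or 200 with an empty lockdiscovery, is reported as a failure rather than passing on the status code alone.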

@2403905
Contributor

2403905 commented Apr 15, 2024

@SwikritiT Please validate and close if it is already resolved.

@phil-davis
Contributor

@saw-jan please ask someone to check this.

@SagarGi
Member

SagarGi commented Apr 16, 2024

Putting this to current sprint @saw-jan.

@SagarGi
Member

SagarGi commented Apr 17, 2024

@2403905 The test for this has already been covered:

Scenario Outline: lock a file inside a folder shared by a link as anonymous user with edit permission

Also checked it manually and it seems to be working. So closing this issue.

@SagarGi SagarGi closed this as completed Apr 17, 2024