Bug/Feature request ? - The search shows results from folders with restricted access to users who are not part of who can access those folders #84

Closed
VegethB opened this issue Dec 30, 2022 · 7 comments
Labels: bug (Something isn't working)

VegethB commented Dec 30, 2022

video showc

Very simple, a user who doesn't have permission to download should also NOT view the contents of the folder in question. He actually gets a 401 error trying to access the folder. However, using the "deep Search" function he is able to find files and folders that were supposed to remain hidden.
This may be intentional (since it refers to a simple "disable downloading for the contents of this folder" instead of an actual "hide this folder and its contents and prevent viewing/downloading").
Anyway, thanks again 👍

Environment (please complete the following information):

  • OS: Windows 10 x64 22H2
  • Browser: Chrome
  • Version: 0.26.3

Owner

rejetto commented Dec 30, 2022

I couldn't reproduce the problem you describe.
Please provide exact step-by-step instructions or another video if you like.

Author

VegethB commented Dec 30, 2022

> I couldn't reproduce the problem you describe. Please provide exact step-by-step instructions or another video if you like.

video2

steps:

  • Create 2 users, 1 guest & 1 John;
  • Create a folder (real) with 10 txt files which 3 of them have "rakuen" in the name;
  • To this folder specify which users can download, only John (do not add guest);
  • Log in with guest, try to access the (real) folder with the 10 txt files inside... HFS (rightly) blocks you (because guest doesn't have permission to download and therefore not even permission to view the contents of that folder);
  • Go back to Home, do "deep search" and use the keyword "rakuen"...
    The search will give results (the 3 txt with rakuen in the name);

and this makes the fact that the folder and its contents are hidden useless, because a user who does not have permission to download cannot navigate in that folder (error 401 in fact).
But, if by doing a search he can see things that should be hidden from him... it's not exactly the best.

I'm referring to the fact that the "who can download" permission blocks the download and prevents access to that folder... but allows anyone doing a global search to view the contents of that folder even though they don't have permission to do so.

Suppose I have 2 folders:

Invoices;
Games;

and that I gave user John "download" permission for both while guest has "download" permission only for the Games folder,
Guest will be able to see files and folders contained in "Invoices" using "deep search".

But I expected that Guest could in no way see and know that there is a folder called "Invoices" and the folder files.

That's why I wrote: "Bug / feature request ?"
Because I don't understand if it's intentional or a bug and if it is intentional: I would like this issue to be considered as a Feature request.
The feature request would be to be able to completely hide certain folders (real and virtual) from specific users.

I hope I was clear and sorry for not using the template fully (I thought the video was clear)

Owner

rejetto commented Dec 30, 2022

What you are seeing is a bug.
Your instructions are not enough to reproduce the problem, but luckily you made the video, and I saw an important detail in the video: the problem is surely related to the configuration of the root.
Also, I saw you are Italian too, so feel free to write in Italian.
I will work on this problem, but in the meantime let me know how you configured the root, just to be sure.

Owner

rejetto commented Dec 30, 2022

Are you running the "hfs.exe" version or through npm?

Author

VegethB commented Dec 30, 2022

> What you are seeing is a bug. Your instructions are not enough to reproduce the problem, but luckily you made the video, and I saw an important detail in the video: the problem is surely related to the configuration of the root. Also, I saw you are Italian too, so feel free to write in Italian. I will work on this problem, but in the meantime let me know how you configured the root, just to be sure.

image

The home is configured so that everyone can access it (login required).
The idea is that the home contains all the scattered folders I want to publish, so that I can then limit access to them (and therefore also their visibility).
But from your comment I have now realized that I misunderstood homes and the hierarchical structure (I just noticed that if I do "+add" in "Anime Backups", the folder I add ends up inside it and not in the root dir), though in the process I uncovered a rather unexpected bug.

> Are you running the "hfs.exe" version or through npm?

hfs.exe launched as a service.

Owner

rejetto commented Dec 30, 2022

Fixed in the latest release:
https://github.com/rejetto/hfs/releases/tag/v0.26.7

Your configuration was legitimate, but the home's permissions made the folders misbehave. I repeat, though: it was an hfs bug, it was not supposed to work like that.

rejetto closed this as completed Dec 30, 2022

Author

VegethB commented Dec 30, 2022

Thanks again, despite the hour 😂👍.
Tomorrow I'll update to the latest release both on my own setup (because of the search speed issue) and on my friend's hfs (where I found this bug).

VegethB closed this as completed Dec 30, 2022
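
A simplified model of the failure class reported in this thread, added here as an example: a recursive search that checks access only where the search starts, next to one that resolves the effective permission of every node. It is not HFS's code; the tree layout, the `can` field, the inheritance rule and both function names are assumptions, and the sample tree is constructed.

```javascript
// Constructed sample tree (hypothetical model, not HFS's data structures).
// `can` lists who may access a node; a node without `can` inherits from its parent.
const root = {
  name: '', can: ['*'], children: [             // home: any logged-in user
    { name: 'Games', children: [{ name: 'rakuen-demo.txt' }] },
    { name: 'Invoices', can: ['john'], children: [
      { name: 'rakuen-2022.txt' }, { name: 'rakuen-2021.txt' }, { name: 'other.txt' },
    ] },
  ],
};

const allowed = (can, user) => can.includes('*') || can.includes(user);

// Flawed: permission is checked once, on the folder where the search starts,
// and the walk then descends into every subfolder regardless of its own rule.
function searchFlawed(node, user, term, path = '') {
  if (path === '' && !allowed(node.can, user)) return [];
  const out = [];
  for (const child of node.children ?? []) {
    const p = `${path}/${child.name}`;
    if (child.name.includes(term)) out.push(p);
    out.push(...searchFlawed(child, user, term, p));
  }
  return out;
}

// Checked: resolve each node's effective permission (own rule, else inherited)
// and prune the whole subtree, including its name, when the user is not allowed.
function searchChecked(node, user, term, path = '', inherited = []) {
  const can = node.can ?? inherited;
  if (!allowed(can, user)) return [];
  const out = [];
  for (const child of node.children ?? []) {
    if (!allowed(child.can ?? can, user)) continue;
    const p = `${path}/${child.name}`;
    if (child.name.includes(term)) out.push(p);
    out.push(...searchChecked(child, user, term, p, can));
  }
  return out;
}
```

A regression test for this kind of bug should run the search as the restricted user and assert on both file names and folder names, since listing the folder directly can already return 401 while search still leaks its contents.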