Open gonzalo opened 1 year ago
I can confirm that using the occ command has the same result.
xxxxx@xxxxx:/_my_path/www/nextcloud/config# occ circles:members:list xxxxxxxxxxxxxxxsQZCkS1abjQKl5qM
+---------------------------------+---------------------------------+---------------------------------+---------------------------------+------+-------------------+------------------------------+-----------+-------------------+
| Circle Id | Circle Name | Member Id | Single Id | Type | Source | Username | Level | Invited By |
+---------------------------------+---------------------------------+---------------------------------+---------------------------------+------+-------------------+------------------------------+-----------+-------------------+
| xxxxxxxxxxxxxxxsQZCkS1abjQKl5qM | UC_xxxxxxxxxxxxxxxloud_miembros | xxxxxxxxxxxxxxxxxxxxxxxxxzyhxJS | xxxxxxxxxxxxxxxxxxxxxxxxxxsnbwy | user | Nextcloud Account | UC_xxxxxxxxxxxxxxxloud | Owner | occ |
| xxxxxxxxxxxxxxxsQZCkS1abjQKl5qM | UC_xxxxxxxxxxxxxxxloud_miembros | xxxxxxxxxxxxxxxxxxxxxxxxxeFKFS4 | xxxxxxxxxxxxxxxxxxxxxxxxxxPP1n2 | user | Nextcloud Account | yyyyy.yy@yy.yy | Admin | occ |
| xxxxxxxxxxxxxxxsQZCkS1abjQKl5qM | UC_xxxxxxxxxxxxxxxloud_miembros | xxxxxxxxxxxxxxxxxxxxxxxxxGz5Cra | xxxxxxxxxxxxxxxxxxxxxxxxxxLS7wb | user | Nextcloud Account | xxxxxxxxxx@xxxxx | Moderator | yyyyy.yy@yy.yy |
+---------------------------------+---------------------------------+---------------------------------+---------------------------------+------+-------------------+------------------------------+-----------+-------------------+
xxxxx@xxxxx:/_my_path/www/nextcloud/config# occ circles:members:remove xxxxxxxxxxxxxxxxxxxxxxxxxGz5Cra
xxxxx@xxxxx:/_my_path/www/nextcloud/config# occ circles:members:list xxxxxxxxxxxxxxxsQZCkS1abjQKl5qM
+---------------------------------+---------------------------------+---------------------------------+---------------------------------+------+-------------------+------------------------------+-----------+-------------------+
| Circle Id | Circle Name | Member Id | Single Id | Type | Source | Username | Level | Invited By |
+---------------------------------+---------------------------------+---------------------------------+---------------------------------+------+-------------------+------------------------------+-----------+-------------------+
| xxxxxxxxxxxxxxxsQZCkS1abjQKl5qM | UC_xxxxxxxxxxxxxxxloud_miembros | xxxxxxxxxxxxxxxxxxxxxxxxxzyhxJS | xxxxxxxxxxxxxxxxxxxxxxxxxxsnbwy | user | Nextcloud Account | UC_xxxxxxxxxxxxxxxloud | Owner | occ |
| xxxxxxxxxxxxxxxsQZCkS1abjQKl5qM | UC_xxxxxxxxxxxxxxxloud_miembros | xxxxxxxxxxxxxxxxxxxxxxxxxeFKFS4 | xxxxxxxxxxxxxxxxxxxxxxxxxxPP1n2 | user | Nextcloud Account | yyyyy.yy@yy.yy | Admin | occ |
| xxxxxxxxxxxxxxxsQZCkS1abjQKl5qM | UC_xxxxxxxxxxxxxxxloud_miembros | xxxxxxxxxxxxxxxxxxxxxxxxxGz5Cra | xxxxxxxxxxxxxxxxxxxxxxxxxxLS7wb | user | Nextcloud Account | xxxxxxxxxx@xxxxx | Moderator | yyyyy.yy@yy.yy |
+---------------------------------+---------------------------------+---------------------------------+---------------------------------+------+-------------------+------------------------------+-----------+-------------------+
As we have a similar instance without the same problem, I was able to find and fix the issue, but I still consider this a bug. The problem seems to come from the loopback address. Initially it was set to "mydomain.xxx/nextcloud" but after a while we moved it to "mydomain.xxx". Despite setting it properly in config.php, the circles app is not using it.
I used the occ circles:check command to detect and fix the issue.
$ occ circles:check
### Checking loopback address.
. The loopback setting is mandatory and can be checked locally.
. The address you need to define here must be a reachable url of your Nextcloud from the hosting server itself.
. By default, the App will use the entry 'overwrite.cli.url' from 'config/config.php'. <- WRONG "overwrite.cli.url" is properly set in config.php
* testing current address: https://MYDOMAIN.XXX/nextcloud <- WRONG/OLD URL
- GET request on https://MYDOMAIN.XXX/nextcloud/index.php/csrftoken: 302
- You do not have a valid loopback address setup right now.
Please write down a new loopback address to test: https://MYDOMAIN.XXX <- HERE I SET THE RIGHT URL
* testing address: https://MYDOMAIN.XXX
- GET request on https://MYDOMAIN.XXX/index.php/csrftoken: 200
- POST request on https://MYDOMAIN.XXX/index.php/apps/circles/async/test-dummy-token/: 200
- Creating async FederatedEvent f166bd2d-e3c6-43f9-9cf6-9e64c56ceab9 (took 57ms)
- Waiting for async process to finish (5s)
- Checking status on FederatedEvent verify=17 manage=42
- Do you want to save https://MYDOMAIN.XXX as your loopback address ? (y/N) y. <- STORE NEW URL
- Address https://MYDOMAIN.XXX is now used as loopback
### Testing internal address.
. The internal setting should only be enabled if you are willing to use Circles in a GlobalScale setup on a local network.
. The address you need to define here is the local address of your Nextcloud, reachable by all other instances of our GlobalScale.
- Do you want to enable this feature ? (y/N) n
skipping.
So finally a happy end, BUT I still think we have an important security issue here. I observed during this incident that you can try to delete the user member and the circle and receive 200 codes, and apparently have it removed. But if you don't verify, both the user membership and the circles remain active, so shared resources, etc. A complete nightmare for an organization.
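Both the comment above and the original bug report make the same point: the removal request returns 200 and the UI drops the row, but the membership (and with it the share) may still be in place. The check below is an added example, not code from this thread or from the Circles app; it re-reads `occ circles:members:list` after a removal and only reports success when the member is really gone. The table text it parses is a constructed sample in the format shown above (placeholder IDs and names), and the `occ` calls at the end are shown in a comment because they need a live Nextcloud install.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Circles app): verify that
# `occ circles:members:remove` actually took effect by re-reading the member
# list instead of trusting the 200 response or the web UI.

# Constructed sample in the table format `occ circles:members:list` prints.
# Every ID, name and address here is a placeholder, not a real value.
SAMPLE_BEFORE='+------------+--------------+-----------+-----------+------+-------------------+-------------------+-----------+-------------------+
| Circle Id  | Circle Name  | Member Id | Single Id | Type | Source            | Username          | Level     | Invited By        |
+------------+--------------+-----------+-----------+------+-------------------+-------------------+-----------+-------------------+
| circleAAAA | team_members | memberZYH | singleSNB | user | Nextcloud Account | owner_user        | Owner     | occ               |
| circleAAAA | team_members | memberGZ5 | singleLS7 | user | Nextcloud Account | alice@example.org | Moderator | admin@example.org |
+------------+--------------+-----------+-----------+------+-------------------+-------------------+-----------+-------------------+'

# Same constructed table after a removal that really took effect.
SAMPLE_AFTER='+------------+--------------+-----------+-----------+------+-------------------+-------------------+-----------+-------------------+
| Circle Id  | Circle Name  | Member Id | Single Id | Type | Source            | Username          | Level     | Invited By        |
+------------+--------------+-----------+-----------+------+-------------------+-------------------+-----------+-------------------+
| circleAAAA | team_members | memberZYH | singleSNB | user | Nextcloud Account | owner_user        | Owner     | occ               |
+------------+--------------+-----------+-----------+------+-------------------+-------------------+-----------+-------------------+'

# member_present TABLE MEMBER_ID
# Exit 0 if MEMBER_ID appears in the "Member Id" column of TABLE, 1 otherwise.
# Rows start with "|"; splitting on "|" makes the third column awk field $4.
member_present() {
    printf '%s\n' "$1" | awk -F'|' -v id="$2" '
        /^\|/ {
            col = $4
            gsub(/^[ \t]+|[ \t]+$/, "", col)   # trim the cell padding
            if (col == id) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# removal_verified BEFORE_TABLE AFTER_TABLE MEMBER_ID
# Exit 0 only if the member was listed before the removal and is absent after it.
removal_verified() {
    if ! member_present "$1" "$3"; then
        echo "member $3 was not in the circle to begin with" >&2
        return 1
    fi
    if member_present "$2" "$3"; then
        echo "removal of $3 did NOT take effect: member is still listed" >&2
        return 1
    fi
    return 0
}

# Against a real instance (not run here; needs a Nextcloud install and the
# circle/member IDs from `occ circles:members:list`):
#   before=$(occ circles:members:list "$CIRCLE_ID")
#   occ circles:members:remove "$MEMBER_ID"
#   after=$(occ circles:members:list "$CIRCLE_ID")
#   removal_verified "$before" "$after" "$MEMBER_ID" || exit 1

# Stand-alone demonstration on the constructed samples.
if removal_verified "$SAMPLE_BEFORE" "$SAMPLE_AFTER" memberGZ5; then
    echo "removal of memberGZ5 verified"
fi
if ! removal_verified "$SAMPLE_BEFORE" "$SAMPLE_BEFORE" memberGZ5; then
    echo "unchanged table correctly reported as a failed removal"
fi
```

The same idea applies to the share itself: after the membership is confirmed gone, list the shares of the affected folder again rather than assuming they followed the membership change.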
@gonzalo How were you able to enter the loopback address with only the domain? Every time I omit a path in the URL it will automatically append "/nextcloud".
### Checking loopback address.
. The loopback setting is mandatory and can be checked locally.
. The address you need to define here must be a reachable url of your Nextcloud from the hosting server itself.
. By default, the App will use the entry 'overwrite.cli.url' from 'config/config.php'.
* testing current address: http://localhost/nextcloud
- GET request on http://localhost/nextcloud/index.php/csrftoken: 404
- You do not have a valid loopback address setup right now.
Please write down a new loopback address to test: https://HOST.MY.DOMAIN/
* testing address: https://HOST.MY.DOMAIN
- GET request on https://HOST.MY.DOMAIN/nextcloud/index.php/csrftoken: 302
Please write down a new loopback address to test: https://HOST.MY.DOMAIN
* testing address: https://HOST.MY.DOMAIN
- GET request on https://HOST.MY.DOMAIN/nextcloud/index.php/csrftoken: 302
Please write down a new loopback address to test: ^C
exiting.
When entering a bogus path it will try using that instead of "nextcloud", but it won't accept a missing path.
Please write down a new loopback address to test: https://HOST.MY.DOMAIN/index.php
* testing address: https://HOST.MY.DOMAIN/index.php
- GET request on https://HOST.MY.DOMAIN/index.php/index.php/csrftoken: 302
Please write down a new loopback address to test: https://HOST.MY.DOMAIN/
* testing address: https://HOST.MY.DOMAIN
- GET request on https://HOST.MY.DOMAIN/nextcloud/index.php/csrftoken: 302
The only way I could get occ circles:check to work correctly was changing the vhost to make nextcloud reachable on "https://HOST.MY.DOMAIN/nextcloud".
I just entered "https://MYDOMAIN.XXX". Have you checked if this URL is aligned with the ones in config.php and the vhosts? (also for overwrite.cli.url)
I tried again and made sure that overwrite.cli.url in config.php is set to the same address I want to use for the loopback address, but no chance.
But looking through some other open issues I found that you can set app configs directly with occ config:app:set, so I did:
occ config:app:set circles loopback_cloud_path
occ config:app:set --value https circles loopback_cloud_scheme
occ config:app:set --value HOST.MY.DOMAIN circles loopback_cloud_id
And now the circles app seems to be working properly: I am able to delete a circle, remove members and share files with regular members instead of only circle moderators.
Also, after setting the loopback address manually, occ circles:check is detecting the current configuration as valid without asking for input.
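The three `config:app:set` calls above have to agree with each other (scheme, host and sub-path), and the 302/404 answers earlier in the thread came from exactly that kind of mismatch. The helper below is an added example, not code from the Circles app: it splits one base URL, typically the value you also use for `overwrite.cli.url`, into the three values and prints the matching `occ` commands, plus the `/index.php/csrftoken` probe URL that `occ circles:check` requests. It assumes (this is not stated in the thread) that `loopback_cloud_path` holds the sub-path with its leading slash, such as `/nextcloud`, and is left empty when Nextcloud is served from the root; check the stored values with `occ config:app:get` after applying.

```shell
#!/bin/sh
# Added example (not the Circles app's own code): derive the loopback
# app-config values from a base URL and print the `occ config:app:set`
# commands, so scheme, host and path cannot drift apart when set by hand.
#
# Assumption, not taken from the thread: loopback_cloud_path carries the
# sub-path including its leading slash ("/nextcloud") and is empty for a
# root install.

# "https://host/nextcloud" -> "https"
loopback_scheme() {
    printf '%s\n' "${1%%://*}"
}

# "https://host/nextcloud" -> "host"
loopback_host() {
    rest=${1#*://}
    printf '%s\n' "${rest%%/*}"
}

# "https://host/nextcloud/" -> "/nextcloud"; "https://host/" and "https://host" -> ""
loopback_path() {
    rest=${1#*://}
    case $rest in
        */*) path="/${rest#*/}" ;;
        *)   path="" ;;
    esac
    printf '%s\n' "${path%/}"      # drop a trailing slash; "/" collapses to ""
}

# The endpoint `occ circles:check` fetches for the loopback test (see the
# "GET request on .../index.php/csrftoken" lines above); it must answer 200.
loopback_probe_url() {
    printf '%s://%s%s/index.php/csrftoken\n' \
        "$(loopback_scheme "$1")" "$(loopback_host "$1")" "$(loopback_path "$1")"
}

# loopback_commands URL
# Print the three occ commands for URL; exit 1 and print nothing for a URL
# that is not http(s) or has no host.
loopback_commands() {
    url=$1
    scheme=$(loopback_scheme "$url")
    host=$(loopback_host "$url")
    path=$(loopback_path "$url")
    case $scheme in
        http|https) ;;
        *) echo "refusing '$url': scheme must be http or https" >&2; return 1 ;;
    esac
    if [ -z "$host" ]; then
        echo "refusing '$url': no host" >&2
        return 1
    fi
    printf 'occ config:app:set --value %s circles loopback_cloud_scheme\n' "$scheme"
    printf 'occ config:app:set --value %s circles loopback_cloud_id\n' "$host"
    if [ -n "$path" ]; then
        printf 'occ config:app:set --value %s circles loopback_cloud_path\n' "$path"
    else
        # Same form the thread uses to store an empty path.
        printf 'occ config:app:set circles loopback_cloud_path\n'
    fi
}

# Stand-alone demonstration; review the output before running it on a server.
loopback_commands "https://HOST.MY.DOMAIN/nextcloud"
echo "probe: $(loopback_probe_url "https://HOST.MY.DOMAIN/nextcloud")"
# To test the probe from the Nextcloud host itself (not run here):
#   curl -s -o /dev/null -w '%{http_code}\n' "$(loopback_probe_url "$URL")"
```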
I REMOVE user from circle and share is still available, user can read, add or remove files and folders.
Tested with current release v29 and this does not happen today. Are you still able to reproduce this behavior today in >=28?
By default, the App will use the entry 'overwrite.cli.url' from 'config/config.php'. <- WRONG "overwrite.cli.url" is properly set in config.php
* testing current address: https://MYDOMAIN.XXX/nextcloud <- WRONG/OLD URL
It's accurate in the sense that the overwrite.cli.url value is what is used during the initial setup. After that, the app polls its own configuration.
I can see there may be some room for improvement here in terms of language + documentation.
Bug description
Using Nextcloud 25.0.6.1, an almost fresh installation. Create a Circle and add users to it as members, create a folder and share it with circle members. Then access as a regular member of the circle… and the share is not shown in the user's space.
Then promote the user to “Moderator” and check again: the share is now shown. Then the most worrying part comes: demote the user again to “Member” and the share is still shown! But things can get even worse!! I REMOVE the user from the circle and the share is still available; the user can read, add or remove files and folders.
I consider this an extremely severe security issue, as the user can alter contents.
This behaviour has been reported in the past to the GitHub repository but never answered.
(FYI I’ve found that despite the “delete user” from circle request returning a 200 code and removing it from the UI, the user is not truly removed. Refreshing the page shows it again with the same level; no errors are shown in the Nextcloud log.)
Our only “strange” app that we use is SSO & SAML authentication.
Steps to reproduce
Expected behavior
Installation method
Community Web installer on a VPS or web space
Nextcloud Server version
25
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info