search

nextcloud / files_accesscontrol

🚫 App to manage access control for files
https://apps.nextcloud.com/apps/files_accesscontrol
51 stars 21 forks source link

Rename folders "OCP\Files\ForbiddenException: Access denied" #210

Closed aleadco closed 6 months ago

aleadco commented 3 years ago

Steps to reproduce

A flow has been created inside a folder that has an invisible label. The rule is as follows:

  1. If it's tagged with X rule:
  2. Lock non-office files
  3. Lock non-PDF files
  4. Lock files other than folders
  5. Block files that do not match ZIP.

Apparently everything works execpt when you try to rename a created folder.

The files can be renamed without difficulty.

Expected behaviour

Being able to rename the folders created within the flow.

Actual behaviour

[webdav] Fatal: Access denied

MOVE /remote.php/dav/files/fqsoporte/Asignaturas/Carpeta%20de%20Prueba
from xxx.xxx.xxx.xxx by fqsoporte at 2021-08-24T16:09:48-04:00

{"reqId":"7Ui2ewE5EZ8Gep1uAUmF","level":4,"time":"2021-08-24T16:09:48-04:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"fqsoporte","app":"webdav","method":"MOVE","url":"/remote.php/dav/files/fqsoporte/Asignaturas/Carpeta%20de%20Prueba","message":"Access denied","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73","version":"22.1.0.1","exception":{"Exception":"OCP\\Files\\ForbiddenException","Message":"Access denied","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":61,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\Operation","type":"->"},{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":208,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/Storage/Wrapper/Wrapper.php","line":279,"function":"rename","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/apps/ransomware_protection/lib/StorageWrapper.php","line":275,"function":"rename","class":"OC\\Files\\Storage\\Wrapper\\Wrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":826,"function":"rename","class":"OCA\\RansomwareProtection\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Node.php","line":140,"function":"rename","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Tree.php","line":153,"function":"setName","class":"OCA\\DAV\\Connector\\Sabre\\Node","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":612,"function":"move","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpMove","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":333,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":166,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/files_accesscontrol/lib/Operation.php","Line":87,"CustomMessage":"--"},"id":"6125522256785"}

Server configuration

Operating system:

Web server: Ubuntu 20.04

Database: MariaDB 10.6.3

PHP version: 7.4.22

Nextcloud version: 22.1.0

Where did you install Nextcloud from: tar

Signing status: ok

nickvergessen commented 1 year ago

Can you post a screenshot of the rules so we can more easily rebuild them locally?

jasond2020 commented 8 months ago

this seems to be still an issue. NC 28.0.2 (docker version with apache) on ubuntu 22.04 files access control with multiple restrictions for different groups creating and deleting folders is possible renaming triggers "access forbidden"

nickvergessen commented 8 months ago

Can you post a screenshot of the rules so we can more easily rebuild them locally?

jasond2020 commented 8 months ago

"more easily rebuild" ... hmm ... you asked for it ... it is a really long ruleset in this case. But it is failing because of the "folders" part - i am sure. The problem occured after the update to nc28.0.2

here is an outtake of the database entries: oc_flow_operations: "9" "OCA\FilesAccessControl\Operation" "" "[8,29,34,35,38,39,40,41,42,43,44,45,46,47,48,49,50,56,57,63,64,65,66,67,68,69,85,112,113,111,115]" "deny" "OCA\WorkflowEngine\Entity\File" "[]" "11" "OCA\FilesAccessControl\Operation" "" "[29,34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,112,113,77,111,115]" "deny" "OCA\WorkflowEngine\Entity\File" "[]" "12" "OCA\FilesAccessControl\Operation" "" "[29,34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,36,37,51,52,71,72,73,75,88,107,108,111,112,113]" "deny" "OCA\WorkflowEngine\Entity\File" "[]" "13" "OCA\FilesAccessControl\Operation" "" "[29,34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,73,72,71,36,37,51,52,75,107,108,111,112,113,89,116,117]" "deny" "OCA\WorkflowEngine\Entity\File" "[]" "14" "OCA\FilesAccessControl\Operation" "" "[34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,73,72,71,36,37,51,52,75,107,108,111,112,113,90,29]" "deny" "OCA\WorkflowEngine\Entity\File" "[]" "15" "OCA\FilesAccessControl\Operation" "" "[8,35,34,29,111,115,118]" "deny" "OCA\WorkflowEngine\Entity\File" "[]"

oc_flow_checks Column1;Column2;Column3;Column4 9;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/coreldraw""" 17;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/msword""" 24;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/pdf""" 31;OCA\WorkflowEngine\Check\FileMimeType;!matches;"""application/pdf""" 20;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/vnd.ms-excel""" 22;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/vnd.ms-powerpoint""" 23;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/vnd.openxmlformats-officedocument.presentationml.presentation""" 21;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/vnd.openxmlformats-officedocument.spreadsheetml.sheet""" 18;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/vnd.openxmlformats-officedocument.wordprocessingml.document""" 19;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/vnd.openxmlformats-officedocument.wordprocessingml.template""" 26;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/x-7z-compressed""" 27;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/x-rar-compressed""" 10;OCA\WorkflowEngine\Check\FileMimeType;!is;"""application/zip""" 15;OCA\WorkflowEngine\Check\FileMimeType;!is;"""image/bmp""" 16;OCA\WorkflowEngine\Check\FileMimeType;!is;"""image/gif""" 13;OCA\WorkflowEngine\Check\FileMimeType;!is;"""image/heic""" 11;OCA\WorkflowEngine\Check\FileMimeType;!is;"""image/jpeg""" 33;OCA\WorkflowEngine\Check\FileMimeType;!is;"""image/jpg""" 12;OCA\WorkflowEngine\Check\FileMimeType;!is;"""image/png""" 14;OCA\WorkflowEngine\Check\FileMimeType;!is;"""image/tiff""" 25;OCA\WorkflowEngine\Check\FileMimeType;!is;"""text/rtf""" 58;OCA\WorkflowEngine\Check\FileName;is;.bmp 59;OCA\WorkflowEngine\Check\FileName;!is;.bmp 4;OCA\WorkflowEngine\Check\FileMimeType;matches;/(vnd.(ms-|openxmlformats-|oasis.opendocument).)$/ 7;OCA\WorkflowEngine\Check\FileMimeType;!is;/(vnd.(ms-|openxmlformats-|oasis.opendocument).)$/ 78;OCA\WorkflowEngine\Check\FileMimeType;!matches;/(vnd.(ms-|openxmlformats-|oasis.opendocument).)$/ 79;OCA\WorkflowEngine\Check\FileMimeType;is;/(vnd.(ms-|openxmlformats-|oasis.opendocument).)$/ 53;OCA\WorkflowEngine\Check\FileName;is;/.bmp/ 54;OCA\WorkflowEngine\Check\FileName;!is;/.bmp/ 106;OCA\WorkflowEngine\Check\FileName;!is;/..xml$/ 108;OCA\WorkflowEngine\Check\FileName;!matches;/..dxf$/ 110;OCA\WorkflowEngine\Check\FileName;!is;/..dxf$/ 115;OCA\WorkflowEngine\Check\FileName;!matches;/..file$/ 111;OCA\WorkflowEngine\Check\FileName;!matches;/..part$/ 105;OCA\WorkflowEngine\Check\FileName;!is;/..xml$/ 107;OCA\WorkflowEngine\Check\FileName;!matches;/..xml$/ 30;OCA\WorkflowEngine\Check\FileMimeType;!is;/^application\/(zip|x-zip-compressed)$/i 55;OCA\WorkflowEngine\Check\FileMimeType;!is;/image\/./ 87;OCA\WorkflowEngine\Check\FileMimeType;matches;/image\/.*/ 109;OCA\WorkflowEngine\Check\FileSize;less;10 MB 28;OCA\WorkflowEngine\Check\UserGroupMembership;!is;Nutzergruppe1 82;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe1 114;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nuzergruppe2 62;OCA\WorkflowEngine\Check\UserGroupMembership;!is;Nutzergruppe3 88;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe3 77;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe4 84;OCA\WorkflowEngine\Check\UserGroupMembership;!is;Nutzergruppe4 89;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe5 85;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe5 1;OCA\WorkflowEngine\Check\UserGroupMembership;!is;Nutzergruppe6 90;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe6 2;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe7 5;OCA\WorkflowEngine\Check\UserGroupMembership;!is;Nutzergruppe7 3;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe8 6;OCA\WorkflowEngine\Check\UserGroupMembership;!is;Nutzergruppe8 74;OCA\WorkflowEngine\Check\FileMimeType;!is;application/acad 96;OCA\WorkflowEngine\Check\FileMimeType;!is;application/akn+xml 92;OCA\WorkflowEngine\Check\FileMimeType;!is;application/atom+xml 63;OCA\WorkflowEngine\Check\FileMimeType;!is;application/bmp 75;OCA\WorkflowEngine\Check\FileMimeType;!is;application/dxf 95;OCA\WorkflowEngine\Check\FileMimeType;!is;application/mathml+xml 44;OCA\WorkflowEngine\Check\FileMimeType;!is;application/msword 81;OCA\WorkflowEngine\Check\FileMimeType;is;application/msword 8;OCA\WorkflowEngine\Check\FileMimeType;!is;application/pdf 32;OCA\WorkflowEngine\Check\FileMimeType;is;application/pdf 102;OCA\WorkflowEngine\Check\FileMimeType;!is;application/rdf+xml 97;OCA\WorkflowEngine\Check\FileMimeType;!is;application/rif+xml 98;OCA\WorkflowEngine\Check\FileMimeType;!is;application/rss+xml 104;OCA\WorkflowEngine\Check\FileMimeType;!is;application/soap+xml 47;OCA\WorkflowEngine\Check\FileMimeType;!is;application/vnd.ms-excel 49;OCA\WorkflowEngine\Check\FileMimeType;!is;application/vnd.ms-powerpoint 50;OCA\WorkflowEngine\Check\FileMimeType;!is;application/vnd.openxmlformats-officedocument.presentationml.presentation 48;OCA\WorkflowEngine\Check\FileMimeType;!is;application/vnd.openxmlformats-officedocument.spreadsheetml.sheet 45;OCA\WorkflowEngine\Check\FileMimeType;!is;application/vnd.openxmlformats-officedocument.wordprocessingml.document 80;OCA\WorkflowEngine\Check\FileMimeType;is;application/vnd.openxmlformats-officedocument.wordprocessingml.document 46;OCA\WorkflowEngine\Check\FileMimeType;!is;application/vnd.openxmlformats-officedocument.wordprocessingml.template 51;OCA\WorkflowEngine\Check\FileMimeType;!is;application/x-7z-compressed 69;OCA\WorkflowEngine\Check\FileMimeType;!is;application/x-bmp 52;OCA\WorkflowEngine\Check\FileMimeType;!is;application/x-rar-compressed 70;OCA\WorkflowEngine\Check\FileMimeType;!is;application/x-win-bitmap 37;OCA\WorkflowEngine\Check\FileMimeType;!is;application/x-zip-compressed 91;OCA\WorkflowEngine\Check\FileMimeType;!is;application/xhtml+xml 71;OCA\WorkflowEngine\Check\FileMimeType;!is;application/xml 101;OCA\WorkflowEngine\Check\FileMimeType;!is;application/xml-dtd 100;OCA\WorkflowEngine\Check\FileMimeType;!is;application/xml-external-parsed-entity 93;OCA\WorkflowEngine\Check\FileMimeType;!is;application/xslt+xml 36;OCA\WorkflowEngine\Check\FileMimeType;!is;application/zip 118;OCA\WorkflowEngine\Check\UserGroupMembership;is;Nutzergruppe9 29;OCA\WorkflowEngine\Check\FileMimeType;!is;httpd/unix-directory 61;OCA\WorkflowEngine\Check\FileMimeType;is;httpd/unix-directory 41;OCA\WorkflowEngine\Check\FileMimeType;!is;image/bmp 42;OCA\WorkflowEngine\Check\FileMimeType;!is;image/gif 39;OCA\WorkflowEngine\Check\FileMimeType;!is;image/heic 35;OCA\WorkflowEngine\Check\FileMimeType;!is;image/jpeg 86;OCA\WorkflowEngine\Check\FileMimeType;is;image/jpeg 34;OCA\WorkflowEngine\Check\FileMimeType;!is;image/jpg 83;OCA\WorkflowEngine\Check\FileMimeType;is;image/jpg 68;OCA\WorkflowEngine\Check\FileMimeType;!is;image/ms-bmp 38;OCA\WorkflowEngine\Check\FileMimeType;!is;image/png 94;OCA\WorkflowEngine\Check\FileMimeType;!is;image/svg+xml 40;OCA\WorkflowEngine\Check\FileMimeType;!is;image/tiff 64;OCA\WorkflowEngine\Check\FileMimeType;!is;image/x-bitmap 56;OCA\WorkflowEngine\Check\FileMimeType;!is;image/x-bmp 57;OCA\WorkflowEngine\Check\FileMimeType;!is;image/x-ms-bmp 60;OCA\WorkflowEngine\Check\FileMimeType;is;image/x-ms-bmp 66;OCA\WorkflowEngine\Check\FileMimeType;!is;image/x-win-bitmap 67;OCA\WorkflowEngine\Check\FileMimeType;!is;image/x-windows-bmp 65;OCA\WorkflowEngine\Check\FileMimeType;!is;image/x-xbitmap 103;OCA\WorkflowEngine\Check\FileMimeType;!is;model/x3d+xml 116;OCA\WorkflowEngine\Check\FileMimeType;!is;text/csv 72;OCA\WorkflowEngine\Check\FileMimeType;!is;text/markdown 117;OCA\WorkflowEngine\Check\FileMimeType;!is;text/plain 43;OCA\WorkflowEngine\Check\FileMimeType;!is;text/rtf 73;OCA\WorkflowEngine\Check\FileMimeType;!is;text/xml 76;OCA\WorkflowEngine\Check\FileMimeType;is;text/xml 99;OCA\WorkflowEngine\Check\FileMimeType;!is;text/xml-external-parsed-entity 113;OCA\WorkflowEngine\Check\FileMimeType;!is;video/mp4 112;OCA\WorkflowEngine\Check\FileMimeType;!is;video/quicktime

kortom23 commented 8 months ago

Same here: Nextcloud Docker v.28.0.2.5 Virtualization: vmware Operating System: Ubuntu 20.04.6 LTS Kernel: Linux 5.4.0-164-generic Architecture: x86-64 Docker Engine - Communit Version: 24.0.6

Can't rename the newly created folder or any existing folder. Only if the user is member of the admins group

{ "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "encryption", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "encryption" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Flow activation: rules were requested for operation Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "No flow configurations is going to run Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Flow activation: rules were requested for operation Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "No flow configurations is going to run Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Flow activation: rules were requested for operation Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "No flow configurations is going to run Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Flow activation: rules were requested for operation Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "No flow configurations is going to run Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Flow activation: rules were requested for operation Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Flow rule qualified to run Zugriff auf Datei verhindern, config: {\"id\":13,\"class\":\"OCA\FilesAccessControl\Operation\",\"name\":\"\",\"checks\":\"[29,34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,73,72,71,36,37,51,52,75,107,108,111,112,113,89,116,117]\",\"operation\":\"deny\",\"entity\":\"OCA\WorkflowEngine\Entity\File\",\"events\":\"[]\",\"scope_type\":0,\"scope_actor_id\":\"\"}", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "0" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 1, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "workflowengine", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Last qualified flow configuration is going to run Zugriff auf Datei verhindern", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "data": { "app": "workflowengine", "level": "1" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 0, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "files_accesscontrol", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Access denied for path files/Neuer Ordner-1 that is not a directory and matches rules: {\"id\":13,\"class\":\"OCA\\FilesAccessControl\\Operation\",\"name\":\"\",\"checks\":\"[29,34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,73,72,71,36,37,51,52,75,107,108,111,112,113,89,116,117]\",\"operation\":\"deny\",\"entity\":\"OCA\\WorkflowEngine\\Entity\\File\",\"events\":\"[]\",\"scope_type\":0,\"scope_actor_id\":\"\"}", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "exception": { "Exception": "RuntimeException", "Message": "Access denied for path files/Neuer Ordner-1 that is not a directory and matches rules: {\"id\":13,\"class\":\"OCA\\FilesAccessControl\\Operation\",\"name\":\"\",\"checks\":\"[29,34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,73,72,71,36,37,51,52,75,107,108,111,112,113,89,116,117]\",\"operation\":\"deny\",\"entity\":\"OCA\\WorkflowEngine\\Entity\\File\",\"events\":\"[]\",\"scope_type\":0,\"scope_actor_id\":\"\"}", "Code": 0, "Trace": [{ "file": "/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php", "line": 60, "function": "checkFileAccess", "class": "OCA\FilesAccessControl\Operation", "type": "->", "args": [ ["OCA\FilesAccessControl\StorageWrapper", null, ["OC\Files\Cache\Scanner"], null, null, null, "/test-user/"], "files/Neuer Ordner-1", false ] }, { "file": "/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php", "line": 207, "function": "checkFileAccess", "class": "OCA\FilesAccessControl\StorageWrapper", "type": "->", "args": ["files/Neuer Ordner-1"] }, { "file": "/var/www/html/lib/private/Files/View.php", "line": 804, "function": "rename", "class": "OCA\FilesAccessControl\StorageWrapper", "type": "->", "args": ["files/Neuer Ordner", "files/Neuer Ordner-1"] }, { "file": "/var/www/html/apps/dav/lib/Connector/Sabre/Node.php", "line": 159, "function": "rename", "class": "OC\Files\View", "type": "->", "args": ["/Neuer Ordner", "/Neuer Ordner-1"] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Tree.php", "line": 159, "function": "setName", "class": "OCA\DAV\Connector\Sabre\Node", "type": "->", "args": ["Neuer Ordner-1"] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php", "line": 612, "function": "move", "class": "Sabre\DAV\Tree", "type": "->", "args": ["files/test-user/Neuer Ordner", "files/test-user/Neuer Ordner-1"] }, { "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php", "line": 89, "function": "httpMove", "class": "Sabre\DAV\CorePlugin", "type": "->", "args": [ ["Sabre\HTTP\Request"], ["Sabre\HTTP\Response"] ] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 472, "function": "emit", "class": "Sabre\DAV\Server", "type": "->", "args": ["method:MOVE", [ ["Sabre\HTTP\Request"], ["Sabre\HTTP\Response"] ]] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 253, "function": "invokeMethod", "class": "Sabre\DAV\Server", "type": "->", "args": [ ["Sabre\HTTP\Request"], ["Sabre\HTTP\Response"] ] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 321, "function": "start", "class": "Sabre\DAV\Server", "type": "->", "args": [] }, { "file": "/var/www/html/apps/dav/lib/Server.php", "line": 370, "function": "exec", "class": "Sabre\DAV\Server", "type": "->", "args": [] }, { "file": "/var/www/html/apps/dav/appinfo/v2/remote.php", "line": 35, "function": "exec", "class": "OCA\DAV\Server", "type": "->", "args": [] }, { "file": "/var/www/html/remote.php", "line": 172, "args": ["/var/www/html/apps/dav/appinfo/v2/remote.php"], "function": "require_once" }], "File": "/var/www/html/custom_apps/files_accesscontrol/lib/Operation.php", "Line": 103, "message": "Access denied for path files/Neuer Ordner-1 that is not a directory and matches rules: {\"id\":13,\"class\":\"OCA\\FilesAccessControl\\Operation\",\"name\":\"\",\"checks\":\"[29,34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,73,72,71,36,37,51,52,75,107,108,111,112,113,89,116,117]\",\"operation\":\"deny\",\"entity\":\"OCA\\WorkflowEngine\\Entity\\File\",\"events\":\"[]\",\"scope_type\":0,\"scope_actor_id\":\"\"}", "exception": {}, "CustomMessage": "Access denied for path files/Neuer Ordner-1 that is not a directory and matches rules: {\"id\":13,\"class\":\"OCA\\FilesAccessControl\\Operation\",\"name\":\"\",\"checks\":\"[29,34,35,45,8,44,46,47,48,49,50,43,38,39,40,41,42,56,57,63,64,65,66,67,68,69,73,72,71,36,37,51,52,75,107,108,111,112,113,89,116,117]\",\"operation\":\"deny\",\"entity\":\"OCA\\WorkflowEngine\\Entity\\File\",\"events\":\"[]\",\"scope_type\":0,\"scope_actor_id\":\"\"}" } } { "reqId": "tSsboPh8L7Ttbc2XTyC4", "level": 3, "time": "2024-02-27T08:22:24+00:00", "remoteAddr": "xxx.xxx.xxx.xxx", "user": "test-user", "app": "webdav", "method": "MOVE", "url": "/remote.php/dav/files/test-user/New%20Folder", "message": "Access denied", "userAgent": "Mozilla/ ", "version": "28.0.2.5", "exception": { "Exception": "OCP\Files\ForbiddenException", "Message": "Access denied", "Code": 0, "Trace": [{ "file": "/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php", "line": 60, "function": "checkFileAccess", "class": "OCA\FilesAccessControl\Operation", "type": "->", "args": [ ["OCA\FilesAccessControl\StorageWrapper", null, ["OC\Files\Cache\Scanner"], null, null, null, "/test-user/"], "files/Neuer Ordner-1", false ] }, { "file": "/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php", "line": 207, "function": "checkFileAccess", "class": "OCA\FilesAccessControl\StorageWrapper", "type": "->", "args": ["files/Neuer Ordner-1"] }, { "file": "/var/www/html/lib/private/Files/View.php", "line": 804, "function": "rename", "class": "OCA\FilesAccessControl\StorageWrapper", "type": "->", "args": ["files/Neuer Ordner", "files/Neuer Ordner-1"] }, { "file": "/var/www/html/apps/dav/lib/Connector/Sabre/Node.php", "line": 159, "function": "rename", "class": "OC\Files\View", "type": "->", "args": ["/Neuer Ordner", "/Neuer Ordner-1"] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Tree.php", "line": 159, "function": "setName", "class": "OCA\DAV\Connector\Sabre\Node", "type": "->", "args": ["Neuer Ordner-1"] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php", "line": 612, "function": "move", "class": "Sabre\DAV\Tree", "type": "->", "args": ["files/test-user/Neuer Ordner", "files/test-user/Neuer Ordner-1"] }, { "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php", "line": 89, "function": "httpMove", "class": "Sabre\DAV\CorePlugin", "type": "->", "args": [ ["Sabre\HTTP\Request"], ["Sabre\HTTP\Response"] ] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 472, "function": "emit", "class": "Sabre\DAV\Server", "type": "->", "args": ["method:MOVE", [ ["Sabre\HTTP\Request"], ["Sabre\HTTP\Response"] ]] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 253, "function": "invokeMethod", "class": "Sabre\DAV\Server", "type": "->", "args": [ ["Sabre\HTTP\Request"], ["Sabre\HTTP\Response"] ] }, { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 321, "function": "start", "class": "Sabre\DAV\Server", "type": "->", "args": [] }, { "file": "/var/www/html/apps/dav/lib/Server.php", "line": 370, "function": "exec", "class": "Sabre\DAV\Server", "type": "->", "args": [] }, { "file": "/var/www/html/apps/dav/appinfo/v2/remote.php", "line": 35, "function": "exec", "class": "OCA\DAV\Server", "type": "->", "args": [] }, { "file": "/var/www/html/remote.php", "line": 172, "args": ["/var/www/html/apps/dav/appinfo/v2/remote.php"], "function": "require_once" }], "File": "/var/www/html/custom_apps/files_accesscontrol/lib/Operation.php", "Line": 106, "message": "Access denied", "exception": {}, "CustomMessage": "Access denied" } }

julien-nc commented 6 months ago

@nickvergessen I can reproduce on NC master (30).

Log from the exception: rename.txt

Maybe $isDir could be set in files_accesscontrol/lib/StorageWrapper.php in the rename method. https://github.com/nextcloud/files_accesscontrol/blob/main/lib/StorageWrapper.php#L206-L207

nickvergessen commented 6 months ago

Maybe $isDir could be set in files_accesscontrol/lib/StorageWrapper.php in the rename method.

https://www.youtube.com/watch?v=2lz4ipB168A How would we know it's not renaming a file/executable without an extension?

I guess same problem applies to copy, copyFromStorage, moveFromStorage and many more...

julien-nc commented 6 months ago

@nickvergessen Isn't there a way to get the node from the path and check if it's a folder? I guess you're implying that it's not possible to do so in StorageWrapper...

Any idea how this issue could be solved?

nickvergessen commented 6 months ago

Don't create a rule which only allows folders... I know it's not the solution and guess the problem can be created with more complex rules that actually make sense.

nickvergessen commented 6 months ago

I'll take a look soon