nextcloud / groupfolders

๐Ÿ“๐Ÿ‘ฉโ€๐Ÿ‘ฉโ€๐Ÿ‘งโ€๐Ÿ‘ฆ Admin-configured folders shared by everyone in a group. https://github.com/nextcloud-releases/groupfolders
https://apps.nextcloud.com/apps/groupfolders
284 stars 87 forks source link

Effective permissions test (`--test`) is wrong for users outside the group #974

Open Unostot opened 4 years ago

Unostot commented 4 years ago

Hello,

i'm having the efffect that the output for --test with a user outside of an allowed group shows as result always +read, + write, +create, +delete, +share

Most likely one would test it with a user who is in a group with access to the groupfolder, so this was not discovered. But since there is also the possiblity that a user has the mentioned access rights, it is misleading if users are displayed with +all when in fact they are forbidden completly.

It appears the permissions are enforced correct and only the output of occ is wrong. At least there is no groupfolder displayed for users outside of the group, but I'm not sure if there is really not some way to access it.

I think there are two possible ways to solve this:

Of course if this is not only the output from occ which is wrong, then there is a bigger problem...

Nextcloud 19.0.0 Groupfolders 6.0.6

Steps to reproduce: create a group folder, enable advanced permissions try occ groupfolders:permissions <folder_id> --user <a_user_outside_an_allowed_group> <some_path> --test output: +read, +write, +create, +delete, +share

Greetings, Uno

joshtrichards commented 1 month ago

https://github.com/nextcloud/groupfolders/blob/91c7662b43f638d0d3d6ded673ee3d3753c54227/lib/Command/ACL.php#L71-L85