nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
Create Share API not honoring "permissions" parameter #17504

Open asadsnowman opened 4 years ago

asadsnowman commented 4 years ago

Steps to reproduce

  1. Create a new Share on a folder through the API with the following parameters: shareType=3, publicUpload=true, and permissions=4.
  2. Check new Share permissions in browser or through API.

Expected behaviour

Share permissions should be 4: "File drop (upload only)"

Actual behaviour

Share permissions are 15: "Allow upload and editing"

Server configuration

Operating system: Ubuntu 18.04.1
Web server: Apache/2.4.38 (Debian)
Database: sqlite3 3.28.0
PHP version: 7.3.10
Nextcloud version: 17.0.0.9

Updated from an older Nextcloud/ownCloud or fresh install: fresh install
Where did you install Nextcloud from: docker
Signing status:

Signing status
```
No errors have been found.
```

List of activated apps:

App list
```
Enabled:
  - accessibility: 1.3.0
  - activity: 2.10.1
  - admin_audit: 1.7.0
  - cloud_federation_api: 1.0.0
  - comments: 1.7.0
  - dav: 1.13.0
  - federatedfilesharing: 1.7.0
  - federation: 1.7.0
  - files: 1.12.0
  - files_accesscontrol: 1.7.0
  - files_external: 1.8.0
  - files_pdfviewer: 1.6.0
  - files_rightclick: 0.14.2
  - files_sharing: 1.9.0
  - files_trashbin: 1.7.0
  - files_versions: 1.10.0
  - files_videoplayer: 1.6.0
  - firstrunwizard: 2.6.0
  - gallery: 18.4.0
  - group_everyone: 0.1.3
  - logreader: 2.2.0
  - lookup_server_connector: 1.5.0
  - nextcloud_announcements: 1.6.0
  - notifications: 2.5.0
  - oauth2: 1.5.0
  - password_policy: 1.7.0
  - privacy: 1.1.0
  - provisioning_api: 1.7.0
  - recommendations: 0.5.0
  - serverinfo: 1.7.0
  - sharebymail: 1.7.0
  - sharepoint: 1.5.0
  - support: 1.0.1
  - survey_client: 1.5.0
  - systemtags: 1.7.0
  - text: 1.1.0
  - theming: 1.8.0
  - twofactor_backupcodes: 1.6.0
  - updatenotification: 1.7.0
  - user_ldap: 1.7.0
  - viewer: 1.1.0
  - workflowengine: 1.7.0
Disabled:
  - encryption
```

Nextcloud configuration:

Config report
```
{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost:9999",
            "10.1.11.166:9999"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "sqlite3",
        "version": "17.0.0.9",
        "overwrite.cli.url": "http:\/\/localhost:9999",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpmode": "smtp",
        "mail_smtpauth": 1,
        "mail_sendmailmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN"
    }
}
```

Are you using external storage, if yes which one: No

Are you using encryption: No

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

LDAP config
```
+-------------------------------+----------------------------------------------------+
| Configuration                 | s01                                                |
+-------------------------------+----------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                  |
| homeFolderNamingRule          |                                                    |
| lastJpegPhotoLookup           | 0                                                  |
| ldapAgentName                 | REMOVED                                            |
| ldapAgentPassword             | ***                                                |
| ldapAttributesForGroupSearch  |                                                    |
| ldapAttributesForUserSearch   |                                                    |
| ldapBackupHost                |                                                    |
| ldapBackupPort                |                                                    |
| ldapBase                      | REMOVED                                            |
| ldapBaseGroups                | REMOVED                                            |
| ldapBaseUsers                 | REMOVED                                            |
| ldapCacheTTL                  | 600                                                |
| ldapConfigurationActive       | 1                                                  |
| ldapDefaultPPolicyDN          |                                                    |
| ldapDynamicGroupMemberURL     |                                                    |
| ldapEmailAttribute            | mail                                               |
| ldapExperiencedAdmin          | 0                                                  |
| ldapExpertUUIDGroupAttr       |                                                    |
| ldapExpertUUIDUserAttr        |                                                    |
| ldapExpertUsernameAttr        | samaccountname                                     |
| ldapExtStorageHomeAttribute   |                                                    |
| ldapGidNumber                 | gidNumber                                          |
| ldapGroupDisplayName          | cn                                                 |
| ldapGroupFilter               |                                                    |
| ldapGroupFilterGroups         |                                                    |
| ldapGroupFilterMode           | 0                                                  |
| ldapGroupFilterObjectclass    |                                                    |
| ldapGroupMemberAssocAttr      | member                                             |
| ldapHost                      | REMOVED                                            |
| ldapIgnoreNamingRules         |                                                    |
| ldapLoginFilter               | (&(&(|(objectclass=person)))(samaccountname=%uid)) |
| ldapLoginFilterAttributes     |                                                    |
| ldapLoginFilterEmail          | 0                                                  |
| ldapLoginFilterMode           | 0                                                  |
| ldapLoginFilterUsername       | 1                                                  |
| ldapNestedGroups              | 0                                                  |
| ldapOverrideMainServer        |                                                    |
| ldapPagingSize                | 500                                                |
| ldapPort                      | 389                                                |
| ldapQuotaAttribute            |                                                    |
| ldapQuotaDefault              |                                                    |
| ldapTLS                       | 0                                                  |
| ldapUserAvatarRule            | default                                            |
| ldapUserDisplayName           | displayname                                        |
| ldapUserDisplayName2          | samaccountname                                     |
| ldapUserFilter                | (&(!(objectclass=computer))(objectclass=person))   |
| ldapUserFilterGroups          |                                                    |
| ldapUserFilterMode            | 1                                                  |
| ldapUserFilterObjectclass     | person                                             |
| ldapUuidGroupAttribute        | auto                                               |
| ldapUuidUserAttribute         | auto                                               |
| turnOffCertCheck              | 0                                                  |
| turnOnPasswordChange          | 0                                                  |
| useMemberOfToDetectMembership | 1                                                  |
+-------------------------------+----------------------------------------------------+
```

Client configuration

Browser: Google Chrome 77.0.3865.90 (Official Build) (64-bit)
Operating system: Windows 10 OS Version 1809 (Build 17763.678)

Logs

Web server error log

Web server error log
```
Insert your webserver log here
```

Nextcloud log (data/nextcloud.log)

Nextcloud log
```
No errors reported in log for this issue
```

Browser log

Browser log
```
Browser not required to recreate issue
```

bpcurse commented 4 years ago

I can confirm this behavior for 16.0.7 and 18.0.1 RC2.

Possible workaround using HTTP PUT afterwards: https://help.nextcloud.com/t/auto-create-public-and-drop-shares-for-each-user/70445/18

skjnldsv commented 3 years ago

> Expected behaviour
>
> Share permissions should be 4: "File drop (upload only)"
>
> Actual behaviour
>
> Share permissions are 15: "Allow upload and editing"

Not really https://github.com/nextcloud/server/blob/f99876997a9119518fe5f7ad3a3a51d33459d4cc/apps/files_sharing/lib/Controller/ShareAPIController.php#L538-L541

If you want to be allowed to drop files, you need PERMISSION_CREATE. And any link share always has the PERMISSION_READ too. So if you give permissions:4, it will at least require 5.

Nonetheless, a proper file drop does not require PERMISSION_UPDATE nor PERMISSION_DELETE.

Manually changing the permissions to 4 afterwards works AND returns 4, meaning we don't check the READ anymore :thinking:

@rullzer @MorrisJobke what is this about the READ permissions, should we allow file drop without PERMISSION_READ? We should definitely fix the createShare api method then :)
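
The values 4, 5 and 15 in this thread are bitmasks (READ=1, UPDATE=2, CREATE=4, DELETE=8, SHARE=16). The following is an added example, not part of the original issue or of Nextcloud's code: it checks a share-creation response for permission bits that were never requested and builds the follow-up update request mentioned as a workaround above. The sample responses are constructed, and treating READ as implicit on link shares follows the comment above rather than a documented guarantee.

```python
import json

# Nextcloud share permission bits as used by the OCS Share API.
PERMS = {1: "READ", 2: "UPDATE", 4: "CREATE", 8: "DELETE", 16: "SHARE"}
LINK_SHARE = 3  # shareType=3 is a public link share
SHARES_ENDPOINT = "/ocs/v2.php/apps/files_sharing/api/v1/shares"

def decode(mask):
    """Names of the permission bits set in mask, lowest bit first."""
    return [name for bit, name in PERMS.items() if mask & bit]

def audit_share(requested, ocs_json):
    """Compare the permissions requested at creation with what was stored.

    READ is tolerated on link shares because, per the thread, the server
    adds it to every link share. Any other extra bit is reported.
    """
    data = json.loads(ocs_json)["ocs"]["data"]
    granted = int(data["permissions"])
    implicit = 1 if int(data["share_type"]) == LINK_SHARE else 0
    excess = granted & ~(requested | implicit)
    fix = None
    if excess:
        # Follow-up update of the share: the PUT workaround from the thread.
        fix = ("PUT", f"{SHARES_ENDPOINT}/{data['id']}", {"permissions": requested})
    return {"granted": granted, "excess": excess,
            "excess_names": decode(excess), "fix": fix}

# Constructed sample responses (not captured from a real server).
OVER_PRIVILEGED = json.dumps({"ocs": {"meta": {"status": "ok", "statuscode": 200},
    "data": {"id": "42", "share_type": 3, "permissions": 15, "path": "/drop"}}})
FILE_DROP_WITH_READ = json.dumps({"ocs": {"meta": {"status": "ok", "statuscode": 200},
    "data": {"id": "43", "share_type": 3, "permissions": 5, "path": "/drop"}}})

if __name__ == "__main__":
    for label, body in [("reported case", OVER_PRIVILEGED),
                        ("read+create", FILE_DROP_WITH_READ)]:
        r = audit_share(4, body)
        print(label, decode(r["granted"]), "excess:", r["excess_names"], "fix:", r["fix"])
```

Run against the reported case (requested 4, stored 15), the check flags UPDATE and DELETE as excess; a stored value of 5 passes.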

szaimen commented 1 year ago

Hi, please update to 24.0.8 or better 25.0.2 and report back if it fixes the issue. Thank you!

tobiasKaminsky commented 1 year ago

Corresponding PR is not yet merged, so this cannot work yet.

joshtrichards commented 3 weeks ago

Very related open Issues:

There have been a couple of changes in behavior in between this issue and the above. Main ones:

My guess is, since this has come up a couple times, we also should do up a doc clarification: