nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Reference metadata fetching returns data from apps disabled for guests #34279

Open SystemKeeper opened 2 years ago

SystemKeeper commented 2 years ago

⚠️ This issue respects the following points: ⚠️

Bug description

On c.nc.c the github integration app is not enabled for guests, still when there's a github link in talk, data is returned and rendered by the link preview functionality. Is this intended or should reference metadata fetching fall back to open-graph when a guest user is not allowed to use github integration?

Talk PR: https://github.com/nextcloud/spreed/pull/7822
Server PR: https://github.com/nextcloud/server/pull/33494

Steps to reproduce

  1. Use a guest account and login to c.nc.c
  2. Join a public room and look for a link to a github issue/pr or post one
  3. Note that data is rendered as a github integration widget and not as an open graph one

Expected behavior

Not absolutely sure, but I would expect that if a user is not allowed to use an app, it should not be possible to retrieve any data from that app?!

List of activated Apps

Enabled:
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - integration_github: 1.0.6
  - lookup_server_connector: 1.13.0
  - oauth2: 1.13.0
  - provisioning_api: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.0-beta.4
  - systemtags: 1.15.0
  - theming: 2.0.0
  - twofactor_backupcodes: 1.14.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - testing
  - user_ldap

szaimen commented 2 years ago

Cc @juliushaertl @eneiluj

juliusknorr commented 2 years ago

Right, the IBootstrap registration is called for all users, so maybe we indeed should implement some filtering for that in the bootstrap registration for reference widgets.
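
The per-user filtering suggested in the comment above, as an added example that is not Nextcloud's code and not part of the thread: a constructed Python model in which `AppManager`, `ReferenceRegistry`, the `staff` group and the widget names are all hypothetical. With `filter_by_user=False` it reproduces the reported behaviour; with `True` a guest gets the open-graph fallback.

```python
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlparse

@dataclass(frozen=True)
class User:
    uid: str
    groups: frozenset

@dataclass(frozen=True)
class Provider:
    app_id: str                       # app that registered this provider
    widget: str                       # widget type the client would render
    matches: Callable[[str], bool]

@dataclass
class AppManager:                     # hypothetical stand-in for per-user app checks
    limits: dict                      # app id -> allowed groups (None = everyone)

    def is_enabled_for_user(self, app_id: str, user: User) -> bool:
        if app_id not in self.limits:
            return False              # unknown or disabled app: deny by default
        allowed = self.limits[app_id]
        return allowed is None or bool(allowed & user.groups)

@dataclass
class ReferenceRegistry:
    apps: AppManager
    providers: list = field(default_factory=list)

    def register(self, provider: Provider) -> None:
        # Registration runs for all users, so no per-user decision is made here.
        self.providers.append(provider)

    def resolve(self, url: str, user: User, filter_by_user: bool) -> str:
        for p in self.providers:
            usable = not filter_by_user or self.apps.is_enabled_for_user(p.app_id, user)
            if usable and p.matches(url):
                return p.widget
        return "opengraph"            # generic fallback preview

def is_github(url: str) -> bool:
    return urlparse(url).hostname == "github.com"   # exact host, not substring

# Constructed sample data: GitHub integration limited to a "staff" group.
REGISTRY = ReferenceRegistry(AppManager({"integration_github": frozenset({"staff"})}))
REGISTRY.register(Provider("integration_github", "github_widget", is_github))
GUEST = User("guest1", frozenset({"guests"}))
STAFF = User("alice", frozenset({"staff"}))
URL = "https://github.com/nextcloud/server/pull/33494"  # link taken from the issue text
```

The check sits at resolve time rather than in `register`, because the caller's identity is only known when a link is actually resolved.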

TommiHil commented 1 year ago

Based on the provided information, it appears that the bug being described relates to the GitHub integration app on c.nc.c (presumably a Nextcloud instance). The bug states that even though the GitHub integration app is not enabled for guests, when there's a GitHub link mentioned in a conversation, the link preview functionality still retrieves and displays the data. The question being raised is whether this behavior is intentional or if the reference metadata fetching should fall back to open-graph when guest users are not allowed to use the GitHub integration. It is important to ensure that the bug has not already been reported on GitHub and that the Nextcloud Server is up to date. Additionally, the bug report states that the Nextcloud Server should be running on a 64-bit capable CPU, PHP, and OS. Finally, the bug reporter agrees to follow Nextcloud's Code of Conduct.