nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Remote group share persists after user loses group membership #35159

Open smesterheide opened 1 year ago

smesterheide commented 1 year ago


Bug description

In a federated setting a remote group share remains available to the user once the share is accepted but the group membership is lost to the user, e.g. by leaving said group. This behavior differs from local groups where group membership determines access to the group share.

Steps to reproduce

  1. On two instances A and B enable remote group sharing (sending and receiving)
  2. On instance B create a user alice and add the user to a group users
  3. Create a remote group share to group users on instance B from instance A
  4. As user alice accept the share
  5. As user alice leave group users
  6. The share remains available

Expected behavior

The share should be lost to user alice when the group membership is dissolved. The behavior for group shares should be the same for local and remote group shares.

Installation method

Other Community project

Operating system

Debian/Ubuntu

PHP engine version

PHP 7.4

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

No response

What user-backends are you using?

Configuration report

{
    "system": {
        "debug": true,
        "profiler": true,
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/apps-extra",
                "url": "\/apps-extra",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/apps-writable",
                "url": "\/apps-writable",
                "writable": true
            }
        ],
        "allow_local_remote_servers": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "1025",
        "skeletondirectory": "\/skeleton",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 2,
        "log_query": false,
        "query_log_file": "\/var\/www\/html\/data\/query.log",
        "diagnostics.logging": false,
        "diagnostics.logging.threshold": 0,
        "log.condition": {
            "apps": [
                "diagnostics",
                "admin_audit"
            ]
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "nextcloud2.home.arpa",
            "172.20.0.6",
            "localhost"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "26.0.0.0",
        "overwrite.cli.url": "https:\/\/nextcloud2.home.arpa",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "app_install_overwrite": [
            "vo_federation"
        ],
        "theme": "",
        "maintenance": false,
        "overwriteprotocol": "https"
    }
}

List of activated Apps

Enabled:
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contactsinteraction: 1.7.0
  - dashboard: 7.6.0
  - dav: 1.25.0
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.0
  - lookup_server_connector: 1.14.0
  - oauth2: 1.14.0
  - provisioning_api: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - systemtags: 1.16.0
  - theming: 2.1.0
  - twofactor_backupcodes: 1.15.0
  - updatenotification: 1.16.0
  - user_status: 1.6.0
  - viewer: 1.10.0
  - vo_federation: 0.0.4
  - weather_status: 1.6.0
  - workflowengine: 2.8.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - testing
  - user_ldap
  - user_oidc

Nextcloud Signing status

Integrity checker has been disabled. Integrity cannot be verified.

Nextcloud Logs

No response

Additional info

No response

szaimen commented 1 year ago

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

nextcloud-command commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

smesterheide commented 1 year ago

The bug persists in Nextcloud 26 rc1.

Some more info on the mechanism of action. When the user is removed from the group, only local group shares are removed (TYPE_USERGROUP), see here via the DefaultShareProvider.
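Added example, not part of the issue thread and not Nextcloud code: an audit on the receiving instance that lists accepted remote group shares whose user is no longer in the targeted group, which is the state the reproduction steps above leave behind. The table and column names, the `https://a.example` remote and the `/project` share name are constructed stand-ins, not Nextcloud's actual schema or data.

```python
import sqlite3

# Constructed, simplified stand-in for the receiving instance's tables.
# Table and column names are assumptions, not Nextcloud's actual schema.
SCHEMA = """
CREATE TABLE group_user (gid TEXT, uid TEXT);
CREATE TABLE remote_share (
    id INTEGER PRIMARY KEY,
    parent INTEGER,   -- NULL on the group-level row, else the id of that row
    recipient TEXT,   -- group id on the group-level row, user id on per-user rows
    remote TEXT, name TEXT, accepted INTEGER);
"""

# Accepted per-user rows whose user is no longer in the group the share targets.
ORPHAN_QUERY = """
SELECT child.id, child.recipient, parent.recipient, parent.remote, parent.name
FROM remote_share AS child
JOIN remote_share AS parent ON parent.id = child.parent
LEFT JOIN group_user AS gu
       ON gu.gid = parent.recipient AND gu.uid = child.recipient
WHERE child.accepted = 1 AND gu.uid IS NULL
ORDER BY child.id
"""

def build_sample_db():
    """Constructed data: instance A shares /project with group 'users' on B."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO group_user VALUES (?, ?)",
                   [("users", "alice"), ("users", "bob")])
    db.executemany("INSERT INTO remote_share VALUES (?, ?, ?, ?, ?, ?)", [
        (1, None, "users", "https://a.example", "/project", 0),
        (2, 1, "alice", "https://a.example", "/project", 1),
        (3, 1, "bob", "https://a.example", "/project", 1)])
    return db

def leave_group(db, gid, uid):
    """Reported behaviour: the membership row goes, the accepted share row stays."""
    db.execute("DELETE FROM group_user WHERE gid = ? AND uid = ?", (gid, uid))

def find_orphaned_remote_group_shares(db):
    return db.execute(ORPHAN_QUERY).fetchall()

def revoke(db, orphans):
    """Remove the per-user rows the audit flagged; returns how many were removed."""
    db.executemany("DELETE FROM remote_share WHERE id = ?", [(o[0],) for o in orphans])
    return len(orphans)

if __name__ == "__main__":
    db = build_sample_db()
    leave_group(db, "users", "alice")
    print(find_orphaned_remote_group_shares(db))
```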