Create a new Application: user2 is able to select the shared table/view from the resource form in Applications, even though they do not have manage permission on it.
Save (fails)
Editing an Application
user1 creates a table/view and shares it with user2.
Create a new Application: user2 is able to select the shared table/view from the resource form in Applications, even though they do not have manage permission on it.
Save (works)
Expected behavior
Creating an Application
Resources without adequate permission should not show up in the resource form search results.
Editing an Application
Resources without adequate permission should not show up in the resource form search results.
Without manage permission, a user should not be able to add a shared table/view to an Application as a resource.
Actual behavior
Creating an Application
A permission error occurs, which is correct since the user does not have manage permission. It would be better UX if resources the user is not allowed to manage were not offered for selection in the first place.
Error Trace
nextcloud-1 | {"reqId":"jQAc3nUPf0uXyxIVjsHR","level":3,"time":"2024-06-20T12:44:42+00:00","remoteAddr":"192.168.21.3","user":"bob","app":"tables","method":"POST","url":"/ocs/v2.php/apps/tables/api/2/contexts","message":"No share for table and given user ID found.","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36","version":"30.0.0.1","exception":{"Exception":"OCA\\Tables\\Errors\\NotFoundError","Message":"No share for table and given user ID found.","Code":0,"Trace":[{"file":"/var/www/html/apps/tables/lib/Service/PermissionsService.php","line":542,"function":"getSharedPermissionsIfSharedWithMe","class":"OCA\\Tables\\Service\\PermissionsService","type":"->","args":[3,"table","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/tables/lib/Service/PermissionsService.php","line":202,"function":"checkPermission","class":"OCA\\Tables\\Service\\PermissionsService","type":"->","args":[["OCA\\Tables\\Db\\Table",3],"table","manage","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/tables/lib/Service/PermissionsService.php","line":222,"function":"canManageTable","class":"OCA\\Tables\\Service\\PermissionsService","type":"->","args":[["OCA\\Tables\\Db\\Table",3],"*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/tables/lib/Service/PermissionsService.php","line":125,"function":"canManageTableById","class":"OCA\\Tables\\Service\\PermissionsService","type":"->","args":[3,"*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/tables/lib/Service/ContextService.php","line":472,"function":"canManageNodeById","class":"OCA\\Tables\\Service\\PermissionsService","type":"->","args":["*** sensitive parameters replaced ***",3,"*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/tables/lib/Service/ContextService.php","line":129,"function":"insertNodesFromArray","class":"OCA\\Tables\\Service\\ContextService","type":"->","args":[["OCA\\Tables\\Db\\Context",12],"*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/public/AppFramework/Db/TTransactional.php","line":45,"function":"OCA\\Tables\\Service\\{closure}","class":"OCA\\Tables\\Service\\ContextService","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/tables/lib/Service/ContextService.php","line":132,"function":"atomic","class":"OCA\\Tables\\Service\\ContextService","type":"->","args":[["Closure"],["OC\\DB\\ConnectionAdapter"]]},{"file":"/var/www/html/apps/tables/lib/Controller/ContextController.php","line":109,"function":"create","class":"OCA\\Tables\\Service\\ContextService","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":208,"function":"create","class":"OCA\\Tables\\Controller\\ContextController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":114,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Tables\\Controller\\ContextController"],"create"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":161,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Tables\\Controller\\ContextController"],"create"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":309,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\Tables\\Controller\\ContextController","create",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["ocs.tables.context.create"]]},{"file":"/var/www/html/ocs/v1.php","line":43,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/ocsapp/apps/tables/api/2/contexts"]},{"file":"/var/www/html/ocs/v2.php","line":7,"args":["/var/www/html/ocs/v1.php"],"function":"require_once"}],"File":"/var/www/html/apps/tables/lib/Service/PermissionsService.php","Line":462,"message":"No share for table and given user ID found.","exception":{},"CustomMessage":"No share for table and given user ID found."}}
nextcloud-1 | {"reqId":"jQAc3nUPf0uXyxIVjsHR","level":2,"time":"2024-06-20T12:44:42+00:00","remoteAddr":"192.168.21.3","user":"bob","app":"tables","method":"POST","url":"/ocs/v2.php/apps/tables/api/2/contexts","message":"A permission error occurred: [0]Owner cannot manage node 3 (type 0)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36","version":"30.0.0.1","data":{"app":"tables"}}
Editing an Application
The Application saves successfully, even though the user does not have manage permission on the shared table/view. This is a security risk. Consider this scenario:
Bob creates a table.
Bob shares the table with Jane.
Jane is able to add the table to an Application as a resource and share it with other people. This violates Bob's privacy.
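A small Python model of the gap described above, added here as an illustration and not taken from the Tables app: the create path checks the manage permission on every resource node (as the trace shows via canManageNodeById), while the edit path stores the nodes unchecked. The table ids, users and share data are constructed; the share model (table id, receiver, set of permission names) is an assumption.

```python
# Added illustration, not Nextcloud Tables code. Constructed data: table 3 is
# owned by bob and shared read-only with jane; table 4 is owned by jane.
# Shares are modelled as (table_id, receiver, permission names) tuples.
TABLES = {3: "bob", 4: "jane"}                  # table id -> owner
SHARES = [(3, "jane", frozenset({"read"}))]     # jane may read bob's table 3


class NotPermitted(Exception):
    pass


def can_manage(user, table_id, tables=TABLES, shares=SHARES):
    """True for the owner, or for a share that carries the 'manage' permission."""
    if tables.get(table_id) == user:
        return True
    return any(t == table_id and r == user and "manage" in p for t, r, p in shares)


def selectable_resources(user, tables=TABLES, shares=SHARES):
    """Expected picker behaviour: offer only resources the user may manage."""
    return sorted(t for t in tables if can_manage(user, t, tables, shares))


def create_context(user, node_ids):
    """Create path: every node is checked, as the create trace shows."""
    for nid in node_ids:
        if not can_manage(user, nid):
            raise NotPermitted(f"{user} cannot manage node {nid}")
    return {"owner": user, "nodes": list(node_ids)}


def update_context_vulnerable(user, ctx, node_ids):
    """Edit path as reported: nodes are saved without any permission check."""
    ctx["nodes"] = list(node_ids)
    return ctx


def update_context_fixed(user, ctx, node_ids):
    """Edit path with the same check the create path already performs."""
    for nid in node_ids:
        if not can_manage(user, nid):
            raise NotPermitted(f"{user} cannot manage node {nid}")
    ctx["nodes"] = list(node_ids)
    return ctx


def jane_edits_application(update):
    """Jane creates an empty Application, then edits it to add bob's table 3.
    Returns the saved node list, or None if the edit was refused."""
    ctx = create_context("jane", [])
    try:
        return update("jane", ctx, [3])["nodes"]
    except NotPermitted:
        return None
```

Running `jane_edits_application` with the vulnerable update saves node 3 for Jane, while the fixed update refuses it, matching the expected behaviour above.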