owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

Encryption not ready with guest_app shares #40441

Closed cs35-owncloud closed 1 year ago

cs35-owncloud commented 1 year ago

Steps to reproduce

  1. Upload a document
  2. Share it with a user as a guest

     [image: owncloud_guest_share]

  3. Try to access the document with the guest account with your browser

     [image: owncloud_encryption_error]

Expected behaviour

The document should be accessible without an error

Actual behaviour

The ownCloud server has an error about the encryption module not being ready.

Server configuration

Operating system: Devuan Chimaera (Debian 11)

Web server: nginx/1.22.0

Database: Percona MySQL 5.7.31

PHP version: 7.4.32

ownCloud version: 10.11.0.6

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: tar archive

Signing status (ownCloud 9.0 and above):

No errors have been found.

The content of config/config.php:

{
    "system": {
        "datadirectory": "\/var\/owncloud\/data",
        "version.hide": true,
        "logtimezone": "UTC",
        "installed": true,
        "upgrade.disable-web": true,
        "upgrade.automatic-app-update": false,
        "updatechecker": false,
        "updater.server.url": "127.0.0.1",
        "maintenance": false,
        "user.search_min_length": 2,
        "loglevel": 2,
        "log_type": "syslog",
        "singleuser": false,
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379,
            "timeout": 0
        },
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "apps_paths": [
            {
                "path": "\/var\/owncloud\/apps_orig",
                "url": "\/apps_orig",
                "writable": false
            },
            {
                "path": "\/var\/owncloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/owncloud\/theme",
                "url": "\/theme",
                "writable": false
            }
        ],
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "trashbin_retention_obligation": "30,auto",
        "versions_retention_obligation": "auto, 7",
        "trashbin_purge_limit": 25,
        "skeletondirectory": "",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xxx"
        ],
        "overwrite.cli.url": "https:\/\/xxx",
        "dbtype": "mysql",
        "version": "10.11.0.6",
        "dbname": "demo-infra",
        "dbhost": "xxx",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "allow_user_to_change_mail_address": "",
        "instanceid": "xxx",
        "ldapIgnoreNamingRules": false
    }
}

List of activated apps:

  - activity:
    - Version: 2.7.1
    - Path: /var/owncloud/apps/activity
  - brute_force_protection:
    - Version: 1.1.0
    - Path: /var/owncloud/apps/brute_force_protection
  - calendar:
    - Version: 2.0.0
    - Path: /var/owncloud/apps/calendar
  - comments:
    - Version: 0.3.0
    - Path: /var/owncloud/apps_orig/comments
  - configreport:
    - Version: 0.2.1
    - Path: /var/owncloud/apps_orig/configreport
  - contacts:
    - Version: 1.5.5
    - Path: /var/owncloud/apps/contacts
  - dav:
    - Version: 0.7.0
    - Path: /var/owncloud/apps_orig/dav
  - encryption:
    - Version: 1.5.3
    - Path: /var/owncloud/apps_orig/encryption
  - federatedfilesharing:
    - Version: 0.5.0
    - Path: /var/owncloud/apps_orig/federatedfilesharing
  - federation:
    - Version: 0.1.0
    - Path: /var/owncloud/apps_orig/federation
  - files:
    - Version: 1.5.2
    - Path: /var/owncloud/apps_orig/files
  - files_external:
    - Version: 0.9.0
    - Path: /var/owncloud/apps_orig/files_external
  - files_external_dropbox:
    - Version: 2.0.0
    - Path: /var/owncloud/apps/files_external_dropbox
  - files_external_ftp:
    - Version: 0.2.1
    - Path: /var/owncloud/apps/files_external_ftp
  - files_mediaviewer:
    - Version: 1.0.5
    - Path: /var/owncloud/apps/files_mediaviewer
  - files_pdfviewer:
    - Version: 1.0.1
    - Path: /var/owncloud/apps/files_pdfviewer
  - files_sharing:
    - Version: 0.14.0
    - Path: /var/owncloud/apps_orig/files_sharing
  - files_trashbin:
    - Version: 0.9.1
    - Path: /var/owncloud/apps_orig/files_trashbin
  - files_versions:
    - Version: 1.3.0
    - Path: /var/owncloud/apps_orig/files_versions
  - guests:
    - Version: 0.12.0
    - Path: /var/owncloud/apps/guests
  - notifications:
    - Version: 0.5.4
    - Path: /var/owncloud/apps_orig/notifications
  - password_policy:
    - Version: 2.1.4
    - Path: /var/owncloud/apps/password_policy
  - provisioning_api:
    - Version: 0.5.0
    - Path: /var/owncloud/apps_orig/provisioning_api
  - richdocuments:
    - Version: 3.0.0
    - Path: /var/owncloud/apps/richdocuments
  - systemtags:
    - Version: 0.3.0
    - Path: /var/owncloud/apps_orig/systemtags
  - tasks:
    - Version: 0.9.7
    - Path: /var/owncloud/apps/tasks
  - twofactor_totp:
    - Version: 0.7.4
    - Path: /var/owncloud/apps/twofactor_totp
  - user_ldap:
    - Version: 0.16.0
    - Path: /var/owncloud/apps/user_ldap

Are you using external storage, if yes which one: none

Are you using encryption: yes

Are you using an external user-backend, if yes which one: no

Client configuration

Not relevant but:

Browser: Version 101.0.4951.64 (Build officiel) Built on Ubuntu , running on LinuxMint 19.1 (64 bits)

Operating system: LinuxMint 19.1

Logs

Web server error log

x.x.x.x - - [20/Oct/2022:10:48:46 +0200] "GET /remote.php/webdav/xxx.pdf?downloadStartSecret=q6x2ah6577d HTTP/1.1" 403 1786 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36"

ownCloud log (data/owncloud.log)

nothing

pako81 commented 1 year ago

Please add encryption to the guests app whitelist under /index.php/settings/admin?sectionid=sharing. This will make encryption work for guest users.

cs35-owncloud commented 1 year ago

Hello @pako81

Thanks! That was it, and it makes sense ahah :sweat_smile: Shouldn't it be by default in the guest group app (if encryption is detected)?

For anyone needing to enable it on several ownClouds at once:

occ config:app:set guests whitelist --value settings,avatar,files_external,files_trashbin,files_versions,files_sharing,files_texteditor,activity,firstrunwizard,gallery,notifications,password_policy,oauth2,files_pdfviewer,files_mediaviewer,richdocuments,onlyoffice,wopi,oco_selfservice,twofactor_totp,encryption

Thanks!
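
An added example, not part of the thread and not ownCloud project code: rather than overwriting the whitelist with a fixed list, it reads the stored value and appends only `encryption`, so guests on each instance gain no other apps. The `OCC` variable and both function names are assumptions; when no whitelist is stored, it refuses to write instead of replacing the guests app's default.

```shell
#!/bin/sh
# How occ is invoked is an assumption; override it, e.g.
#   OCC="sudo -u www-data php /path/to/occ"
OCC="${OCC:-occ}"

# Print the comma-separated whitelist $1 with app $2 appended,
# unless $2 is already an exact entry (files != files_sharing).
whitelist_with() {
    case ",$1," in
        *",$2,"*) printf '%s\n' "$1" ;;
        *)        printf '%s\n' "${1:+$1,}$2" ;;
    esac
}

# Make sure app $1 is in the stored guests whitelist.
# Returns 0 when present or added, 2 when no whitelist is stored.
ensure_guest_app() {
    app=$1
    # $OCC is left unquoted on purpose so a multi-word command splits.
    current=$($OCC config:app:get guests whitelist 2>/dev/null) || current=
    if [ -z "$current" ]; then
        # Writing a one-entry list here would drop every other app
        # guests rely on, so leave the decision to the admin.
        echo "no stored guests whitelist; not overwriting the default" >&2
        return 2
    fi
    new=$(whitelist_with "$current" "$app")
    if [ "$new" = "$current" ]; then
        echo "unchanged"
        return 0
    fi
    $OCC config:app:set guests whitelist --value "$new" >/dev/null &&
        echo "added"
}

# Typical use on each instance:
#   ensure_guest_app encryption
```
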

pako81 commented 1 year ago

Hi @cs35-owncloud, you are welcome. Yes, this absolutely makes sense, and we are working on an up-to-date guests app whitelist including encryption along with other apps which may be needed for guest users when enabled by the admin. Check the release notes once the next guests app version is released.

cs35-owncloud commented 1 year ago

I will! Thanks for your help and work, have a good one! :)

phil-davis commented 1 year ago

Note: guests PR https://github.com/owncloud/guests/pull/527 is adding encryption (and other important apps) to the core whitelist.