owncloud / guests

:family: Share with externals easily via email address
https://marketplace.owncloud.com/apps/guests
GNU General Public License v2.0

guests whitelist not always respected #517

Open phil-davis opened 2 years ago

phil-davis commented 2 years ago

Steps to reproduce

  1. have the guests app enabled and the config set like:
    $ php occ config:list guests
    {
        "apps": {
            "guests": {
                "enabled": "yes",
                "group": "guest_app",
                "installed_version": "0.10.0",
                "signed": "true",
                "types": "authentication",
                "usewhitelist": "true",
                "whitelist": "settings"
            }
        }
    }

    The whitelist is set to just "settings" so that guest users should just be able to see

  2. Create a guest user, login as the guest user

Expected behaviour

When opening the details for a file, there should not be any Sharing, Tags or Versions panels.

There should not be any option to "create a new textfile", because files_texteditor is not whitelisted.

Actual behaviour

It seems that some apps themselves respect the guest whitelist, but some core UI elements still appear. And other apps, like systemtags, do not respect the whitelist at all.

Server configuration

Current core master and latest master of guests, files_texteditor etc.

phil-davis commented 2 years ago

With PR #518 this is working OK.

GeraldLeikam commented 2 years ago

After only setting 'settings' in the whitelist, several problems arise:

  1. All folders shared with the guest user are no longer displayed.
  2. As no more shared folders are displayed, no new folder can be created (since the user does not have their own space). Files cannot be uploaded either.
  3. A shared SFTP drive is still displayed as a folder. However, the files in the folder (drive) no longer work. A folder can also be created here. This also blocks the file upload. When entering the folder, the error 'Encountered problem accessing the folder /SFTP' is also displayed.

phil-davis commented 2 years ago

There is https://github.com/owncloud/guests/blob/master/lib/AppWhitelist.php#L33

    public const CORE_WHITELIST = ',core,files,guests';

files_sharing is not in that list. So, if the admin does not put files_sharing in the specified whitelist, then sharing is not available to guests, and so guests do not see the received shares - which means they see nothing.

What is the requirement?

Maybe there is a requirement that the admin can prevent guests from doing any resharing, from creating public links etc. - the admin requires that guests cannot do any new sharing actions. But guests should be able to see and work with the resources that are shared with them? IMO sorting out some more specifically-defined requirements will need to happen in the future.

In practice, to be useful, an admin needs to always put files_sharing in the whitelist. IMO things work OK then?

jnweiger commented 2 years ago

Great findings, Gerald. Thank you! I agree with Phil: if the admin narrows down things to become unusable, then it's his responsibility. Not a blocker for now, but good to follow up later.

GeraldLeikam commented 2 years ago

After adding files_sharing and files_external the functions work again. No blocker from my side.

However, we should possibly write in the admin docs that it does not make sense to disable the apps setting, files_external, files_sharing and files_trashbin for guest users. This is especially important for files_trashbin, because if this has been removed from the whitelist, a guest user can delete files directly without loading them into the trashbin of the owner.
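
Added example (not part of the issue thread and not the guests app's own code): an admin-side audit that parses `occ config:list guests` output and reports which of the apps named in this thread are missing from the guest whitelist. It assumes the effective whitelist is the configured `whitelist` value with `CORE_WHITELIST` appended, and that the whitelist is only enforced when `usewhitelist` is `"true"`; the function names and the `RECOMMENDED` table are hypothetical.

```python
import json

# Constant quoted in the thread from lib/AppWhitelist.php.
CORE_WHITELIST = ",core,files,guests"

# Apps the thread says should stay whitelisted, with the effect reported
# in the thread when they are missing (hypothetical table for this example).
RECOMMENDED = {
    "settings": "named in the thread as an app not to disable for guests",
    "files_sharing": "guests do not see the shares they received",
    "files_external": "shared external storage (e.g. SFTP) fails to open",
    "files_trashbin": "guest deletions bypass the owner's trashbin",
}

# Constructed sample: the `occ config:list guests` output from the issue.
SAMPLE = """
{"apps": {"guests": {"enabled": "yes", "group": "guest_app",
  "installed_version": "0.10.0", "signed": "true",
  "types": "authentication", "usewhitelist": "true",
  "whitelist": "settings"}}}
"""


def effective_whitelist(config):
    """Configured whitelist plus CORE_WHITELIST (assumed to be concatenated)."""
    guests = config["apps"]["guests"]
    combined = guests.get("whitelist", "") + CORE_WHITELIST
    return {app.strip() for app in combined.split(",") if app.strip()}


def audit(config_json):
    """Return {app: effect} for recommended apps missing from the whitelist."""
    config = json.loads(config_json)
    guests = config["apps"]["guests"]
    # Assumption: with usewhitelist off, no whitelist filtering is applied.
    if guests.get("usewhitelist") != "true":
        return {}
    allowed = effective_whitelist(config)
    return {app: why for app, why in RECOMMENDED.items() if app not in allowed}


if __name__ == "__main__":
    for app, why in audit(SAMPLE).items():
        print(f"missing from guest whitelist: {app} ({why})")
```
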