search

owncloud / ocis-reva

:arrows_counterclockwise: reva integration for oCIS
https://owncloud.github.io/extensions/ocis_reva/
Apache License 2.0
4 stars 5 forks source link

a share with invalid permissions can be created #45

Closed individual-it closed 4 years ago

individual-it commented 4 years ago

sharing a resource with permission 0 or 32 should fail with HTTP 400

C0rby commented 4 years ago

Just some notes from my debugging sessions: In internal/http/services/owncloud/ocs/shares.go#createShare the following things happen. The persmissions 0 and 32 are mapped to the role legacy. Further down in role2CS3Permissions the role legacy is unknown so an error is returned. Now with asCS3Permissions we check if the permission is a CS3 permission. We create a new ResourcePermission instance and check if any of the CS3 permissions match, they don't but we already created a new permission instance (with default values) and return it. Now the method continues as ususal and calls CreateShare on the gateway which routes the request to the handler and from now on the permissions are never checked but the share will be created.

My guess is that the support for legacy roles is missing.

butonic commented 4 years ago

some response codes got better with https://github.com/owncloud/ocis-reva/pull/113

see https://github.com/owncloud/core/pull/37149

PVince81 commented 4 years ago

@C0rby can you close if this is fixed ?