search

owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0
1.4k stars 182 forks source link

files cannot be deleted using only the fileId #6736

Closed individual-it closed 3 months ago

individual-it commented 1 year ago

Describe the bug

A lot of file-operations can be done by only knowing the fileId. E.g

but its impossible to delete a file only by the fileId

Steps to reproduce

Steps to reproduce the behavior:

  1. create a file in any folder
  2. get the fileId of the file
  3. try a PROPFIND using that fileId. e.g. curl -uadmin:admin -k 'https://localhost:9200/remote.php/dav/spaces/33c9baa8-450f-4873-a049-7beb8227face$136ffc9b-d317-4219-a0c3-084d5e070c60!0b8eff1a-8401-4bda-a7e7-8333e44e4ded' -XPROPFIND
  4. try to DELETE the file using the fileId: curl -uadmin:admin -k 'https://localhost:9200/remote.php/dav/spaces/33c9baa8-450f-4873-a049-7beb8227face$136ffc9b-d317-4219-a0c3-084d5e070c60!0b8eff1a-8401-4bda-a7e7-8333e44e4ded' -XDELETE

Expected behavior

File should be deleted

Actual behavior

confusing error message is shown:

<?xml version="1.0" encoding="UTF-8"?>
<d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns"><s:exception>Sabre\DAV\Exception\MethodNotAllowed</s:exception><s:message>deleting spaces via dav is not allowed</s:message></d:error>

Setup

Please describe how you started the server and provide a list of relevant environment variables or configuration files.

```console PROXY_ENABLE_BASIC_AUTH=true ocis/bin/ocis server ```

kobergj commented 1 year ago

The webdav delete handler expects a relative path since https://github.com/cs3org/reva/pull/2828 This was probably an easy way to block deleting spaces via dav.

Even though I have written it it doesn't seem right to me any more. We should accept ids as for the other endpoints. We should still block deleting spaces via dav but we need another way to identify them

nirajacharya2 commented 3 months ago

duplicate of https://github.com/owncloud/ocis/issues/9619