Limiting access to this app, temporary passwords does not work

[BurtGummer]

Hello,

i limit the access to the app to the existing LDAP-Group "spreedme-users" and just user in this group see the spreed.me-App button in Nextcloud, good. I put a user i the group "spreedme-users" and "Spreed.me" so i can generate a temporary password and URL. If i visit this URL, i got

Zugriff verboten App is not enabled

if i disable the "spreedme-user" group, so every user can see the spreed.me-Button, the temp-link works perfect.

The output from the browser console:

https://SERVER.de/cloud/index.php/apps/spreedme?tp=MTQ2OTUxNjY0MDpleHQvZG…g0NzY6MjpVZmxMZmdDMWR1T2t4cTB2OVJFZlpJaDRwTkMwVXJjVoydlphSnFFeGtrPQ%3D%3D Failed to load resource: the server responded with a status of 412 (Precondition failed)

i think its a bug?

Edit: i upgrade the App to the latest version (download the master.zip from github), but its the same error.

[leonklingele]

To me this looks like a limitation of NC/oC.

@karlitschek can you help?

[karlitschek]

@MorrisJobke What do you think?

[BurtGummer]

Hello,

maybe the version from nextcloud is important: 9.0.52

anything else?

[MorrisJobke]

@BurtGummer I don't get the steps you did.

1. create a group and limit access to the spreedme app to that group
2. group members could see the spreedme app and use it
3. non group members could not see the spreedme app and also when accessing the URL directly they get a 403 (Zugriff verboten)
4. disable the group restriction for the app (now everyone should be able to access the app)
5. the button is now visible in the menu, but when clicking it an error occurs

@BurtGummer Is this correct? What is a "temp link"?

[BurtGummer]

@MorrisJobke sorry, my english is a little bit rusty ;-)

5 . no. I generate a temporary password in the spreed.me App:

There is a password and a URL:

The URL is the "temp-link" (temporary link). And if i try to connect to this link with a different Browser, i get:

Zugriff verboten App is not enabled

[MorrisJobke]

The URL is the "temp-link" (temporary link). And if i try to connect to this link with a different Browser, i get:

If you have enabled the group restriction in the apps management for that app it will not be able to do anything if you are not logged in as a user that is in the groups for which this app is enabled.

This means enabling the group restriction will currently also remove any chance to have a page that is usably anonymously.

Yes. This is a current restriction of Nextcloud/ownCloud.

[BurtGummer]

oh :(

yes, this option is enabled:

maybe, can anyone change this restriction?

[MorrisJobke]

maybe, can anyone change this restriction?

That is not that easy, because then the restriction could be circumvented by logging out. 😢

[BurtGummer]

ok, i hope, this will be fixed in one of the next versions.. :-/

But thank you very much to help me to understand, what happens.

[leonklingele]

Could we add a new annotation (e.g. @NotGroupRestricted to OCP\AppFramework\Controller) so that a method can be called even if a group restriction has been set up for the app?

[MorrisJobke]

Could we add a new annotation (e.g. @NotGroupRestricted to OCP\AppFramework\Controller) so that a method can be called even if a group restriction has been set up for the app?

Possible, but currently we completely cut off the autoloader for those apps. That means, that we don't even have a chance to read the annotations.

@leonklingele Could I ask you to create a ticket for this in the server repo. Then we could discuss possible implementations there.

[pieter-groeneweg]

https://help.nextcloud.com/t/something-odd-on-external-users-invite/11385?source_topic_id=11239

Seems to do "a" trick.