Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[OCM] User can share resource to federated user with permission roles that is not allowed #10824

Open
PrajwolAmatya opened this issue Jan 2, 2025 · 2 comments
Open

[OCM] User can share resource to federated user with permission roles that is not allowed #10824

PrajwolAmatya opened this issue Jan 2, 2025 · 2 comments
Labels
Type:Bug

Comments

@PrajwolAmatya
Copy link
Contributor

PrajwolAmatya commented Jan 2, 2025
edited
Loading

Describe the bug

When sharing a resource to a federated user with permissions role Secure Viewer via API, the federated user can access to the share.
When enabling all the permissions role , the enabled permissions role are not available on UI as they are filtered out and only two permissions Can View and Can edit are available.

image

But the behavior is different with API, resources can be shared with permissions role Secure Viewer.

Steps to reproduce

  1. Enable all permissions role
  2. Local user Alice creates a file textfile.txt
  3. Alilce shares the file with permissions role Secure Viewer to federated user Brian via API
  4. Brian lists the shares sharedWithMe
curl -kv -XGET https://localhost:10200/graph/v1beta1/me/drives/sharedWithMe -ubrian:1234

Expected behavior

The resource shared with permissions role Secure Viewer should not be shared with user Brian and the resource should not be listed for user Brian.

Actual behavior

The response sharedWithMe lists the shared resource.

{
    "value": [
        {
            "@UI.Hidden": false,
            "@client.synchronize": false,
            "createdBy": {
                "user": {
                    "@libre.graph.userType": "Federated",
                    "displayName": "Alice Hansen",
                    "id": "NzQ5ZDQyYzQtMDMyNy00N2M0LWI3NTktYTJhYTBlZTgyNzhmQGh0dHBzOi8vbG9jYWxob3N0OjkyMDA="
                }
            },
            "eTag": "\"f4482cf1698e402631f3e20ed292a042\"",
            "file": {
                "mimeType": "text/plain"
            },
            "id": "89f37a33-858b-45fa-8890-a1f2b27d90e1$89f37a33-858b-45fa-8890-a1f2b27d90e1!b8d7d7e5-4a55-4f3d-b076-7aad894c966d",
            "lastModifiedDateTime": "2025-01-02T15:25:55+05:45",
            "name": "textfile.txt",
            "parentReference": {
                "driveId": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668",
                "driveType": "virtual",
                "id": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668!a0ca6a90-a365-4782-871e-d44447bbc668"
            },
            "remoteItem": {
                "createdBy": {
                    "user": {
                        "@libre.graph.userType": "Federated",
                        "displayName": "Alice Hansen",
                        "id": "NzQ5ZDQyYzQtMDMyNy00N2M0LWI3NTktYTJhYTBlZTgyNzhmQGh0dHBzOi8vbG9jYWxob3N0OjkyMDA="
                    }
                },
                "eTag": "\"f4482cf1698e402631f3e20ed292a042\"",
                "file": {
                    "mimeType": "text/plain"
                },
                "id": "89f37a33-858b-45fa-8890-a1f2b27d90e1$59d9dc0e-d57d-4bfa-a10f-70dfad83924e!L3RleHRmaWxlLnR4dA==",
                "lastModifiedDateTime": "2025-01-02T15:25:55+05:45",
                "name": "textfile.txt",
                "permissions": [
                    {
                        "createdDateTime": "2025-01-02T15:25:56.322654426+05:45",
                        "grantedToV2": {
                            "user": {
                                "@libre.graph.userType": "Member",
                                "displayName": "Brian Murphy",
                                "id": "ae36eccb-8ec5-42ef-8ca9-8ad92659e4b3"
                            }
                        },
                        "id": "59d9dc0e-d57d-4bfa-a10f-70dfad83924e",
                        "invitation": {
                            "invitedBy": {
                                "user": {
                                    "@libre.graph.userType": "Federated",
                                    "displayName": "Alice Hansen",
                                    "id": "NzQ5ZDQyYzQtMDMyNy00N2M0LWI3NTktYTJhYTBlZTgyNzhmQGh0dHBzOi8vbG9jYWxob3N0OjkyMDA="
                                }
                            }
                        }
                    }
                ],
                "size": 12
            },
            "size": 12
        }
    ]
}

Also, for user Brian the share is accessed with PROPFIND request:

curl https://localhost:10200/remote.php/dav/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1%2478b71658-af19-4a88-998d-dd77438a841b\!L3RleHRmaWxlLnR4dA%3D%3D -XPROPFIND -ubrian:1234 -kv

<d:multistatus
	xmlns:s="http://sabredav.org/ns"
	xmlns:d="DAV:"
	xmlns:oc="http://owncloud.org/ns">
	<d:response>
		<d:href>/remote.php/dav/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1$78b71658-af19-4a88-998d-dd77438a841b%21L3RleHRmaWxlLnR4dA==</d:href>
		<d:propstat>
			<d:prop>
				<oc:id>89f37a33-858b-45fa-8890-a1f2b27d90e1$78b71658-af19-4a88-998d-dd77438a841b!L3RleHRmaWxlLnR4dA==</oc:id>
				<oc:fileid>89f37a33-858b-45fa-8890-a1f2b27d90e1$78b71658-af19-4a88-998d-dd77438a841b!L3RleHRmaWxlLnR4dA==</oc:fileid>
				<oc:spaceid>89f37a33-858b-45fa-8890-a1f2b27d90e1$78b71658-af19-4a88-998d-dd77438a841b</oc:spaceid>
				<oc:name>textfile.txt</oc:name>
				<d:displayname>textfile.txt</d:displayname>
				<d:getetag>"91af43b815f5adb7d53b810f4bcb844f"</d:getetag>
				<oc:permissions></oc:permissions>
				<d:resourcetype></d:resourcetype>
				<d:getcontentlength>12</d:getcontentlength>
				<d:getcontenttype>text/plain</d:getcontenttype>
				<d:getlastmodified>Thu, 02 Jan 2025 09:57:00 GMT</d:getlastmodified>
				<oc:checksums>
					<oc:checksum>SHA1:94e66df8cd09d410c62d9e0dc59d3a884e458e05 MD5:989* Connection #0 to host localhost left intact
3532233caff98cd083a116b013c0b ADLER32:1ec804d0</oc:checksum>
				</oc:checksum>
			</oc:checksums>
			<oc:favorite>0</oc:favorite>
		</d:prop>
		<d:status>HTTP/1.1 200 OK</d:status>
	</d:propstat>
	<d:propstat>
		<d:prop>
			<oc:file-parent></oc:file-parent>
		</d:prop>
		<d:status>HTTP/1.1 404 Not Found</d:status>
	</d:propstat>
</d:response>undefined</d:multistatus>

Federated user cannot download this share shared with Secure Viewer.
Reported in: #10822
@PrajwolAmatya PrajwolAmatya mentioned this issue Jan 6, 2025
Open
9 tasks
@PrajwolAmatya PrajwolAmatya mentioned this issue Jan 16, 2025
Closed
37 tasks
@kobergj
Copy link
Collaborator

kobergj commented Jan 21, 2025

@PrajwolAmatya I don't quite understand the bug, sorry 🙈

The resource shared with permissions role Secure Viewer should not be shared with user Brian and the resource should not be listed for user Brian.

Why should this be the case? Why can I not share a file with Secure Viewer permissions?

@PrajwolAmatya
Copy link
Contributor Author

PrajwolAmatya commented Jan 22, 2025
edited
Loading

@PrajwolAmatya I don't quite understand the bug, sorry 🙈

The issue here is the different behavior in UI and API. Even though the permission Secure Viewer is enabled, there are two permissions available for federated share Can View and Can Edit, which means we cannot share resource to a federated user with Secure Viewer role using web UI.

Shouldn't the behavior be same for both UI and API?

@kobergj

@kobergj kobergj moved this from Qualification to Prio 1 in Infinite Scale Team Board Jan 22, 2025
@PrajwolAmatya PrajwolAmatya mentioned this issue Feb 3, 2025
Merged
9 tasks
@prashant-gurung899 prashant-gurung899 mentioned this issue Feb 6, 2025
Open
16 tasks
@kobergj kobergj moved this to Prio 3 or less in Infinite Scale Team Board Feb 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type:Bug
Projects
Infinite Scale Team Board
Status: Prio 3 or less
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kobergj @PrajwolAmatya