Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Share API default to wrong permissions #37774

Closed
5 of 9 tasks
schiessle opened this issue Apr 17, 2023 · 4 comments
Closed
5 of 9 tasks

[Bug]: Share API default to wrong permissions #37774

schiessle opened this issue Apr 17, 2023 · 4 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 25-feedback bug feature: sharing needs review Needs review to determine if still applicable

Comments

@schiessle
Copy link
Member

schiessle commented Apr 17, 2023
edited
Loading

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

According to our documentation, when creating a public link with our API the permissions should default to "1" (read only) but it will be set to 17 (1 = read, 16= share). Luckily the combination doesn't hurt, but it is still wrong.

Also it seems that all permissions send along the request, e.g. curl -k -X POST -d "path=<path to folder>" -d "shareType=3" -d "permissions=4" -H "OCS-APIRequest: true" -u <user>:<password> http://<nc domain>/ocs/v2.php/apps/files_sharing/api/v1/shares get ignored even that "permissions" is a valid parameter and "4" would be a valid value for a folder (file drop)

Steps to reproduce

  1. Create a public link with the OCS API ( curl -k -X POST -d "path=<path to folder>" -d "shareType=3" -d "permissions=4" -H "OCS-APIRequest: true" -u <user>:<password> http://<nc domain>/ocs/v2.php/apps/files_sharing/api/v1/shares)
  2. check the result

Expected behavior

default permission is "1" if no permission is given, otherwise permission given by the user gets applied

Installation method

None

Nextcloud Server version

25

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

No response

List of activated Apps

-

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response
@schiessle schiessle added bug 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Apr 17, 2023
@tfboy
Copy link

tfboy commented Apr 27, 2023
edited
Loading

I found this issue, posted about it on the groups and was about to post it here as a bug but have been beaten to it! My other post here: https://help.nextcloud.com/t/ocs-share-api-options-and-defining-permissions-bug/161037

In my experimenting, I have also found out that the actual values set for permissions depends on whether, for a public share, you define publicUpload=true.

I can't understand why this variable exists when shareType allows you to define it as a public share. Maybe to be in addition?

Anyway, if the publicUpload is set to true, then the resulting permissions number is always 31, regardless of what you define.

If publicUpload isn't defined, then permissions seem to be set to 17 + whatever you define as the permission number. So, if for example, you set permissions=4, then the actual share is created with permissions set to 21.

I tried a negative number to see if I could "bring it down to 4", but that doesn't work.

@schiessle , when you say "Luckily the combination doesn't hurt, but it is still wrong.", I will have to disagree: in your case, as per mine, you want an upload only but the user gets read. That's a problem. I do not want one user being to read files in that share, only to upload. This, to me, is a big security issue!

Edit: schiessle reported this issue with NC 25. I'm having the same issue with NC 26.0.1.

@Pitastic
Copy link

I installed the update to 26.0.1 today and something has been fixed in this issue but not completly.

I am now able to mitigate this bug:

  • Create a share with arguments path=xxx , shareType=3 and permissions=4
  • Permissions will be READ and UPLOAD (which is not what I want, but it is not ALL anymore)
  • Update the share with the given ID from above with arguments path=xxx and permissions=4 and voilà 😄

@joshtrichards joshtrichards mentioned this issue Aug 19, 2024
Open
@joshtrichards
Copy link
Member

Related: #17504

@joshtrichards joshtrichards mentioned this issue Aug 19, 2024
Closed
8 tasks
@joshtrichards joshtrichards added the needs review Needs review to determine if still applicable label Sep 17, 2024
@susnux
Copy link
Contributor

susnux commented Jan 20, 2025

To give some insights what is happening here:

  • if you set publicUpload the permissions are always overwritten with READ+MODIFY+DELETE
    • This flag is legacy and should not be used anymore so just do not use it.
  • permissions will currently always contain READ

@susnux susnux closed this as completed Jan 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 25-feedback bug feature: sharing needs review Needs review to determine if still applicable
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@schiessle @joshtrichards @susnux @Pitastic @tfboy @szaimen