do not leak existing spaces #3300
8eec6ee to 69ad276
This pull request fixes 4 alerts when merging 69ad276 into 2dfa067 - view on LGTM.com fixed alerts:
This pull request fixes 4 alerts when merging b7d6cc5 into 2dfa067 - view on LGTM.com fixed alerts:
the only failing tests are the ones I changed in owncloud/core#40406 although I fear I may have to duplicate them and split between ocis & oc10 ... correct @phil-davis ?
eccbcad to 380378b
This pull request fixes 4 alerts when merging 380378b into 11cc78a - view on LGTM.com fixed alerts:
380378b to a2d2e6f
hm @aduffeck @dragotin, I ran into a concurrent create dir error in https://drone.cernbox.cern.ch/cs3org/reva/9181/5/3:
This pull request fixes 4 alerts when merging a2d2e6f into 11cc78a - view on LGTM.com fixed alerts:
a2d2e6f to 8d7431c
This pull request fixes 4 alerts when merging 8d7431c into 11cc78a - view on LGTM.com fixed alerts:
This pull request fixes 4 alerts when merging c682b55 into 11cc78a - view on LGTM.com fixed alerts:
This pull request fixes 4 alerts when merging 1150199 into 560ba92 - view on LGTM.com fixed alerts:
This pull request fixes 4 alerts when merging 03290c8 into 560ba92 - view on LGTM.com fixed alerts:
ugh.... looks like a different issue than the one we fixed recently, that was about
03290c8 to c9675e3
This pull request fixes 4 alerts when merging c9675e3 into fe227ef - view on LGTM.com fixed alerts:
This pull request fixes 4 alerts when merging 87f6d32 into fe227ef - view on LGTM.com fixed alerts:
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
87f6d32 to 18a6eba
This pull request fixes 4 alerts when merging b6524fe into 9567525 - view on LGTM.com fixed alerts:
LGTM, big change. Could not test all the edge cases but the adapted unit and API tests are good.
We are now returning a not found error for more requests to not leak existence of spaces for users that do not have access to resources.
I stopped for now, because I noticed that for modifying requests we now have to differentiate between existing resources and missing write permissions. It would require an additional stat call in error cases. Something I'd like to prevent.
Furthermore, the ocdav service should not really change status codes IMO.
If you want to expose permission errors, implement a storage provider that does that. If you don't want to leak space / resource existence, do that.
if we only prevent leaking existence in ocdav the CS3 api still knows that ... so ... yeah, this should be done by storage drivers and ocdav should just transparently handle that.
Ironically, the spaces registry originally had no way of finding a space a user had no access to ...
This might actually require touching all three services. I'll dig deeper next week.
And obviously this will freak out the testsuite ... but I agree with @phil-davis oc10 should return 404 as well.
Fixes owncloud/ocis#3561
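
The distinction discussed in the description above, as an added example that is not part of the pull request or of reva's code: the storage layer decides between not found and permission denied, and the HTTP layer only maps the result. The `perms`, `store`, `checkWrite` and `statusFor` names and the sample paths and users are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Hypothetical permission model and sentinel errors; these are not reva's types.
type perms struct{ read, write bool }

var errNotFound = errors.New("not found")
var errPermissionDenied = errors.New("permission denied")

// store maps resource path -> user -> permissions (constructed sample data).
type store map[string]map[string]perms

// checkWrite picks the error for a modifying request in the storage layer.
func (s store) checkWrite(user, path string) error {
	grants, exists := s[path]
	p := grants[user] // zero value (no access) when path or user is unknown
	switch {
	case !exists || !p.read:
		// Missing and invisible resources must be indistinguishable.
		return errNotFound
	case !p.write:
		// The caller can already read the resource, so 403 reveals nothing new.
		return errPermissionDenied
	}
	return nil
}

// statusFor maps storage errors to HTTP codes without rewriting them.
func statusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusNoContent
	case errors.Is(err, errNotFound):
		return http.StatusNotFound
	case errors.Is(err, errPermissionDenied):
		return http.StatusForbidden
	}
	return http.StatusInternalServerError
}

func main() {
	s := store{"/spaces/finance/report.txt": {"alice": {true, true}, "bob": {true, false}}}
	for _, u := range []string{"alice", "bob", "mallory"} {
		fmt.Println(u, statusFor(s.checkWrite(u, "/spaces/finance/report.txt")), statusFor(s.checkWrite(u, "/spaces/none")))
	}
}
```

A user with no grant gets the same 404 for an existing and a missing path, while a reader without write permission still gets 403.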