Upload is not prevented (only store the final .file is) #211
I have the same issue. On your documentation page (https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html) you've said: "If access to a file has been denied for a user, the user can not: Create/upload the file", but this isn't true.

I really need to restrict the uploadable file types to image files only. But I can upload everything - if I share the link to anonymous users it is even more important to restrict the upload possibilities! I could even upload JS files, SH files, PHP or SQL files - everything! No setting on that File Access Control flow applies in the upload process - no file size observer, no MIME type observers, nothing. That is a real security issue!

And you really need to update your manual if the upload of files can't be managed, because it doesn't work. But really this should be. A file management program - a cloud service, which has the ability to let anonymous users upload files has to be able to restrict the uploads. It's really essential. Please help us fix this. Thank you very much.

Here is a screenshot of the settings I made in the flow:

I could upload any file type - not just images.

For your information, here are my used specs:

EDIT/UPDATE: I even installed a completely new Nextcloud with only the basic applications active to prevent some applications from interfering with the functions of this File Access Control application. Nothing changed.
The rules are "and" connected. Since you want to block uploads if one of the cases matches, and we don't have an "or" connection, you need to create 3 different rule sets (which basically is the or):

1. Block non-images
2. Block smaller files
3. Block bigger files
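
The AND-within-a-rule-set, OR-across-rule-sets behaviour described in the reply above, as an added example that is not part of the thread and not Nextcloud's own code. It is a simplified model of the matching logic only; the `Upload` type, the check helpers, the 10 KB minimum and the sample files are constructed assumptions, and only the 100 MB figure appears on this page.

```python
from dataclasses import dataclass
from typing import Callable, List

MB = 1024 * 1024

@dataclass
class Upload:              # hypothetical stand-in for an incoming file
    name: str
    mimetype: str
    size: int              # bytes

Check = Callable[[Upload], bool]

# Hypothetical checks modelled on the three conditions named in the reply.
def not_image(u: Upload) -> bool:
    return not u.mimetype.startswith("image/")

def smaller_than(limit: int) -> Check:
    return lambda u: u.size < limit

def bigger_than(limit: int) -> Check:
    return lambda u: u.size > limit

def rule_set_matches(checks: List[Check], u: Upload) -> bool:
    """Checks inside one rule set are AND-connected: all must match."""
    return all(check(u) for check in checks)

def is_blocked(rule_sets: List[List[Check]], u: Upload) -> bool:
    """Separate rule sets behave like OR: one fully matching set denies."""
    return any(rule_set_matches(rs, u) for rs in rule_sets)

MIN_SIZE = 10 * 1024       # constructed threshold
MAX_SIZE = 100 * MB        # the 100 MB figure used in the issue text

# One rule set holding all three checks: a file can never be both smaller
# than MIN_SIZE and bigger than MAX_SIZE, so this set never matches.
single_rule_set = [[not_image, smaller_than(MIN_SIZE), bigger_than(MAX_SIZE)]]

# Three rule sets with one check each, as the reply recommends.
three_rule_sets = [[not_image], [smaller_than(MIN_SIZE)], [bigger_than(MAX_SIZE)]]

SAMPLES = [                # constructed sample uploads
    Upload("photo.jpg", "image/jpeg", 2 * MB),
    Upload("script.sh", "text/x-shellscript", 4 * 1024),
    Upload("dump.sql", "application/sql", 5 * MB),
    Upload("huge.png", "image/png", 300 * MB),
]

def blocked_names(rule_sets: List[List[Check]]) -> List[str]:
    return [u.name for u in SAMPLES if is_blocked(rule_sets, u)]

if __name__ == "__main__":
    print("single rule set blocks:", blocked_names(single_rule_set))
    print("three rule sets block: ", blocked_names(three_rule_sets))
```
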
About https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html#prevent-uploading-of-specific-files

Setting a rule like

Will NOT prevent the file upload >100 MB. File will be fully uploaded by the client to the server but final `MOVE` of the `.file` will be denied, wasting both server `tmp` resources and client Server+Bandwidth.

Upload should be prevented by checking the file size BEFORE the upload, not after.