public share expiration enforcement policy #8837

Open
r2evans opened this issue Mar 15, 2018 · 4 comments
Labels
1. to develop Accepted and waiting to be taken care of enhancement feature: sharing needs review Needs review to determine if still applicable

Comments

@r2evans

r2evans commented Mar 15, 2018

The current policy of enforced expiration length for shared public links appears to be from the date the file was originally shared. I suggest that it should instead be from "now", the date that the user is re-configuring the share.

  • If an admin is using this policy to prevent stale links, then by nature of a user manually updating the link's expiration date, we are confident that the shared link is still relevant and therefore not "stale".
  • If an admin is using this policy to prevent a file from being shared too long (perhaps to discourage the use of this public-link-sharing), then the user need only unshare/reshare to bypass the admin's intent. (In this case, the admin should either define a "soft" company policy and/or just disable the public share functionality entirely.)

The unshare/reshare method would likely result in a different share URL, which requires re-sending the new link to all recipients (arguably undesirable).

Steps to reproduce

  1. Set sharing "default expiration date" to expire after "n" days, and select "enforce expiration date".
  2. Share a file publicly, note the enforced expiration date.
  3. Some time later (at least a day later, but before the expiration date), update/change the expiration date.

Expected behaviour

The ability to change the expiration date to up to "n" days from the moment we are trying to make the change (i.e., max of "now" plus "n" days).

Actual behaviour

The max allowable expiration date is "n" days from the time the file was first shared, so no change possible.

Server configuration

Operating system: ubuntu xenial, 16.04.4 LTS

Web server: nginx-1.13

Database: postgresql-9.6

PHP version: PHP 7.0.27-1+ubuntu14.04.1+deb.sury.org+1

Nextcloud version: 12.0.5

Updated from an older Nextcloud/ownCloud or fresh install: updated

Where did you install Nextcloud from: over time, through 9.0.53, 11.0.1, 11.0.3, 12.0.1, 12.0.2, 12.0.4

Signing status:

No errors have been found.

List of activated apps:

App list
Enabled:
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - bruteforcesettings: 1.0.3
  - calendar: 1.5.8
  - comments: 1.2.0
  - contacts: 2.1.2
  - dav: 1.3.1
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - impersonate: 1.0.2
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - user_ldap: 1.2.1
  - workflowengine: 1.2.0
Disabled:
  - encryption
  - files_external
  - user_external

Nextcloud configuration:

Config report
{
    "system": {
        "redis": {
            "host": "redis",
            "port": 6379
        },
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "12.0.5.3",
        "dbname": "nextcloud_db",
        "dbhost": "postgresql:5432",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "instanceid": "ocw0r7c4btrm",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_from_address": "me",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpsecure": "ssl",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "session_timeout": 7200,
        "session_keepalive": false,
        "lost_password_link": "disabled",
        "ldapIgnoreNamingRules": false,
        "appstore.experimental.enabled": true,
        "loglevel": 1,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance": false,
        "theme": ""
    }
}

Are you using external storage, if yes which one: none

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory (samba-ad-dc)

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                                                                |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                                                              |
| hasPagedResultSupport         |                                                                                                                                                |
| homeFolderNamingRule          |                                                                                                                                                |
| lastJpegPhotoLookup           | 0                                                                                                                                              |
| ldapAgentName                 | AD\someuser                                                                                                                                    |
| ldapAgentPassword             | ***                                                                                                                                            |
| ldapAttributesForGroupSearch  |                                                                                                                                                |
| ldapAttributesForUserSearch   |                                                                                                                                                |
| ldapBackupHost                |                                                                                                                                                |
| ldapBackupPort                |                                                                                                                                                |
| ldapBase                      | cn=Users,dc=AD,dc=mydomain,dc=com                                                                                                              |
| ldapBaseGroups                | cn=Users,dc=AD,dc=mydomain,dc=com                                                                                                              |
| ldapBaseUsers                 | cn=Users,dc=AD,dc=mydomain,dc=com                                                                                                              |
| ldapCacheTTL                  | 600                                                                                                                                            |
| ldapConfigurationActive       | 1                                                                                                                                              |
| ldapDefaultPPolicyDN          |                                                                                                                                                |
| ldapDynamicGroupMemberURL     |                                                                                                                                                |
| ldapEmailAttribute            | mail                                                                                                                                           |
| ldapExperiencedAdmin          | 0                                                                                                                                              |
| ldapExpertUUIDGroupAttr       |                                                                                                                                                |
| ldapExpertUUIDUserAttr        |                                                                                                                                                |
| ldapExpertUsernameAttr        | sAMAccountName                                                                                                                                 |
| ldapGidNumber                 | gidNumber                                                                                                                                      |
| ldapGroupDisplayName          | cn                                                                                                                                             |
| ldapGroupFilter               |                                                                                                                                                |
| ldapGroupFilterGroups         |                                                                                                                                                |
| ldapGroupFilterMode           | 0                                                                                                                                              |
| ldapGroupFilterObjectclass    |                                                                                                                                                |
| ldapGroupMemberAssocAttr      | uniqueMember                                                                                                                                   |
| ldapHost                      | myserver.AD.mydomain.com                                                                                                                       |
| ldapIgnoreNamingRules         |                                                                                                                                                |
| ldapLoginFilter               | (&(&(|(objectclass=organizationalPerson))(|(|(memberof=CN=myusers,CN=Users,DC=AD,DC=mydomain,DC=com))))(samaccountname=%uid))                  |
| ldapLoginFilterAttributes     |                                                                                                                                                |
| ldapLoginFilterEmail          | 0                                                                                                                                              |
| ldapLoginFilterMode           | 0                                                                                                                                              |
| ldapLoginFilterUsername       | 1                                                                                                                                              |
| ldapNestedGroups              | 0                                                                                                                                              |
| ldapOverrideMainServer        |                                                                                                                                                |
| ldapPagingSize                | 500                                                                                                                                            |
| ldapPort                      | 389                                                                                                                                            |
| ldapQuotaAttribute            |                                                                                                                                                |
| ldapQuotaDefault              |                                                                                                                                                |
| ldapTLS                       | 0                                                                                                                                              |
| ldapUserDisplayName           | displayname                                                                                                                                    |
| ldapUserDisplayName2          |                                                                                                                                                |
| ldapUserFilter                | (&(|(objectclass=organizationalPerson))(|(|(memberof=CN=myusers,CN=Users,DC=AD,DC=mydomain,DC=com))))                                          |
| ldapUserFilterGroups          | myusers                                                                                                                                        |
| ldapUserFilterMode            | 1                                                                                                                                              |
| ldapUserFilterObjectclass     | organizationalPerson                                                                                                                           |
| ldapUuidGroupAttribute        | auto                                                                                                                                           |
| ldapUuidUserAttribute         | auto                                                                                                                                           |
| turnOffCertCheck              | 0                                                                                                                                              |
| turnOnPasswordChange          | 0                                                                                                                                              |
| useMemberOfToDetectMembership | 1                                                                                                                                              |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser: FF-59.0

Operating system: win10

Logs

Web server error log

(nothing related)

Nextcloud log (data/nextcloud.log)

(nothing relevant, just a lot of "File accessed" ...)

Browser log

(nothing relevant)
@MorrisJobke MorrisJobke added enhancement good first issue Small tasks with clear documentation about how and in which place you need to fix things in. feature: sharing labels Mar 16, 2018
@MorrisJobke
Member

Makes sense ... but maybe we should finish the cleanup of the sharing code. cc @nextcloud/sharing

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Oct 1, 2018
@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Aug 20, 2020
@szaimen
Contributor

szaimen commented Jun 9, 2021

cc @nextcloud/sharing Do we really want this? It would allow widening the share expiration practically indefinitely...

@skjnldsv
Member

skjnldsv commented Jun 9, 2021

Yeah, it's a bug. I think there is an actual opened ticket for this 🤔
I think the backend actually checks the current date?

@szaimen
Contributor

szaimen commented Jun 9, 2021

I don't find another one either

@szaimen szaimen added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap needs info labels Jun 9, 2021
@joshtrichards joshtrichards added needs review Needs review to determine if still applicable and removed good first issue Small tasks with clear documentation about how and in which place you need to fix things in. labels Nov 7, 2024
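
The two ways of anchoring the enforced maximum that this thread debates, modelled as an added example (not Nextcloud code; the `Share` record, the function names, the token format and the dates are constructed for illustration). It shows that anchoring on the creation date blocks every renewal, that anchoring on "now" lets daily renewals extend a link without bound, and how an admin-side audit could list renewed links.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import secrets

@dataclass
class Share:                      # hypothetical record, not Nextcloud's share class
    token: str
    created: date
    expires: date

def max_expiry(share, today, n_days, anchor):
    """Policy cap. anchor="created" is the reported behaviour, "now" the requested one."""
    base = share.created if anchor == "created" else today
    return base + timedelta(days=n_days)

def create_share(today, n_days):
    # Random stand-in token; a new share always starts at the enforced default.
    return Share(secrets.token_urlsafe(11), today, today + timedelta(days=n_days))

def update_expiry(share, requested, today, n_days, anchor):
    """Apply a requested date, rejecting past dates and dates beyond the cap."""
    if requested < today:
        raise ValueError("expiration date is in the past")
    if requested > max_expiry(share, today, n_days, anchor):
        raise ValueError("expiration date exceeds the enforced maximum")
    share.expires = requested
    return share

def renew_daily(anchor, n_days, days, start=date(2018, 3, 15)):
    """Constructed scenario: the owner requests today+n on each following day.
    Returns (total link lifetime in days, number of accepted renewals)."""
    share, accepted = create_share(start, n_days), 0
    for offset in range(1, days + 1):
        today = start + timedelta(days=offset)
        if today > share.expires:          # link has already lapsed
            break
        try:
            update_expiry(share, today + timedelta(days=n_days), today, n_days, anchor)
            accepted += 1
        except ValueError:
            pass                           # cap reached, nothing changes
    return (share.expires - share.created).days, accepted

def reshare(today, n_days):
    """Unshare/reshare workaround: a fresh record, so a fresh token and creation date."""
    return create_share(today, n_days)

def renewed_shares(shares, n_days):
    """Audit helper: tokens whose expiry lies beyond created + n, i.e. renewed links."""
    limit = timedelta(days=n_days)
    return [s.token for s in shares if s.expires - s.created > limit]
```

With `n_days=7` over 30 days, `renew_daily("created", 7, 30)` ends with a 7-day lifetime and no accepted renewals, while `renew_daily("now", 7, 30)` ends with a 37-day lifetime after 30 accepted renewals.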