Regular users can create invisible or non-"userAssignable" tags #22512

Closed
LukasReschke opened this issue Feb 18, 2016 · 5 comments · Fixed by #22536

Comments

@LukasReschke
Member

/remote.php/dav/systemtags/ allows regular users to create invisible or non-"userAssignable" tags. I assume this behaviour should be reserved for admins?

```http
POST /remote.php/dav/systemtags/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Content-Length: 70
Cookie: oc3ncedmobud=toouiju9jl90tpjk06c50grhn1; oc_sessionPassphrase=T%2FEvYm%2BBBWw9TctnL8qxbt5h77NJjmjBFKGBiRsagKT6FMzz9qNoBrrQTyQVukiHEfljuuxlcAzYy0xQDxi8rV1kQksPL0SML%2F35Ww4O21hyj9tGvzP0oklR52DplzKp; ocjcd5zbuzxl=f5stbvesjrnmsibbd7ke635jc6; och9myy6w5uq=ofa4n30ip1fend7eqvqoaff506; ocn9qnveszb6=gkspstac6vrdvtckedo9ike7d3; ocsdfaof31in=584u4s1u5ge8bispi1lprcei56; oc9ytv0hw06z=rrkadaeu0l4tf3750oalaveha4
Connection: close

{"name":"MySuperHiddenTag","userVisible":false,"userAssignable":false}
```

cc @PVince81 @karlitschek Expected behaviour or bug?

@LukasReschke LukasReschke added this to the 9.0-current milestone Feb 18, 2016
@LukasReschke
Member Author

(especially since only admins can delete such tags)

@PVince81
Contributor

You're right, only admins should be able to create such.

I think the POST operation in the system tags plugin is missing a check...
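
A sketch of the kind of check discussed in this thread, added here as an example; it is not ownCloud's code and not the patch in #22536. The function names, the default of `True` for an omitted flag, and the 201/403/400 status codes are assumptions made for illustration.

```python
import json

class Forbidden(Exception):
    """Caller lacks the right to create this tag (HTTP 403)."""

class BadRequest(Exception):
    """Request body is malformed (HTTP 400)."""

# Flags taken from the request body in the report.
RESTRICTED_FLAGS = ("userVisible", "userAssignable")

# Body from the report above; other bodies used with this sketch are constructed.
REPORTED_BODY = '{"name":"MySuperHiddenTag","userVisible":false,"userAssignable":false}'

def parse_tag_request(body):
    """Parse and type-check the JSON body before any authorization decision."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise BadRequest("body is not valid JSON") from exc
    if not isinstance(data, dict) or not isinstance(data.get("name"), str) or not data["name"]:
        raise BadRequest("'name' must be a non-empty string")
    tag = {"name": data["name"]}
    for flag in RESTRICTED_FLAGS:
        value = data.get(flag, True)  # assumption: an omitted flag means True
        # Accept only real JSON booleans, so "false", 0 or null cannot be
        # coerced to a different value after the permission check has run.
        if not isinstance(value, bool):
            raise BadRequest(f"'{flag}' must be a JSON boolean")
        tag[flag] = value
    return tag

def authorize_tag_creation(body, is_admin):
    """Return the validated tag, or raise if a regular user asks for a restricted one."""
    tag = parse_tag_request(body)
    if not is_admin and not all(tag[flag] for flag in RESTRICTED_FLAGS):
        raise Forbidden("only admins may create invisible or non-assignable tags")
    return tag

def outcome(body, is_admin):
    """Map the decision to the status code a handler would send (assumed codes)."""
    try:
        authorize_tag_creation(body, is_admin)
        return 201
    except Forbidden:
        return 403
    except BadRequest:
        return 400
```

The same role-by-flag matrix (regular user and admin against each flag set to false, omitted, or non-boolean) is a natural shape for integration tests of the endpoint.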

@LukasReschke
Member Author

I'll take care of this as I'll also write authentication integration tests in style of #22511

@LukasReschke
Member Author

Patch and integration tests are at #22536
