Test Results for operations that fail without lock token but succeed when lock token is passed

[davitol]

Permissions masks:

• READ = 1
• UPDATE = 2 ("can update" in web UI)
• CREATE = 4 ("can create" in web UI)
• DELETE = 8 ("can delete" in web UI)
• SHARE = 16 ("can reshare" in web UI)

File operations shorthand for the later table:

• download: download/read/get a locked file.
• upload: a new file can NOT be uploaded/created in a locked folder
• upload_overwrite: a file can NOT be overwrite an existing locked one
• rename: rename file to new name, all within the shared folder. NOT possible
• move_in: move a file from outside the shared folder into the shared folder. NOT possible
• move_in_overwrite: move a file from outside the shared folder and overwrite a file inside the shared folder (note: SabreDAV automatically deletes the target file first before moving, so requires DELETE permission too). NOT possible
• move_in_subdir: move a file already in the shared folder into a subdir within the shared folder. NOT possible
• move_in_subdir_overwrite: move a file already in the shared folder into a subdir within the shared folder and overwrite an existing file there. NOT possible.
• move_out: move a file to outside of the shared folder. NOT possible.
• move_out_subdir: move a file out of a subdir of the shared folder into the locked shared folder. NOT possible.
• copy_in: copy a file from outside the shared folder into the locked shared folder. NOT possible.
• copy_in_overwrite: copy a file from outside the shared folder and overwrite a file inside the locked shared folder (note: SabreDAV automatically deletes the target file first before copying, so requires DELETE permission too)
• delete: delete a file inside the locked shared folder. NOT possible.
• mkdir: create folder inside the locked shared folder. NOT possible.
• rmdir: delete folder inside the locked shared folder. NOT possible.

[ownclouders]

GitMate.io thinks the contributor most likely able to help you is @PVince81.

Possibly related issues are #22492 (test), #31579 (test), #22485 (test), #17243 (Lock sharing operations when file is locked), and #16794 (csync tests fail with file locking enabled).

[davitol]

DELETE A LOCKED FILE: ✅

NO lock token

curl -H 'Authorization:Basic YWRtaW46YWRtaW4=' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:XXXXX' -X DELETE  'http://XXXXXX/remote.php/webdav/pepe.txt/'

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Locked</s:exception>
  <s:message/>
  <d:lock-token-submitted>
    <d:href>pepe.txt</d:href>
  </d:lock-token-submitted>
</d:error>

{"reqId":"OGPfCIvTUZAaHwuRC3gj","level":4,"time":"2019-01-16T12:17:24+00:00","remoteAddr":"172.20.0.1","user":"admin","app":"webdav","method":"DELETE","url":"\/remote.php\/webdav\/pepe.txt\/","message":"Exception: HTTP\/1.1 423 Locked: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\Locked\",\"Message\":\"\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Locks\\\\Plugin->validateTokens(Object(Sabre\\\\HTTP\\\\Request), Array)\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1457): Sabre\\\\Event\\\\EventEmitter->emit('validateTokens', Array)\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(474): Sabre\\\\DAV\\\\Server->checkPreconditions(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(64): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/ownclo...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Locks\\\/Plugin.php\",\"Line\":539}"}

Lock token passed

File is deleted

curl -u admin:admin -H 'If: (<opaquelocktoken:f600eb57-5a44-4fab-b8a1-ad287b356b87>)' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X DELETE 'http://10.40.40.222:9681/remote.php/webdav/pepe.txt

MOVE A LOCKED FILE ✅

Locked without Token, Moved if we pass the token

url -k -H 'Destination:http://10.40.40.222:9681/remote.php/webdav/Photos/pepe.txt' -H 'Overwrite:F' -H 'Authorization:Basic YWRtaW46YWRtaW4=' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X MOVE 'http://10.40.40.222:9681/remote.php/webdav/pepe.txt'

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Locked</s:exception>
  <s:message/>
  <d:lock-token-submitted>
    <d:href>pepe.txt</d:href>
  </d:lock-token-submitted>
</d:error>

{"reqId":"MUf54LgrAr8XM1j0c0US","level":4,"time":"2019-01-16T14:49:58+00:00","remoteAddr":"172.20.0.1","user":"admin","app":"webdav","method":"MOVE","url":"\/remote.php\/webdav\/pepe.txt","message":"Exception: HTTP\/1.1 423 Locked: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\Locked\",\"Message\":\"\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Locks\\\\Plugin->validateTokens(Object(Sabre\\\\HTTP\\\\Request), Array)\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1457): Sabre\\\\Event\\\\EventEmitter->emit('validateTokens', Array)\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(474): Sabre\\\\DAV\\\\Server->checkPreconditions(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(64): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/ownclo...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Locks\\\/Plugin.php\",\"Line\":539}"}

Lock token passed

curl -k -H 'Lock-Token: opaquelocktoken:0e33a-7d6b-4b79-bbcf-97f75a540faa' -H 'Destination:http://10.40.40.222:9681/remote.php/webdav/Photos/pepe.txt' -H 'Overwrite:F' -H 'Authorization:Basic YWRtaW46YWRtaW4=' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X MOVE 'http://10.40.40.222:9681/remote.php/webdav/pepe.txt'

COPY A LOCKED FILE: ✅

Locked without Token, Moved if we pass the token

curl -k -H 'Destination:http://10.40.40.222:9681/remote.php/webdav/pepe.txt' -H 'Overwrite:F' -H 'Authorization:Basic YWRtaW46YWRtaW4=' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X COPY 'http://10.40.40.222:9681/remote.php/webdav/Photos/pepe.txt

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Locked</s:exception>
  <s:message/>
  <d:lock-token-submitted>
    <d:href>pepe.txt</d:href>
  </d:lock-token-submitted>
</d:error>

{"reqId":"aiSepEEAL2cR70aKsfuC","level":4,"time":"2019-01-16T15:00:09+00:00","remoteAddr":"172.20.0.1","user":"admin","app":"webdav","method":"COPY","url":"\/remote.php\/webdav\/Photos\/pepe.txt","message":"Exception: HTTP\/1.1 423 Locked: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\Locked\",\"Message\":\"\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Locks\\\\Plugin->validateTokens(Object(Sabre\\\\HTTP\\\\Request), Array)\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1457): Sabre\\\\Event\\\\EventEmitter->emit('validateTokens', Array)\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(474): Sabre\\\\DAV\\\\Server->checkPreconditions(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(64): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/ownclo...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Locks\\\/Plugin.php\",\"Line\":539}"}

Lock token passed

File is moved

curl -k -H 'Destination:http://10.40.40.222:9681/remote.php/webdav/Photos/pepe.txt' -H 'If: (<opaquelocktoken:926a0267-379e-4e7b-807a-e9f8bc0d2b4d>)' -H 'Overwrite:F' -H 'Authorization:Basic YWRtaW46YWRtaW4=' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X COPY 'http://10.40.40.222:9681/remote.php/webdav/pepe.txt'

PUBLIC SHARE A LOCKED FILE ❌

Issue: #33848 (comment)

curl -k -H 'OCS-APIREQUEST:true' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.9.3' -H 'Authorization:Basic YWRtaW46YWRtaW4=' -H 'Content-Type:application/x-www-form-urlencoded' -H 'Content-Length:70' -H 'Host:10.40.40.222:9681' -H 'Connection:Keep-Alive' -X POST 'http://10.40.40.222:9681/ocs/v2.php/apps/files_sharing/api/v1/shares' --data-binary 'path=%2Fpepe.txt&shareType=3&shareWith=&name=pepe.txt%20link&permissions=1'

<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message/>
 </meta>
 <data>
  <id>1</id>
  <share_type>3</share_type>
  <uid_owner>admin</uid_owner>
  <displayname_owner>admin</displayname_owner>
  <permissions>1</permissions>
  <stime>1547655663</stime>
  <parent/>
  <expiration/>
  <token>bVrR6gKEbA07lMX</token>
  <uid_file_owner>admin</uid_file_owner>
  <displayname_file_owner>admin</displayname_file_owner>
  <path>/pepe.txt</path>
  <item_type>file</item_type>
  <mimetype>text/plain</mimetype>
  <storage_id>home::admin</storage_id>
  <storage>1</storage>
  <item_source>17</item_source>
  <file_source>17</file_source>
  <file_parent>9</file_parent>
  <file_target>/pepe.txt</file_target>
  <share_with/>
  <share_with_displayname/>
  <name>pepe.txt link</name>
  <url>http://10.40.40.222:9681/s/bVrR6gKEbA07lMX</url>
  <mail_send>0</mail_send>
 </data>
</ocs>

SHARE A LOCKED FILE WITH A USER ✅

curl -u user1:a -X LOCK http://10.40.40.222:9681/remote.php/webdav/lanza.txt -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>"
<?xml version="1.0"?>

d:prop xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns">
 <d:lockdiscovery>
  <d:activelock>
   <d:lockscope>
    <d:exclusive/>
   </d:lockscope>
   <d:locktype>
    <d:write/>
   </d:locktype>
   <d:lockroot>
    <d:href>lanza.txt</d:href>
   </d:lockroot>
   <d:depth>infinity</d:depth>
   <d:timeout>Second-</d:timeout>
   <d:locktoken>
    <d:href>opaquelocktoken:34532c07-7d5e-4991-bbc2-74d5873f0f29</d:href>
   </d:locktoken>
   <d:owner/>
  </d:activelock>
 </d:lockdiscovery>
</d:prop>

curl -H 'OCS-APIREQUEST:true' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.9.3' -H 'http.protocol.single-cookie-header:true' -H 'Authorization:Basic dXNlcjE6YQ==' -H 'X-Request-ID:bc42ae53-4fef-4020-b065-c3fafa40e4f8' -H 'Content-Type:application/x-www-form-urlencoded' -H 'Content-Length:60' -H 'Host:10.40.40.222:9681' -H 'Connection:Keep-Alive'  -X POST 'http://10.40.40.222:9681/ocs/v2.php/apps/files_sharing/api/v1/shares' --data-binary 'path=%2Flanza.txt&shareType=0&shareWith=admin&permissions=19'

<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message/>
 </meta>
 <data>
  <id>7</id>
  <share_type>0</share_type>
  <uid_owner>user1</uid_owner>
  <displayname_owner>user1</displayname_owner>
  <permissions>19</permissions>
  <stime>1547806272</stime>
  <parent/>
  <expiration/>
  <token/>
  <uid_file_owner>user1</uid_file_owner>
  <displayname_file_owner>user1</displayname_file_owner>
  <path>/lanza.txt</path>
  <item_type>file</item_type>
  <mimetype>text/plain</mimetype>
  <storage_id>home::user1</storage_id>
  <storage>3</storage>
  <item_source>109</item_source>
  <file_source>109</file_source>
  <file_parent>42</file_parent>
  <file_target>/lanza.txt</file_target>
  <share_with>admin</share_with>
  <share_with_displayname>admin</share_with_displayname>
  <share_with_additional_info/>
  <mail_send>0</mail_send>
 </data>
</ocs>

TRY TO DELETE A LOCKED FILE SHARED FROM A USER ✅

curl -u admin:admin  -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X DELETE  'http://10.40.40.222:9681/remote.php/webdav/lanza.txt'

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Locked</s:exception>
  <s:message/>
  <d:lock-token-submitted>
    <d:href>/lanza.txt/</d:href>
  </d:lock-token-submitted>
</d:error>

{"reqId":"FOKvGbURUwKa5iYM5thJ","level":4,"time":"2019-01-18T11:26:10+00:00","remoteAddr":"172.20.0.1","user":"admin","app":"webdav","method":"DELETE","url":"\/remote.php\/webdav\/lanza.txt","message":"Exception: HTTP\/1.1 423 Locked: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\Locked\",\"Message\":\"\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Locks\\\\Plugin->validateTokens(Object(Sabre\\\\HTTP\\\\Request), Array)\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1457): Sabre\\\\Event\\\\EventEmitter->emit('validateTokens', Array)\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(474): Sabre\\\\DAV\\\\Server->checkPreconditions(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(64): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/ownclo...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Locks\\\/Plugin.php\",\"Line\":539}"}

[davitol]

More scenarios to be tested:

• lock webdav root of user
• propfind lock info on public webdav endpoint while any of the parents from the link share is locked Parent share link path leaked through lock info #34225 Parent share link path leaked through lock info #34225
• Test locking for Windows

1. • Connect your ownCloud with Windows via webUI. (documentation here: https://doc.owncloud.org/server/10.0/user_manual/files/access_webdav.html#accessing-files-using-microsoft-windows)
2. • Via webUI , create a file ```pepe.txt``
3. • Lock the file

curl -u admin:admin -X LOCK https://staging/owncloud/remote.php/webdav/pepe.txt -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>"

✅ 4.1. - Try to edit it in windows.

{"reqId":"IH6Mr2QofpsxaAfQ2JJD","level":4,"time":"2019-01-23T09:54:35+00:00","remoteAddr":"176.31.107.195","user":"admin","app":"webdav","method":"LOCK","url":"\/owncloud\/remote.php\/dav\/files\/admin\/pepe.txt","message":"Exception: HTTP\/1.1 423 Locked: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\ConflictingLock\",\"Message\":\"\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Locks\\\\Plugin->httpLock(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#1 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(479): Sabre\\\\Event\\\\EventEmitter->emit('method:LOCK', Array)\\n#3 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/html\\\/owncloud\\\/apps\\\/dav\\\/lib\\\/Server.php(288): Sabre\\\\DAV\\\\Server->exec()\\n#5 \\\/var\\\/www\\\/html\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(31): OCA\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/html\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/html\\\/o...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Locks\\\/Plugin.php\",\"Line\":184}"

✅ 4.2. Try to rename it

{"reqId":"nE8jpSyB1gMHPniX9SXA","level":4,"time":"2019-01-23T10:04:24+00:00","remoteAddr":"176.31.107.195","user":"admin","app":"webdav","method":"MOVE","url":"\/owncloud\/remote.php\/dav\/files\/admin\/pepe.txt","message":"Exception: HTTP\/1.1 423 Locked: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\Locked\",\"Message\":\"\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Locks\\\\Plugin->validateTokens(Object(Sabre\\\\HTTP\\\\Request), Array)\\n#1 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1457): Sabre\\\\Event\\\\EventEmitter->emit('validateTokens', Array)\\n#3 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(474): Sabre\\\\DAV\\\\Server->checkPreconditions(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/html\\\/owncloud\\\/apps\\\/dav\\\/lib\\\/Server.php(288): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/html\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(31): OCA\\\\DAV\\\\Server->exec()\\n#7 \\\/var\\\/www\\\/html\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/html\\\/o...')\\n#8 {main}\",\"File\":\"\\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Locks\\\/Plugin.php\",\"Line\":539}"}

✅ 4.3. Try to move it

{"reqId":"e8anc4QIstB3FYu5UdRO","level":4,"time":"2019-01-23T10:05:40+00:00","remoteAddr":"176.31.107.195","user":"admin","app":"webdav","method":"MOVE","url":"\/owncloud\/remote.php\/dav\/files\/admin\/pepe.txt","message":"Exception: HTTP\/1.1 423 Locked: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\Locked\",\"Message\":\"\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Locks\\\\Plugin->validateTokens(Object(Sabre\\\\HTTP\\\\Request), Array)\\n#1 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1457): Sabre\\\\Event\\\\EventEmitter->emit('validateTokens', Array)\\n#3 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(474): Sabre\\\\DAV\\\\Server->checkPreconditions(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/html\\\/owncloud\\\/apps\\\/dav\\\/lib\\\/Server.php(288): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/html\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(31): OCA\\\\DAV\\\\Server->exec()\\n#7 \\\/var\\\/www\\\/html\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/html\\\/o...')\\n#8 {main}\",\"File\":\"\\\/var\\\/www\\\/html\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Locks\\\/Plugin.php\",\"Line\":539}"}

❌ 4.4. Try to delete it.

Fake deletion happens.

1. Via webUI create a file.txt
2. Lock the file

curl -u admin:admin -X LOCK https://staging.owncloud.works/owncloud/remote.php/webdav/file.txt -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>"

3. Go to the folder in windows and delete the file (file is 'fake deleted' visually)
4. Refresh windows folder and the file is shown again

So issue not related directly to OC but it's the client

✅ 4.5. Lock a Folder and try to add a file inside.

[davitol]

Tests Lock with Public Link

• TEST: set lock on "/public", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/"
• TEST: set lock on "/public/share", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/"
• TEST: set lock on "/public/share/sub", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/sub"
• TEST: set lock on "/public", set another lock on "public.php/webdav/sub" returns empty lock root ""
• TEST: set lock on "/public/share/sub", set another lock on "public.php/webdav/sub" returns lock root "/sub"

[davitol]

Test unlock with Public Link

• Unlock as owner using the lock token
• ❌ Try to unlock as public user using the lock token and check it is possible.

curl -u mdII53qy8WzHVIJ: -X UNLOCK -H 'Lock-Token: <opaquelocktoken:503e8acf-2d60-44c1-8463-c1ec9427f345>' http://10.40.40.222:9681/public.php/webdav/ -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo>"
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\LockTokenMatchesRequestUri</s:exception>
  <s:message>The locktoken supplied does not match any locks on this entity</s:message>
  <d:lock-token-matches-request-uri/>

• ❌ public cannot upload files in locks set by the public: public cannot upload files in locks set by the public #34304

curl -v -u 5M5N2dEXhsgDuNW: -H 'Lock-Token: <opaquelocktoken:57b7661b-5635-4b1e-a1ee-f56bd9e89e2e>' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X PUT 'http://10.40.40.222:9681/public.php/webdav/simio.txt'

[davitol]

Test unlock a file with Share with user ✅

• Unlock as owner using the lock token

curl -u admin:admin -X UNLOCK -H 'Lock-Token: <opaquelocktoken:834dc60b-db94-4a55-8af1-0193ab9368eb>' http://10.40.40.222:9681/remote.php/dav/files/admin/simio.txt -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo>"

• Try to unlock as recipient and check it is not possible.

Test steps:

1. admin user shares a file with user1
2. admin user locks the file.
3. try to unlock the file with the lock token using user1.

curl -u user1:a -X UNLOCK -H 'Lock-Token: <opaquelocktoken:834dc60b-db94-4a55-8af1-0193ab9368eb>' http://10.40.40.222:9681/remote.php/dav/files/admin/simio.txt -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo>"
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\LockTokenMatchesRequestUri</s:exception>
  <s:message>The locktoken supplied does not match any locks on this entity</s:message>
  <d:lock-token-matches-request-uri/>
</d:error>

• Try to unlock as public user using the lock token and check it is not possible.

[davitol]

Test unlock a folder/subfolder with Share with user ✅

[davitol]

Test WOPI + Office online

• Try to edit a locked file

Note: It was tested using oC "10.1.0 prealpha"

[davitol]

Test querying lock info on public links, always return a path relative

With "/public/share" being the link share:

• TEST: set lock on "/public", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/"
• TEST: set lock on "/public/share", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/"
• TEST: set lock on "/public/share/sub", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/sub"
• TEST: set lock on "/public", set another lock on "public.php/webdav/sub" returns empty lock root ""
• TEST: set lock on "/public/share/sub", set another lock on "public.php/webdav/sub" returns lock root "/sub"

[davitol]

Test Lock/Unlocking files with guest users

• Lock a file using a guest user

curl -u dtoledo@mail.es:a -X LOCK http://10.40.40.222:9681/remote.php/webdav/buildFromBranch.sh -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>"
<?xml version="1.0"?>
<d:prop xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns">
 <d:lockdiscovery>
  <d:activelock>
   <d:lockscope>
    <d:exclusive/>
   </d:lockscope>
   <d:locktype>
    <d:write/>
   </d:locktype>
   <d:lockroot>
    <d:href>buildFromBranch.sh</d:href>
   </d:lockroot>
   <d:depth>infinity</d:depth>
   <d:timeout>Second-1800</d:timeout>
   <d:locktoken>
    <d:href>opaquelocktoken:e2b7616a-ad44-423b-ab4c-c615657dc5bd</d:href>
   </d:locktoken>
   <d:owner/>
  </d:activelock>
 </d:lockdiscovery>
</d:prop>

• Unlock a file using a guest user

curl -u dtoledo@mail.es:a -X UNLOCK -H 'Lock-Token: opaquelocktoken:e2b7616a-ad44-423b-ab4c-c615657dc5bd' http://10.40.40.222:9681/remote.php/webdav/buildFromBranch.sh -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:shared/></d:lockscope></d:lockinfo>"

• Renaming a file shared with a Guest User:

Testing steps

1 - User A shares a file with guest user creating it
2 - Guest user renames the file
3 - User A locks the file

Chech the file is locked too for guest user. (webUI with a lock icon and cannot edit/rename the file)

[davitol]

Locking with Federated Shares

• Scenario 1: Lock the file in the sharer

Current behavior:

Lock works fine but the lock icon is missed in the server B

• ❌ Scenario 2: Lock the file in the receiver

#34222

[davitol]

Test Locks in External Storage WND

• Lock / Unlock a file
• Move a locked file into a folder using the token.

curl -k -H 'If: (<opaquelocktoken:cd9598b0-7619-46b2-a839-a1366b580269>)' -H 'Destination:http://10.40.40.222:9681/remote.php/webdav/WindowsNetworkDrive/User/Videos/Nuevos.txt' -H 'Overwrite:F' -H 'Authorization:Basic YWRtaW46YWRtaW4=' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X MOVE 'http://10.40.40.222:9681/remote.php/webdav/WindowsNetworkDrive/User/Nuevos.txt'

• Move a file into a locked folder using the token.

curl -k -H 'If: (<opaquelocktoken:b3b94462-8f1e-4143-bbc6-c500156e5cca>)' -H 'Destination:http://10.40.40.222:9681/remote.php/webdav/WindowsNetworkDrive/User/Videos/asf.txt' -H 'Overwrite:F' -H 'Authorization:Basic YWRtaW46YWRtaW4=' -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.7.0' -H 'Host:10.40.40.222:9681' -X MOVE 'http://10.40.40.222:9681/remote.php/webdav/WindowsNetworkDrive/User/asf.txt'

• ❓ Move a locked file into a folder using the token created by other user:
  Note: Should we allow this? Current behavior is yes.
  Similar behaviour than in shares: share receiver can rename a file in a locked folder by using the lock token of the owner #34338

• Copy a file into a locked folder using the token.

• A COPY method invocation MUST NOT duplicate any write locks active on
  the source.

• If the COPY copies the resource into a collection that is locked with a depth-infinity lock, then the resource will be added to the lock.

• ❌ Refreshing Write Locks: a client may submit a LOCK request with an If header but
  without a body for refreshing the LOCK related issue: Refresh lock tocken does not modify Timeout value when no timeout value is passed or no body given #34374

[davitol]

Pending issues will be fixed in the following versions after ownCloud 10.1.

[individual-it]

tests with multiple clients davfs2, LibreOffice, GnomeFiles

davfs locks files, but only before PUT
LibreOffice locks files for the time when it has the file open and refreshes the lock (180s)
GnomeFiles does not know about locks

1. create 3 users
2. mount user1 with davfs2 sudo mount -t davfs http://localhost/owncloud-10.1.0/owncloud/remote.php/dav/files/user1/ /mnt/ -o rw,uid=artur
3. mount user2 with GnomeFiles/Nautilus: Other Locations -> Connect to Server dav://localhost/owncloud-10.1.0/owncloud/remote.php/dav/files/user2
4. setup LibreOffice to access files of user3 by Open Remote function

• open a file with davfs, change and save it - changing and saving should work
• open a file with GnomeFiles, change and save it - changing and saving should work
• open a file with LibreOffice, change and save it, in WebUI check if file is marked as locked - changing and saving should work
• share a folder from user1 to user2 and same from user2 to user3 - folder and content should be visible by all clients
• create a textfile by davfs, open and edit it with LibreOffice (Remote Open) close LibreOffice, edit the same file with GnomeFiles - edit is possible, changes propagate
• open a file with LibreOffice (Remote Open) leave it open and try to edit it with GnomeFiles and davfs - changing the file should not be possible
• open a file with LibreOffice (Remote Open) leave it open and try to delete/move it with GnomeFiles and davfs - deleting/moving the file should not be possible
• place a file in a subfolder of the share. open that file with LibreOffice (Remote Open) leave it open and try to delete/move the parent folder with GnomeFiles and davfs - deleting the folder should not be possible
• open the same file twice using LibreOffice first with Remote Open and second through davfs - second opening should show that the file is locked and open only read-only

[PVince81]

should we close or are there pending tasks we want to continue tracking for future scheduling ?

[davitol]

Let's close the ticket. issues found now has its own tickets