even locking is forbidden on public webdav supportedlock property is still returned

[individual-it]

Steps to reproduce

1. share a folder publicly with read/write access
2. access a file that public share with LibreOffice "Open Remote" function

Expected behaviour

LibreOffice should open the file and should be able to save it back

Actual behaviour

LibreOffice shows an error message

and only opens the file read-only

Also new files cannot be saved by LibreOffice

The reason is that LibreOffice thinks that Locking is possible but LOCK requests get a 403 response
LibreOffice assumes that locks are possible because it made a supportedlock discovery and got a positive response:

PROPFIND /owncloud-10.1.0/owncloud/public.php/webdav/Documents2/Example.odt HTTP/1.1
<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<resourcetype xmlns="DAV:"/>
<IsReadOnly xmlns="http://ucb.openoffice.org/dav/props/"/>
<getcontenttype xmlns="DAV:"/>
<supportedlock xmlns="DAV:"/>
</prop></propfind>


<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns"><d:response><d:href>/owncloud-10.1.0/owncloud/public.php/webdav/Documents2/Example.odt</d:href><d:propstat><d:prop><d:resourcetype/><d:getcontenttype>application/vnd.oasis.opendocument.text</d:getcontenttype><d:supportedlock><d:lockentry><d:lockscope><d:exclusive/></d:lockscope><d:locktype><d:write/></d:locktype></d:lockentry><d:lockentry><d:lockscope><d:shared/></d:lockscope><d:locktype><d:write/></d:locktype></d:lockentry></d:supportedlock></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><x1:IsReadOnly xmlns:x1="http://ucb.openoffice.org/dav/props/"/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response></d:multistatus>

https://tools.ietf.org/html/rfc4918#section-6.7

Since server lock support is optional, a client trying to lock a
resource on a server can either try the lock and hope for the best,
or perform some form of discovery to determine what lock capabilities
the server supports. This is known as lock capability discovery. A
client can determine what lock types the server supports by
retrieving the DAV:supportedlock property.
Any DAV-compliant resource that supports the LOCK method MUST support
the DAV:supportedlock property.

[ownclouders]

GitMate.io thinks the contributors most likely able to help are @ownclouders, and @PVince81.

Possibly related issues are #34268 (Hide lock token in public webdav responses), #34270 ([stable10] Hide lock token in public webdav responses), #13828 (webDav locking is not working), #33951 ([stable10] Webdav locking frontend), and #32250 (Feature/webdav locking frontend).

[PVince81]

Considering that using public webdav endpoint with a third party client is a rare use case, let's move to backlog to fix separately.

The fix should be to remove "supportedlock" from the response. Not sure how easy it is because Sabre seems to assume that locking is fully supported as soon as the Sabre LockPlugin is there. Might need a custom LockPlugin then.