sending MKCOL requests to another or non-existing user's webDav endpoints as normal user should return 404

[phil-davis]

Steps to reproduce

Steps to reproduce the behavior:

1. As user admin send MKCOL request to another user's endpoint
   curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/anu/Test | xmllint --format -

2. As user admin send MKCOL request to non-existing user's endpoint
   curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/nonexistent/Test | xmllint --format -

Expected behavior

the status code should be 404. Visit this lInk owncloud/ocis#3872 (comment) for more info

Actual behavior

• Returns status 403 for existing user
• Return status 409 non-existent user

`curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/anu/Test | xmllint --format -`

curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/anu/Test | xmllint --format -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'admin'
> MKCOL /core/remote.php/dav/files/anu/Test HTTP/1.1
> Host: localhost
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Tue, 08 Nov 2022 06:16:12 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: ocdyemofowli=82k2al7rk5s86at5o9nod3sbbu; path=/core; HttpOnly; SameSite=Strict
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=9lMPlShWSOuv4sKHdcInmdm5FzRFq5oh1gVJcRtBAptqJplo%2FxImrE%2FGkaVc%2BaB6vnlNhFwDv91RbccXmaRrVkPkOfdgljZVUPH06qSkKRZv2%2FYcCS77d%2B9S%2B4PZbu4F; expires=Tue, 08-Nov-2022 06:36:12 GMT; Max-Age=1200; path=/core; HttpOnly; SameSite=Strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: ocdyemofowli=11n0q0rpkccdc4nua5iveoje72; path=/core; HttpOnly; SameSite=Strict
< Set-Cookie: cookie_test=test; expires=Tue, 08-Nov-2022 07:16:12 GMT; Max-Age=3600
< Content-Length: 230
< Content-Type: application/xml; charset=utf-8
< 
{ [230 bytes data]
100   230  100   230    0     0   2254      0 --:--:-- --:--:-- --:--:--  2254
* Connection #0 to host localhost left intact
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Forbidden</s:exception>
  <s:message>Permission denied to create directory</s:message>
</d:error>

The response should be the same for both cases - if the user exists, and if the user does not exist. A mix of 403 and 409 are returned. The suggestion is that 404 should be returned in all cases, which is what ocis is implementing.

[phil-davis]

See https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiAuthWebDav/webDavMCKOLAuthOC10Issue40485.feature for the scenarios that demonstrate the current behavior.

See PR #40495 which adjusted the test scenarios. And previous issue #40485

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

[phil-davis]

Still relevant. I added the "bug" labrl so that the bot will not touch this.