Public link enforce permissions #1269

Closed
3 tasks
PVince81 opened this issue Jun 18, 2020 · 9 comments
Labels
Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced Type:Technical-Debt

Comments

@PVince81
Contributor

Make sure permissions are enforced and return 403 instead of 500.
In the case of upload-only links, any WebDAV operation would usually return 404 (needs to be verified with the API tests).

Supersedes owncloud/ocis-reva#285 and owncloud/ocis-reva#291

@PVince81
Contributor Author

PVince81 commented Jun 18, 2020

  • creating a public link for a file with all permissions should automatically reduce them to 1 (not sure if a good idea but the tests expect it and it mimics the old API)

@refs refs self-assigned this Jul 1, 2020
@PVince81
Contributor Author

PVince81 commented Jul 2, 2020

  • tech debt related to permissions:
    • user share perm mappings are not 100% the same as with public link shares in OC 10, need a good way
    • somehow consolidate the roles and mapping functions, or at least the code styles

@PVince81
Contributor Author

PVince81 commented Jul 6, 2020

Possible approaches:

  1. Implement simple if statements in ocdav to check permissions
    or
  2. Implement simple if statements in storage layer
    or
  3. Map somehow to ACLs

also to consider: integration with roles concept.

Need to discuss what approach to take: @butonic @refs

@butonic
Member

butonic commented Jul 6, 2020

the publicshareprovider fetches the issuer of the public share via the token. It uses that user to mint a token that is then used to authenticate requests to the actual storage. That logic needs to be double checked that

  • permissions cannot be elevated and that
  • error codes and messages bubble up correctly and make sense to end users

@PVince81
Contributor Author

PVince81 commented Jul 6, 2020

but: the user who issued the public share usually has maximum permissions, so there needs to be a mechanism to reduce the permissions to whatever the public link has been set to.
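
Added example, not part of the thread and not reva or ocdav code: one way to express the "simple if statements" approach together with the reduction step discussed above, by intersecting the issuer's permissions with the link's before deciding on a status code. The names `Perm`, `Effective`, `Authorize` and the `required` method table are hypothetical; the bit values are the OC 10 OCS share permission values, where read is the "1" mentioned earlier in the issue.

```go
package main

import (
	"fmt"
	"net/http"
)

// Perm uses the OC 10 OCS share permission bits (read = 1).
type Perm uint8

const (
	Read Perm = 1 << iota
	Update
	Create
	Delete
	Share
)

// required is a hypothetical, simplified method table: PUT always maps to
// Create here, while overwriting an existing file would need Update.
var required = map[string]Perm{
	"GET": Read, "HEAD": Read, "PROPFIND": Read,
	"PUT": Create, "MKCOL": Create, "DELETE": Delete,
}

// Effective caps the issuer's permissions with those set on the link.
func Effective(issuer, link Perm) Perm { return issuer & link }

// Authorize returns the HTTP status a public link request should get.
func Authorize(method string, issuer, link Perm) int {
	need, known := required[method]
	if !known {
		return http.StatusMethodNotAllowed
	}
	eff := Effective(issuer, link)
	switch {
	case eff&need != 0:
		return http.StatusOK // allowed: hand over to the storage layer
	case eff&Read == 0:
		return http.StatusNotFound // upload-only link: 404 as the issue expects
	default:
		return http.StatusForbidden // denied: 403, never 500
	}
}

func main() {
	all := Read | Update | Create | Delete | Share
	fmt.Println(Authorize("PUT", all, Read), Authorize("GET", all, Create)) // 403 404
}
```

Because the decision is made on the intersection, an issuer with full permissions cannot lend more than the link grants, and a link cannot grant more than the issuer holds.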

@refs
Member

refs commented Jul 7, 2020

Outcome of the roles and permissions meeting (broader topic) where we briefly discussed public links roles:

Public share permissions and roles and permissions will be 2 different developments; PS roles don't depend on the settings service just yet, so we can work on enforcing them on the publicsharesprovider; when roles and permissions is done, we can adjust the code to use the roles and permissions from the actual service.

@butonic butonic transferred this issue from owncloud/ocis-reva Jan 18, 2021
@refs refs added Category:Feature-Parity Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced Type:Technical-Debt labels Jan 18, 2021
@refs
Member

refs commented Jan 18, 2021

this is a big technical debt currently present in the codebase.

@butonic
Member

butonic commented Mar 5, 2024

this is covered by sharing NG

@butonic butonic closed this as completed Mar 5, 2024