User can move a file from a shared folder with role editor to shared folder with role viewer in Shares Jail #4192

Closed
SagarGi opened this issue Jul 13, 2022 · 1 comment
Labels: Priority:p2-high (Escalation, on top of current planning, release blocker), Type:Bug

SagarGi commented Jul 13, 2022

Description

While moving a file from one share folder where the permission is editor to another share folder where the permission is set to viewer, a user should be forbidden to move or create any file in the share folder where the permission is viewer.

Steps to Reproduce

  1. Create a user einstein
  2. Create a user marie
  3. marie creates folder tshare1
  4. marie uploads a file tshare1/hello.txt
  5. marie creates another folder tshare2
  6. marie shares tshare1 to einstein with permission editor
  7. marie shares tshare2 to einstein with permission viewer
  8. einstein accepts both shares
  9. einstein moves the tshare1/hello.txt to tshare2/hello.txt in Shares Jail

Curl command to MOVE files/folder

curl -ks -ueinstein:relativity -X MOVE -H "DESTINATION:https://localhost:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668\$a0ca6a90-a365-4782-871e-d44447bbc668/tshare2/hello.txt" https://localhost:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668\$a0ca6a90-a365-4782-871e-d44447bbc668/tshare1/hello.txt -v | xmllint --format -

Response from the command:

*   Trying 127.0.0.1:9200...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [835 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=Acme Corp; CN=OCIS
*  start date: Jul 13 09:56:21 2022 GMT
*  expire date: Jul 13 09:56:21 2023 GMT
*  issuer: O=Acme Corp; CN=OCIS
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'einstein'
} [5 bytes data]
> MOVE /dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668/tshare1/hello.txt HTTP/1.1
> Host: localhost:9200
> Authorization: Basic ZWluc3RlaW46cmVsYXRpdml0eQ==
> User-Agent: curl/7.68.0
> Accept: */*
> DESTINATION:https://localhost:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668/tshare2/hello.txt
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [130 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Access-Control-Allow-Origin: *
< Content-Length: 0
< Content-Security-Policy: default-src 'none';
< Content-Type: text/plain
< Date: Wed, 13 Jul 2022 10:29:33 GMT
< Etag: "121d4546c76b36d1aee7ededb4279192"
< Oc-Etag: "121d4546c76b36d1aee7ededb4279192"
< Oc-Fileid: 1284d238-aa92-42ce-bdc4-0b0000009157$f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c!d5a01ac9-89b7-4ea0-b015-7852af2ae44c
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< 
* Connection #0 to host localhost left intact
-:1: parser error : Document is empty

Environment

OCIS = latest docker pull

micbar added the Priority:p2-high (Escalation, on top of current planning, release blocker) label Jul 13, 2022
micbar added this to the 2.0.0 General Availability milestone Jul 13, 2022
aduffeck self-assigned this Jul 14, 2022
aduffeck added a commit to aduffeck/reva that referenced this issue Jul 14, 2022
aduffeck (Contributor) commented

This has been fixed in ocis master with #4207
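The authorization rule this report expects, as an added Go example (not code from oCIS, reva or #4207): a MOVE is allowed only when the caller has editor rights in both the source share and the share named by the Destination header. `Role`, `grants`, `shareOf` and `moveStatus` are hypothetical names, and the two-role model is a simplifying assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Role is a simplified share role (assumption: real roles are finer-grained).
type Role int

const (
	None Role = iota
	Viewer
	Editor
)

// grants is constructed sample data mirroring einstein's shares in the report.
var grants = map[string]Role{"tshare1": Editor, "tshare2": Viewer}

// shareOf returns the share folder addressed by /dav/spaces/<id>/<share>/...
// The path is cleaned first so "tshare1/../tshare2" resolves to tshare2.
func shareOf(p string) string {
	segs := strings.Split(strings.Trim(path.Clean("/"+p), "/"), "/")
	if len(segs) < 4 || segs[0] != "dav" || segs[1] != "spaces" {
		return "" // unknown location: no grant, so the move is denied
	}
	return segs[3]
}

// moveStatus returns the HTTP status for a MOVE. Removing the source entry
// and creating the destination entry each need Editor in their own share.
func moveStatus(srcPath, destinationHeader string) int {
	dst, err := url.Parse(destinationHeader)
	if err != nil || dst.Path == "" {
		return http.StatusBadRequest
	}
	for _, p := range []string{srcPath, dst.Path} {
		if grants[shareOf(p)] < Editor {
			return http.StatusForbidden
		}
	}
	return http.StatusCreated
}

func main() {
	id := "/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668"
	fmt.Println(moveStatus(id+"/tshare1/hello.txt", "https://localhost:9200"+id+"/tshare2/hello.txt")) // 403
}
```
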
