Groupfolders for which a user has no reading-rights (Advanced Permissions) can still be copied and read out! #1692
Comments
|
cc @nextcloud/security |
fschrempf
added
0. Needs triage
|
@Dejagenkidama Can you please provide information about your NC version and Groupfolders app version? |
|
Hello, I have the same issue with Nextcloud version 20.0.13 and GroupFolders version 8.2.3. In each case downloading the folder with the ACLs works correctly, leaving out sub-folders that do not have read permission. Copying a sub-folder with further permissions nested inside also has the same issue of ignoring ACLs. |
|
I could reproduce on master |
CarlSchwan
added
1. to develop
|
I was hoping that this would be an easy fix by just extending the groupfolder ACLStorageWrapper::copy/copyFromStorafe but unfortunately, this is only used when copying stuff inside a group folder and not the other way around :/ |
Using advanced ACL, it is possible that an user has access to a directory but not to a subdirectory, so the copying use Common::copyFromStorage instead of Local::copyFromStorage. Fix nextcloud/groupfolders#1692 Signed-off-by: Carl Schwan <[email protected]>
|
Hi, I just created nextcloud/server#29362, it would be nice if someone here could also test it and see if this correctly fix the problem and doesn't create new ones :) |
CarlSchwan
added
3. to review
Using advanced ACL, it is possible that an user has access to a directory but not to a subdirectory, so the copying use Common::copyFromStorage instead of Local::copyFromStorage. Fix nextcloud/groupfolders#1692 Signed-off-by: Carl Schwan <[email protected]>
Using advanced ACL, it is possible that an user has access to a directory but not to a subdirectory, so the copying use Common::copyFromStorage instead of Local::copyFromStorage. Fix nextcloud/groupfolders#1692 Signed-off-by: Carl Schwan <[email protected]>
Using advanced ACL, it is possible that an user has access to a directory but not to a subdirectory, so the copying use Common::copyFromStorage instead of Local::copyFromStorage. Fix nextcloud/groupfolders#1692 Signed-off-by: Carl Schwan <[email protected]>
Using advanced ACL, it is possible that an user has access to a directory but not to a subdirectory, so the copying use Common::copyFromStorage instead of Local::copyFromStorage. Fix nextcloud/groupfolders#1692 Signed-off-by: Carl Schwan <[email protected]>
Using advanced ACL, it is possible that an user has access to a directory but not to a subdirectory, so the copying use Common::copyFromStorage instead of Local::copyFromStorage. Fix nextcloud/groupfolders#1692 Signed-off-by: Carl Schwan <[email protected]>
Example:
Employee list / NC users:
MA1 site manager
MA2 accountant
MA3 project employee Lisa
MA4 project employee Hans
NC folder structure (group folder):
Group folder company location Berlin
...├── Administration
..........├── accounting
...├── projects
..........├── Project A
..........├── Project B
The following should be set via “Advanced Permissions”:
Write and read rights to all folders should have: MA1 site manager
Write and read rights to accounting folders should have: only MA2 accountant
Write and read rights to project folder A should have: only MA3 project employee Lisa
Write and read rights to project folder B should have: only MA4 project employee Hans
All of this is easy to set using the “Advanced Permissions” in the “Groupfolder”.
However…
For the root folder “Group folder company location Berlin”, all NC-users must have at least reading rights, otherwise you won’t see a folder at all…
“MA4 Projektmitarbeiter Hans” does not initially see the “Administration-Accounting” folder.
However, if he copies the complete root directory “Group folder company location Berlin” and inserts it into another of his own folders, all directories and their contents are visible to him.
Can this copying of the “invisible” folder or in general be prevented somehow?
How would you solve this problem?
Thank’s for the Tipps. Matthias
The text was updated successfully, but these errors were encountered: