Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ShareesAPIController should respect groups disallowed from sharing #25744

Closed
wants to merge 7 commits into from
Closed

ShareesAPIController should respect groups disallowed from sharing #25744

wants to merge 7 commits into from

Conversation

Tetrachloromethane250
Copy link

@Tetrachloromethane250 Tetrachloromethane250 commented Feb 22, 2021
edited by skjnldsv
Loading

ShareesAPIController should return an empty list if the person asking for who they're allowed to share with is only in groups that are excluded from sharing.

fix #20950

@Tetrachloromethane250 Tetrachloromethane250 mentioned this pull request Feb 22, 2021
Closed
@Tetrachloromethane250 Tetrachloromethane250 marked this pull request as draft February 22, 2021 12:54
@Tetrachloromethane250 Tetrachloromethane250 force-pushed the fix/20950/Transfer-Ownership-Ignores-Sharing-Restrictions branch from c444bc6 to ce0aa8e Compare February 22, 2021 13:24
@Tetrachloromethane250 Tetrachloromethane250 marked this pull request as ready for review February 22, 2021 13:29
@Tetrachloromethane250
Copy link
Author

@ChristophWurst It's a rather old issue so I don't want to mention everyone from the issue, but the homepage says to mention someone (apologies if I'm interpreting that wrong). Just wondering if it would be possible to check that this is actually a suitable fix before I go and fix the unit tests (I put my reasoning in the issue conversation)

@Tetrachloroethene
Match create parameters
56cc408 
Signed-off-by: Daniel Bishop <[email protected]>
@Tetrachloromethane250 Tetrachloromethane250 force-pushed the fix/20950/Transfer-Ownership-Ignores-Sharing-Restrictions branch from 59bb2f6 to 56cc408 Compare February 22, 2021 14:56
@kesselb
Copy link
Contributor

kesselb commented Feb 25, 2021

Thanks @Tetrachloromethane250 for your time and sending patch 👍

It looks to me that #25391 addresses a similar case?

Tetrachloromethane250 and others added 2 commits March 1, 2021 10:26
@Tetrachloromethane250 @kesselb @Tetrachloroethene
Apply suggestions from code review
d8396ef 
Signed-off-by: Daniel Bishop <[email protected]>

Co-authored-by: kesselb <[email protected]>
@Tetrachloromethane250 @kesselb @Tetrachloroethene
Add last change from review
e40590c 
Signed-off-by: Daniel Bishop <[email protected]>

Co-authored-by: kesselb <[email protected]>
@Tetrachloromethane250 Tetrachloromethane250 force-pushed the fix/20950/Transfer-Ownership-Ignores-Sharing-Restrictions branch from da0ddc7 to e40590c Compare March 1, 2021 10:28
@Tetrachloromethane250
Copy link
Author

I think #25391 is fixing a very different but similarly worded issue - from what I can tell they're changing it so that it listens to the option to allow/disallow the recipient of a share to be a group (so that everyone in the group receives the share). This is making it respect the setting where entire groups can be prevented from initiating a share. Thanks @kesselb for the suggestions - I've committed them. I'll start on rewriting the tests.

@Tetrachloroethene
Fix existing tests
ded214e 
Signed-off-by: Daniel Bishop <[email protected]>
@Tetrachloromethane250 Tetrachloromethane250 force-pushed the fix/20950/Transfer-Ownership-Ignores-Sharing-Restrictions branch from 79d7e9d to ded214e Compare March 1, 2021 17:14
@PVince81 PVince81 mentioned this pull request Mar 11, 2021
Merged
3 tasks
@Tetrachloromethane250
Copy link
Author

Just poking this again so it (hopefully) doesn't completely fall off the radar

@skjnldsv skjnldsv added the 2. developing Work in progress label Feb 21, 2024
@skjnldsv skjnldsv added bug feature: sharing 3. to review Waiting for reviews and removed 2. developing Work in progress labels Feb 27, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 27, 2024
View reviewed changes
apps/files_sharing/lib/Controller/ShareesAPIController.php
// if some groups are excluded, check the user is allowed to share
if ($this->config->getAppValue('core', 'shareapi_exclude_groups', 'no') === 'yes') {
$excludedGroups = (array)json_decode($this->config->getAppValue('core', 'shareapi_exclude_groups_list', ''), true);
$usersGroups = $this->groupManager->getUserGroupIds($this->userManager->get($this->userId));

Check notice

Code scanning / Psalm

PossiblyNullArgument Note

Argument 1 of OCP\IGroupManager::getUserGroupIds cannot be null, possibly null value provided
apps/files_sharing/lib/Controller/ShareesAPIController.php
@@ -152,6 +166,16 @@
*/
public function search(string $search = '', string $itemType = null, int $page = 1, int $perPage = 200, $shareType = null, bool $lookup = false): DataResponse {

// if some groups are excluded, check the user is allowed to share
if ($this->config->getAppValue('core', 'shareapi_exclude_groups', 'no') === 'yes') {

Check notice

Code scanning / Psalm

DeprecatedMethod Note

The method OCP\IConfig::getAppValue has been marked as deprecated
apps/files_sharing/lib/Controller/ShareesAPIController.php
@@ -152,6 +166,16 @@
*/
public function search(string $search = '', string $itemType = null, int $page = 1, int $perPage = 200, $shareType = null, bool $lookup = false): DataResponse {

// if some groups are excluded, check the user is allowed to share
if ($this->config->getAppValue('core', 'shareapi_exclude_groups', 'no') === 'yes') {
$excludedGroups = (array)json_decode($this->config->getAppValue('core', 'shareapi_exclude_groups_list', ''), true);

Check notice

Code scanning / Psalm

DeprecatedMethod Note

The method OCP\IConfig::getAppValue has been marked as deprecated
@skjnldsv skjnldsv requested review from a team, ArtificialOwl and nfebe and removed request for a team February 27, 2024 16:24
@skjnldsv skjnldsv requested review from sorbaugh, artonge and come-nc and removed request for sorbaugh February 27, 2024 16:24
artonge
artonge reviewed Feb 28, 2024
View reviewed changes
apps/files_sharing/lib/Controller/ShareesAPIController.php
Comment on lines +173 to +175
if (array_intersect($usersGroups, $excludedGroups) === $usersGroups) {
return new DataResponse($this->result);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. If $excludedGroups = ['A'] and $usersGroups = ['A'], then this returns early. OK
  2. If $excludedGroups = ['A'] and $usersGroups = ['B'], then this does not return early. OK
  3. If $excludedGroups = ['A'] and $usersGroups = ['A', 'B'], then this does not return early. NOT OK ?
  4. If $excludedGroups = ['A', 'B'] and $usersGroups = ['A'], then this returns early. OK

Am I right that case #3 should return early?

This might be more correct:

Suggested change
if (array_intersect($usersGroups, $excludedGroups) === $usersGroups) {
return new DataResponse($this->result);
}
if (count(array_intersect($usersGroups, $excludedGroups) !== 0) {
return new DataResponse($this->result);
}

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's been a while since I've looked at Nextcloud, so please excuse any terminology mixups.

If I remember correctly my theory was that a user should be blocked from viewing potential Sharees only if all the groups they are a member of are blocked from sharing. (#20950 (comment))

I was looking at it from a scenario where some imaginary Admin user is also a member of a group which is blocked from sharing: should membership of a single excludedGroup prevent a user from getting a list of sharees? At the time Share Manager took the approach that a user should be blocked from sharing only if they were only a member of excluded groups so I followed that precedent (appears to still be the decision made in https://github.com/nextcloud/server/blob/master/lib/private/Share20/ShareDisableChecker.php#L52)

Either way, that's probably a higher level design decision that I'll leave to someone else.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes sharing is only disabled if the user is only in groups disabled for sharing.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it can be simplified to just:

if ($this->shareManager->sharingDisabledForUser($this->userId)) {
	return new DataResponse($this->result);
}

@artonge
Copy link
Contributor

artonge commented Feb 28, 2024

@Tetrachloroethene, sorry for the huge delay here. If you are still motivated to push this forward, then feel free to rebase and address my comment. :)
I think it makes sense anyway.

@Tetrachloromethane250
Copy link
Author

@artonge Unfortunately I probably don't have the time to push this forward any more - very happy for anyone else to take over / fix in a different way though.

I've replied to the suggestions with what I can remember of my reasoning, and most of my thought process at the time is in a comment on the linked issue.

Sorry!

come-nc
come-nc reviewed Feb 29, 2024
View reviewed changes
Copy link
Contributor

@come-nc come-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logic looks sane to me, did not test though.
There is a psalm warning about sending the ?IUser to the groupmanager without checking for null first.

@skjnldsv skjnldsv added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Mar 10, 2024
@susnux susnux mentioned this pull request Mar 15, 2024
Merged
4 tasks
@susnux
Copy link
Contributor

susnux commented Mar 15, 2024

@Tetrachloromethane250 thank you very much for the pull request, we fixed it the same way but now that we have a manager function we could use, we could simplify the needed changes a lot :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@come-nc come-nc come-nc left review comments

@artonge artonge artonge left review comments

@kesselb kesselb kesselb left review comments

@susnux susnux susnux left review comments

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl was automatically assigned from nextcloud/server-backend

@nfebe nfebe Awaiting requested review from nfebe nfebe was automatically assigned from nextcloud/server-backend

Assignees
No one assigned
Labels
2. developing Work in progress bug feature: sharing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Users can Transfer ownership of a file or folder even if excluded from sharing
7 participants
@Tetrachloromethane250 @kesselb @artonge @susnux @come-nc @skjnldsv @Tetrachloroethene