
Trashbin api allows users to see trashbin content of other users. #36378

Closed
dpakach opened this issue Nov 5, 2019 · 4 comments · Fixed by #36488

Comments

dpakach (Contributor) commented Nov 5, 2019

Steps to reproduce

  1. Enable the trashbin preview API.
  2. Create a user:
     ./occ user:add chameli
  3. As chameli, delete a file, e.g. lorem.txt:
     curl -X DELETE http://localhost/core/remote.php/dav/files/chameli/lorem.txt -u chameli:qwerty
  4. As user1, send a request to the trashbin API for the files of chameli:
     curl -X PROPFIND http://172.17.0.1/oc/core/remote.php/dav/trash-bin/chameli -u user1:pass1 --data '<?xml version="1.0"?><d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns" xmlns:ocs="http://open-collaboration-services.org/ns"><d:prop><oc:trashbin-original-filename/><oc:trashbin-original-location/><oc:trashbin-delete-timestamp/><d:getlastmodified/><d:getcontentlength/><d:resourcetype/></d:prop></d:propfind>' -v | xmllint --format -

Expected behaviour

  • The user should get 401 response (unauthorized)

Actual behaviour

  • The user can list all the contents of the trashbin of chameli in the trashbin API response:
<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns">
  <d:response>
    <d:href>/core/remote.php/dav/trash-bin/chameli/</d:href>
    <d:propstat>
      <d:prop>
        <d:resourcetype>
          <d:collection/>
        </d:resourcetype>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
    <d:propstat>
      <d:prop>
        <oc:trashbin-original-filename/>
        <oc:trashbin-original-location/>
        <oc:trashbin-delete-timestamp/>
        <d:getlastmodified/>
        <d:getcontentlength/>
      </d:prop>
      <d:status>HTTP/1.1 404 Not Found</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>/core/remote.php/dav/trash-bin/chameli/2147490712</d:href>
    <d:propstat>
      <d:prop>
        <oc:trashbin-original-filename>lorem.txt</oc:trashbin-original-filename>
        <oc:trashbin-original-location>lorem.txt</oc:trashbin-original-location>
        <oc:trashbin-delete-timestamp>1573023465</oc:trashbin-delete-timestamp>
        <d:getlastmodified>Wed, 06 Nov 2019 06:57:41 GMT</d:getlastmodified>
        <d:getcontentlength>446</d:getcontentlength>
        <d:resourcetype/>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>

Server configuration

Operating system: ubuntu18.04

Web server: apache2

Database: mysql

PHP version: 7.2

ownCloud version: (see ownCloud admin page) 10.3 (git)

Updated from an older ownCloud or fresh install: fresh

Where did you install ownCloud from: git

Signing status (ownCloud 9.0 and above):
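As an added detection example (not part of this issue or of ownCloud's own code), the script below scans Apache combined-format access log lines (the reporter's setup uses apache2) for the pattern reported above: an authenticated user requesting another user's trash-bin collection and the server answering with a success status instead of rejecting it. The log lines are constructed; the combined log format with the `%u` auth-user field and the `/remote.php/dav/trash-bin/<owner>` path shape are assumptions taken from the report.

```python
import re

# Apache "combined" format: the third field (%u) is the user that HTTP
# Basic auth authenticated, which is what the DAV endpoint sees.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<auth_user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Per-user trash-bin collection: /remote.php/dav/trash-bin/<owner>[/...]
TRASH_RE = re.compile(r'/remote\.php/dav/trash-bin/(?P<owner>[^/?]+)')


def cross_user_trashbin_access(lines):
    """Return (auth_user, owner, method, status) for every request in which
    an authenticated user touched another user's trash-bin collection and
    the server did not reject it (status below 400)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        t = TRASH_RE.search(m['path'])
        if not t:
            continue  # not a trash-bin request
        auth_user, owner = m['auth_user'], t['owner']
        if auth_user in ('-', owner):
            continue  # anonymous (rejected by auth) or the owner's own bin
        if int(m['status']) < 400:
            findings.append((auth_user, owner, m['method'], int(m['status'])))
    return findings


# Constructed sample log lines (not taken from the report) that mirror the
# steps to reproduce: chameli deletes a file, user1 lists chameli's trash-bin.
SAMPLE_LOG = """\
10.0.0.5 - chameli [06/Nov/2019:06:57:41 +0000] "DELETE /core/remote.php/dav/files/chameli/lorem.txt HTTP/1.1" 204 -
10.0.0.7 - user1 [06/Nov/2019:06:58:02 +0000] "PROPFIND /core/remote.php/dav/trash-bin/chameli HTTP/1.1" 207 1180
10.0.0.5 - chameli [06/Nov/2019:06:58:30 +0000] "PROPFIND /core/remote.php/dav/trash-bin/chameli/ HTTP/1.1" 207 1180
10.0.0.7 - user1 [06/Nov/2019:06:59:10 +0000] "PROPFIND /core/remote.php/dav/trash-bin/chameli HTTP/1.1" 403 -
"""

if __name__ == "__main__":
    for auth_user, owner, method, status in cross_user_trashbin_access(SAMPLE_LOG.splitlines()):
        print(f"{auth_user} {method} trash-bin of {owner}: server returned {status}")
```

Only the second sample line is reported; the owner's own listing and the later 403 are the expected outcomes once the fix is in place.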

@skshetry skshetry changed the title Trashbin api allows users to see trahsbin content of other users. Trashbin api allows users to see trashbin content of other users. Nov 6, 2019
phil-davis (Contributor) commented:

I added QA-team and acceptance-tests labels to get an example acceptance test scenario done.
@dpakach please assign someone to make a test scenario that demonstrates the undesirable behaviour. Then @DeepDiver1975 will be easily able to confirm when he fixes it.

phil-davis (Contributor) commented:

WIP in PR #36376

phil-davis (Contributor) commented:

Removed QA labels and added to new sprint. Needs developer now.

@micbar micbar added this to the development milestone Nov 11, 2019
dpakach (Contributor, Author) commented Nov 12, 2019

Test scenarios for this issue were added in #36376. Starting line:

# This issue makes this scenario behave differently based on previously created users.
