oCIS version: v2.0.0-rc.1
A user who knows the id of a space can list it using the graph API by sending a PATCH request even though the user has no permission on the space.
```
curl -k -s -u einstein:relativity -X PATCH 'https://localhost:9200/graph/v1.0/drives/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee' -d '{}' | jq .
{
  "driveAlias": "personal/admin",
  "driveType": "personal",
  "id": "1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee",
  "lastModifiedDateTime": "2022-11-10T15:52:00.782463415+01:00",
  "name": "Admin",
  "owner": {
    "user": {
      "id": "be65710a-bced-465e-9e1a-72ff269de8ee"
    }
  },
  "root": {
    "eTag": "\"17513f41bcd9fb0c74a6cccb8f280dc4\"",
    "id": "1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee",
    "webDavUrl": "https://localhost:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee"
  },
  "webUrl": "https://localhost:9200/f/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee"
}
```
A GET request on the same resource:
```
curl -k -s -u einstein:relativity 'https://localhost:9200/graph/v1.0/drives/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee' | jq .
{
  "error": {
    "code": "itemNotFound",
    "innererror": {
      "date": "2022-11-10T15:16:06Z",
      "request-id": "yocto/2IxZGOgPSg-000361"
    },
    "message": "no drive returned from storage"
  }
}
```
The user shouldn't be able to list spaces they can't access.
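A method-parity regression check for the behaviour reported above, as an added example in Go (not oCIS code and not the API test linked in this thread). The toy handler, `driveID`, `members`, `canAccess` and `leakingMethods` are constructed for illustration and run against an in-memory `httptest` recorder only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data: one drive and the only user allowed to see it.
const driveID = "drive-1"
var members = map[string]bool{"admin": true}

// canAccess is the one permission check every method should pass through.
func canAccess(r *http.Request) bool {
	user, _, ok := r.BasicAuth()
	return ok && members[user]
}

// newHandler builds a toy drive endpoint; checkPatch=false skips the check on PATCH only.
func newHandler(checkPatch bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		checked := r.Method != http.MethodPatch || checkPatch
		if checked && !canAccess(r) {
			http.Error(w, `{"error":{"code":"itemNotFound"}}`, http.StatusNotFound)
			return
		}
		fmt.Fprintf(w, `{"id":%q,"name":"Admin"}`, driveID)
	})
}

// leakingMethods returns the methods that answer a non-member with anything but a data-free 404.
func leakingMethods(h http.Handler, user string) []string {
	var leaks []string
	for _, m := range []string{http.MethodGet, http.MethodPatch} {
		req := httptest.NewRequest(m, "/graph/v1.0/drives/"+driveID, strings.NewReader("{}"))
		req.SetBasicAuth(user, "constructed-password")
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		if rec.Code != http.StatusNotFound || strings.Contains(rec.Body.String(), driveID) {
			leaks = append(leaks, m)
		}
	}
	return leaks
}

func main() {
	fmt.Println(leakingMethods(newHandler(false), "einstein"), leakingMethods(newHandler(true), "einstein"))
}
```

Extending the method list in `leakingMethods` keeps the same assertion for any verb the endpoint later accepts.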
Re-tested. It is fixed. Einstein gets a 404 without data in the response.
API test added here
kobergj
SwikritiT