Graph patch request leaks drive information

[C0rby]

Context

oCIS version: v2.0.0-rc.1

Issue

A user who knows the id of a space can list it using the graph API by sending a PATCH request even though the user has no permission on the space.

curl -k -s -u einstein:relativity -X PATCH 'https://localhost:9200/graph/v1.0/drives/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee' -d '{}' | jq .
{
  "driveAlias": "personal/admin",
  "driveType": "personal",
  "id": "1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee",
  "lastModifiedDateTime": "2022-11-10T15:52:00.782463415+01:00",
  "name": "Admin",
  "owner": {
    "user": {
      "id": "be65710a-bced-465e-9e1a-72ff269de8ee"
    }
  },
  "root": {
    "eTag": "\"17513f41bcd9fb0c74a6cccb8f280dc4\"",
    "id": "1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee",
    "webDavUrl": "https://localhost:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee"
  },
  "webUrl": "https://localhost:9200/f/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee"
}

A GET request on the same resource:

curl -k -s -u einstein:relativity 'https://localhost:9200/graph/v1.0/drives/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee' | jq .
{
  "error": {
    "code": "itemNotFound",
    "innererror": {
      "date": "2022-11-10T15:16:06Z",
      "request-id": "yocto/2IxZGOgPSg-000361"
    },
    "message": "no drive returned from storage"
  }
}

Expected

The user shouldn't be able to list spaces they can't access.

[ScharfViktor]

re-tested. It fixed. Einstein get 404 without data in response

[SwikritiT]

API test added here

• stable-2.0 [tests-only][full-ci]Adds tests for sending PATCH request to other user's space #5320
• master [tests-only][full-ci]Adds tests for sending PATCH request to other user's space - porting from stable to master #5325