Anonymous user that received a public link share of a folder with viewer role can lock the files inside the shared folder
Parent/test.txt
view only
test.txt
curl -upublic:#Passw0rd -XLOCK "https://localhost:9200/remote.php/dav/public-files/<public-link-token>/test.txt" -H "Content-Type: application/json" -d"<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'><d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>" -vk
The request should fail with 403 as the anonymous user doesn't have enough permission to lock the file.
The file gets locked
```
> LOCK /remote.php/dav/public-files/wTuSoMstyUivDlp/test.txt HTTP/1.1
> Host: localhost:9200
> Authorization: Basic cHVibGljOiNQYXNzdzByZA==
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 119
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Length: 565
< Content-Security-Policy: default-src 'none';
< Content-Type: application/xml; charset=utf-8
< Date: Thu, 23 Nov 2023 06:27:05 GMT
< Lock-Token: <urn:uuid:befb9a40-00b2-42a4-ad81-520e45a2d6dd>
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: swikriti-OptiPlex-3070/fF7oNVLVsT-002275
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
<
<?xml version="1.0" encoding="UTF-8"?>
<d:prop xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:lockdiscovery><d:activelock>
<d:locktype><d:write/></d:locktype>
<d:lockscope><d:exclusive/></d:lockscope>
<d:depth>infinity</d:depth>
<d:timeout>Infinite</d:timeout>
<d:locktoken><d:href>urn:uuid:befb9a40-00b2-42a4-ad81-520e45a2d6dd</d:href></d:locktoken>
<d:lockroot><d:href>./test.txt</d:href></d:lockroot>
<oc:ownername>Albert Einstein</oc:ownername>
<oc:locktime>2023-11-23T12:12:05+05:45</oc:locktime>
* Connection #0 to host localhost left intact
</d:activelock></d:lockdiscovery></d:prop>%
```
ocis started with
PROXY_ENABLE_BASIC_AUTH=true OCIS_INSECURE=true OCIS_ASYNC_UPLOADS=true IDM_CREATE_DEMO_USERS=true OCIS_LOG_LEVEL=error ./bin/ocis server
OCIS_COMMITID=6ac5ac534dc29223d68604e7c647f3457a02cec2
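Added example, not part of the original report or the oCIS code base: a Python check that takes the status, headers and body of a LOCK response obtained with view-only public-link credentials and lists everything that contradicts the expected 403. The function names are hypothetical and `SAMPLE_BODY` is constructed from the curl output in the report.

```python
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "oc": "http://owncloud.org/ns"}

# Constructed sample: the lockdiscovery body from the report's curl output,
# with the XML declaration and the interleaved curl status line left out.
SAMPLE_BODY = (
    '<d:prop xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">'
    "<d:lockdiscovery><d:activelock>"
    "<d:locktype><d:write/></d:locktype>"
    "<d:lockscope><d:exclusive/></d:lockscope>"
    "<d:depth>infinity</d:depth><d:timeout>Infinite</d:timeout>"
    "<d:locktoken><d:href>urn:uuid:befb9a40-00b2-42a4-ad81-520e45a2d6dd</d:href></d:locktoken>"
    "<d:lockroot><d:href>./test.txt</d:href></d:lockroot>"
    "<oc:ownername>Albert Einstein</oc:ownername>"
    "</d:activelock></d:lockdiscovery></d:prop>"
)


def parse_active_locks(body):
    """Return one dict per <d:activelock> in a WebDAV lockdiscovery body."""
    locks = []
    for al in ET.fromstring(body).iterfind(".//d:activelock", NS):
        scope = al.find("d:lockscope", NS)
        locks.append({
            "scope": scope[0].tag.split("}")[1] if scope is not None and len(scope) else None,
            "depth": al.findtext("d:depth", None, NS),
            "timeout": al.findtext("d:timeout", None, NS),
            "root": al.findtext("d:lockroot/d:href", None, NS),
            "owner": al.findtext("oc:ownername", None, NS),
        })
    return locks


def check_viewer_lock_response(status, headers, body):
    """Findings for a LOCK sent with view-only public-link credentials.

    An empty list means the server refused the lock as the report expects.
    """
    findings = []
    if status != 403:
        findings.append(f"expected 403, got {status}")
    if any(name.lower() == "lock-token" for name in headers):
        findings.append("server issued a Lock-Token to a view-only link")
    if 200 <= status < 300 and body:
        for lock in parse_active_locks(body):
            findings.append("{scope} lock on {root}, timeout {timeout}, owner {owner}".format(**lock))
    return findings
```

Fed the response from the report, the check returns three findings: the wrong status, the issued lock token, and an exclusive lock with an infinite timeout recorded under the share owner's name.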
@SwikritiT Please validate and close if it is already resolved.
@saw-jan please ask someone to check this.
Putting this to current sprint @saw-jan.
@2403905 The test for this has been already covered
ocis/tests/acceptance/features/apiLocks/lockFiles.feature
Line 414 in 8556318
Also checked it manually and seems to be working. So closing this issue: