nextcloud
Users can still share public links to bookmarks folders even when 'Allow users to share via link' is disabled
Describe the bug When 'Allow users to share via link' is disabled, users can still create and share a link to their bookmarks folder. The link works even when the user is logged off. The link produced is in the format of "xxx.xxx.xxx.xxx/apps/bookmarks/public/(random string)" It appears that the Bookmarks app may be ignoring Nextcloud's sharing permissions.
In this scenario, only sharing the folders with other authenticated users, and only within their groups, is desired.
Conditions:
- Public sharing is off
- Federated sharing all disabled
- 'Allow resharing' is disabled
- 'Default sharing' section is all unchecked
- 'Restrict users to only share within their groups' is enabled
- '+ Apps' > Bookmarks app > 'Limit to groups' is checked, and groups are selected.
To Reproduce Steps to reproduce the behavior:
- Go to bookmarks
- Create a folder
- Click '...' and select 'Details'
- Select 'Sharing'
- Click '+' next to 'Share link'
- Share is created, link is in clipboard, and pasted link works externally without any form of security.
Expected behavior 'Share link' on folder shouldn't be there, or say 'disabled' - only 'select user or group' field should work. (Additionally, I think that password protected (public) link sharing (when used) should be honored as well.)
Desktop (please complete the following information):
- OS: Windows, Linux
- Browser: Firefox, Chrome, Brave
Server (please complete the following information):
- OS: Truenas (jailed instance of Nextcloud)
- HTTP server: nginx 1.18.0_34,2
- Database: mysql 5.7.32
- PHP version: 7.4.13_2
- Nextcloud version: 20
- Bookmarks app version: 4.0.5
Indeed, the app currently doesn't follow these settings. I used to think those only applied to the files app, though.
