
[Bug]: Access control inhibits removal of remote share

Open mickenordin opened this issue 2 years ago • 0 comments

⚠️ This issue respects the following points: ⚠️

Bug description

When a directory is shared with a user on a remote Nextcloud server, and that remote user cannot access the directory because of access control, the remote user can accept the share but cannot leave it. Instead, the interface reports: 'Error deleting file "<name of folder>"'

Steps to reproduce

  1. Block access to a folder in such a way that a remote user cannot access it.
  2. Share that folder with a remote user.
  3. The remote user accepts the share, which is listed as pending, and tries to leave the share.

Expected behavior

The remote user should be able to leave a share, no matter what the access control on the sharing server says.

Installation method

None

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • [X] Default user-backend (database)
  • [ ] LDAP/ Active Directory
  • [X] SSO - SAML
  • [X] Other

Configuration report

{
    "system": {
        "app_install_overwrite": [
            "globalsiteselector"
        ],
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "appstoreenabled": false,
        "config_is_read_only": true,
        "csrf.disabled": true,
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbport": "3306",
        "dbtableprefix": "oc_",
        "dbtype": "mysql",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "SE",
        "drive_email_template_text_left": "G\u00e5 till Sunet Drive",
        "drive_email_template_plain_text_left": "G\u00e5 till Sunet Drive",
        "drive_email_template_url_left": "https:\/\/drive.test.sunet.se\/",
        "filelocking.debug": true,
        "forcessl": true,
        "gs.enabled": "true",
        "gs.federation": "global",
        "gs.trustedHosts": [
            "*.sunet.se"
        ],
        "gss.discovery.manual.mapping.file": "\/var\/www\/html\/mappingfile.json",
        "gss.discovery.manual.mapping.parameter": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
        "gss.discovery.manual.mapping.regex": true,
        "gss.jwt.key": "addisVecCymhuexjekBudWevHakgikCiraykPish",
        "gss.master.admin": [
            "admin",
            "_berra",
            "_carina",
            "_freitag",
            "_kano",
            "_kjellman",
            "_mariah",
            "_ocs_drive",
            "_pahol",
            "_selenium_drive",
            "_selenium_drive_mfa"
        ],
        "gss.master.url": "https:\/\/drive.test.sunet.se",
        "gss.mode": "slave",
        "gss.user.discovery.module": "\\OCA\\GlobalSiteSelector\\UserDiscoveryModules\\ManualUserMapping",
        "gss.username_format": "sanitize",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "integrity.check.disabled": true,
        "log_type": "file",
        "loglevel": 0,
        "lookup_server": "https:\/\/lookup.drive.test.sunet.se\/index.php",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpsecure": "tls",
        "mail_template_class": "OCA\\DriveEmailTemplate\\EMailTemplate",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "mysql.utf8mb4": true,
        "objectstore": {
            "class": "\\OC\\Files\\ObjectStore\\S3",
            "arguments": {
                "bucket": "primary-sunet-drive-test.sunet.se",
                "key": "***REMOVED SENSITIVE VALUE***",
                "secret": "***REMOVED SENSITIVE VALUE***",
                "region": "us-east-1",
                "hostname": "s3.sto4.safedc.net",
                "port": "",
                "objectPrefix": "urn:oid:",
                "autocreate": false,
                "use_ssl": true,
                "use_path_style": true,
                "legacy_auth": false
            }
        },
        "overwrite.cli.url": "https:\/\/sunet.drive.test.sunet.se",
        "overwritehost": "sunet.drive.test.sunet.se",
        "overwriteprotocol": "https",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "redis.cluster": {
            "failover_mode": 1,
            "password": "***REMOVED SENSITIVE VALUE***",
            "read_timeout": 0,
            "seeds": "***REMOVED SENSITIVE VALUE***",
            "timeout": 1.1
        },
        "secret": "***REMOVED SENSITIVE VALUE***",
        "skeletondirectory": "",
        "templatedirectory": "",
        "trusted_domains": [
            "localhost",
            "node1.sunet.drive.test.sunet.se",
            "node2.sunet.drive.test.sunet.se",
            "node3.sunet.drive.test.sunet.se",
            "sunet.drive.test.sunet.se",
            "rds-sunet.drive.test.sunet.se",
            "describo-sunet.drive.test.sunet.se"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "admin",
            "forcemfa"
        ],
        "twofactor_enforced_excluded_groups": [],
        "updatechecker": false,
        "version": "27.1.6.3",
        "maintenance": false
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - checksum: 1.2.3
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.5.1
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_accesscontrol: 1.17.1
  - files_automatedtagging: 1.17.0
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - globalsiteselector: 2.4.5
  - integration_jupyterhub: 0.1.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - mfazones: 0.0.4
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.2
  - password_policy: 1.17.0
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - rds: 0.0.2
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - richdocuments: 8.2.4
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - stepupauth: 0.2.0
  - support: 1.10.0
  - systemtags: 1.17.0
  - tasks: 0.15.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - twofactor_totp: 9.0.0
  - twofactor_webauthn: 1.3.2
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - announcementcenter: 6.7.0 (installed 6.7.0)
  - approval: 1.1.1
  - assistant: 1.0.2 (installed 1.0.2)
  - bruteforcesettings: 2.7.0
  - calendar: 4.6.4 (installed 4.5.3)
  - collectives: 2.9.2 (installed 2.9.1)
  - drive_email_template: 0.1
  - encryption: 2.15.0
  - files_confidential: 2.0.1
  - files_lock: 27.0.3 (installed 27.0.2)
  - forms: 3.4.4 (installed 3.3.1)
  - integration_excalidraw: 2.0.4 (installed 2.0.4)
  - integration_openai: 1.1.5 (installed 1.1.4)
  - login_notes: 1.3.1
  - loginpagebutton: 1.0.0
  - maps: 1.2.0 (installed 1.1.1)
  - polls: 5.4.2 (installed 5.2.0)
  - sciencemesh: 0.5.0 (installed 0.5.0)
  - survey_client: 1.15.0 (installed 1.14.0)
  - suspicious_login: 5.0.0
  - theming_customcss: 1.15.0
  - twofactor_admin: 4.4.0 (installed 4.3.0)
  - user_ldap: 1.17.0
  - user_saml: 5.2.6 (installed 5.2.4)

Nextcloud Signing status

No response

Nextcloud Logs

{
  "reqId": "TxqGWEGsf5dJC3x0aCx5",
  "level": 0,
  "time": "2024-01-30T15:01:07+00:00",
  "remoteAddr": "89.46.21.238",
  "user": "[email protected]",
  "app": "webdav",
  "method": "PROPFIND",
  "url": "/remote.php/dav/files/[email protected]/LocalFolder",
  "message": "Exception thrown: Sabre\\DAV\\Exception\\Forbidden",
  "userAgent": "Mozilla/5.0 (Linux) mirall/3.4.2-1ubuntu1 (nextcloudcmd, ubuntu-5.4.0-169-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)",
  "version": "27.1.6.3",
  "exception": {
    "Exception": "Sabre\\DAV\\Exception\\Forbidden",
    "Message": "",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Tree.php",
        "line": 78,
        "function": "getChild",
        "class": "OCA\\DAV\\Connector\\Sabre\\Directory",
        "type": "->",
        "args": [
          "LocalFolder"
        ]
      },
      {
        "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 971,
        "function": "getNodeForPath",
        "class": "Sabre\\DAV\\Tree",
        "type": "->",
        "args": [
          "files/[email protected]/LocalFolder"
        ]
      },
      {
        "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 1662,
        "function": "getPropertiesIteratorForPath",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          "files/[email protected]/LocalFolder",
          [
            "{DAV:}resourcetype",
            "{DAV:}getlastmodified",
            "{DAV:}getcontentlength",
            "{DAV:}getetag",
            "{http://owncloud.org/ns}size",
            "{http://owncloud.org/ns}id",
            "{http://owncloud.org/ns}fileid",
            "{http://owncloud.org/ns}downloadURL",
            "{http://owncloud.org/ns}dDC",
            "{http://owncloud.org/ns}permissions",
            "{http://owncloud.org/ns}checksums"
          ],
          1
        ]
      },
      {
        "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 1647,
        "function": "writeMultiStatus",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          [
            "Sabre\\Xml\\Writer",
            [],
            "/remote.php/dav/",
            [
              "d",
              "s",
              "oc",
              "nc"
            ],
            []
          ],
          [
            "Generator"
          ],
          false
        ]
      },
      {
        "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
        "line": 346,
        "function": "generateMultiStatus",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          [
            "Generator"
          ],
          false
        ]
      },
      {
        "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
        "line": 89,
        "function": "httpPropFind",
        "class": "Sabre\\DAV\\CorePlugin",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 472,
        "function": "emit",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          "method:PROPFIND",
          [
            [
              "Sabre\\HTTP\\Request"
            ],
            [
              "Sabre\\HTTP\\Response"
            ]
          ]
        ]
      },
      {
        "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 253,
        "function": "invokeMethod",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 321,
        "function": "start",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/html/apps/dav/lib/Server.php",
        "line": 365,
        "function": "exec",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/html/apps/dav/appinfo/v2/remote.php",
        "line": 35,
        "function": "exec",
        "class": "OCA\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/html/remote.php",
        "line": 172,
        "args": [
          "/var/www/html/apps/dav/appinfo/v2/remote.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/html/apps/dav/lib/Connector/Sabre/Directory.php",
    "Line": 222,
    "message": "",
    "exception": {},
    "CustomMessage": "Exception thrown: Sabre\\DAV\\Exception\\Forbidden"
  }
}

Additional info

No response

mickenordin avatar Jan 30 '24 15:01 mickenordin