Fix permissions for the "uploader" Role

The "Uploade" role should not be able to list contents of the shared resource. owncloud/ocis#4657
cs3org · Sep 26, 2022 · 5cf7b3f · 5cf7b3f
1 parent 91e5930
commit 5cf7b3f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/changelog/unreleased/fix-uploader-permissions.md b/changelog/unreleased/fix-uploader-permissions.md
@@ -0,0 +1,8 @@
+Bugfix: Fix "uploader" role permissions
+
+We fixed a permission problem on "public upload shares", which allowed to
+view the content of the shared upload folder.
+
+
+https://github.com/cs3org/reva/pull/3274
+https://github.com/owncloud/ocis/issues/4657
diff --git a/internal/http/services/owncloud/ocs/conversions/role.go b/internal/http/services/owncloud/ocs/conversions/role.go
@@ -267,7 +267,6 @@ func NewUploaderRole() *Role {
 		Name: RoleUploader,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
 			Stat:               true,
-			ListContainer:      true,
 			GetPath:            true,
 			CreateContainer:    true,
 			InitiateFileUpload: true,
@@ -368,7 +367,6 @@ func NewLegacyRoleFromOCSPermissions(p Permissions) *Role {
 	}
 	if p.Contain(PermissionCreate) {
 		r.cS3ResourcePermissions.Stat = true
-		r.cS3ResourcePermissions.ListContainer = true
 		r.cS3ResourcePermissions.CreateContainer = true
 		// FIXME permissions mismatch: double check ocs create vs update file
 		// - if the file exists the ocs api needs to check update permission,
@@ -414,8 +412,7 @@ func RoleFromResourcePermissions(rp *provider.ResourcePermissions) *Role {
 		rp.RestoreRecycleItem {
 		r.ocsPermissions |= PermissionWrite
 	}
-	if rp.ListContainer &&
-		rp.Stat &&
+	if rp.Stat &&
 		rp.CreateContainer &&
 		rp.InitiateFileUpload {
 		r.ocsPermissions |= PermissionCreate