Delete a file of a not a valid user (LDAP) #8651

Closed
hechi opened this issue Mar 5, 2018 · 5 comments

@hechi
Member

hechi commented Mar 5, 2018

Steps to reproduce

  1. All users are LDAP users.
  2. User1 shares a file with User2.
  3. Disable User1 in the LDAP backend (remove the user from the group).
  4. User2 tries to delete the shared file.

Expected behaviour

File is removed from User2

Actual behaviour

Error appears and file is not removed

Server configuration

Operating system: Debian

Web server: NGINX

Database: mysql

PHP version: 5.6.30

Nextcloud version: 13.0.0.14

Updated from an older Nextcloud/ownCloud or fresh install: update from older versions

Where did you install Nextcloud from: tar

Signing status:

Signing status
No errors have been found.

List of activated apps:

App list

Enabled:
 - activity: 2.6.1
 - admin_audit: 1.3.0
 - announcementcenter: 3.2.1
 - caniupdate: 0.1.2
 - comments: 1.3.0
 - dav: 1.4.6
 - federatedfilesharing: 1.3.1
 - federation: 1.3.0
 - files: 1.8.0
 - files_pdfviewer: 1.2.0
 - files_sharing: 1.5.0
 - files_texteditor: 2.5.1
 - files_trashbin: 1.3.0
 - files_versions: 1.6.0
 - files_videoplayer: 1.2.0
 - firstrunwizard: 2.2.1
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - nextcloud_announcements: 1.2.0
 - notifications: 2.1.2
 - oauth2: 1.1.0
 - password_policy: 1.3.0
 - provisioning_api: 1.3.0
 - serverinfo: 1.3.0
 - sharebymail: 1.3.0
 - survey_client: 1.1.0
 - systemtags: 1.3.0
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - updatenotification: 1.3.0
 - user_ldap: 1.3.1
 - workflowengine: 1.3.0   

Nextcloud configuration:

Config report

{"system":{
	"instanceid": "***REMOVED SENSITIVE VALUE***","passwordsalt": "***REMOVED SENSITIVE VALUE***",
	"trusted_domains":[ "***REMOVED SENSITIVE VALUE***","***REMOVED SENSITIVE VALUE***"],
	"datadirectory": "***REMOVED SENSITIVEVALUE***",
	"dbtype": "mysql",
	"version": "13.0.0.14",
	"dbname": "***REMOVED SENSITIVE VALUE***",
	"dbhost": "***REMOVED SENSITIVE VALUE***",
	"dbtableprefix": "oc_",
	"dbuser": "***REMOVED SENSITIVE VALUE***",
	"dbpassword": "***REMOVED SENSITIVE VALUE***","installed": true,
	"mail_smtpmode": "sendmail",
	"mail_smtpsecure": "tls",
	"mail_smtpauthtype": "PLAIN",
	"mail_smtpauth": 1,
	"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
	"mail_smtpport": "587",
	"appstoreenabled": true,
	"updatechecker": true,
	"has_internet_connection": true,
	"check_for_working_webdav": false,
	"check_for_working_htaccess": true,
	"theme": "",
	"maintenance": false,
	"ldapIgnoreNamingRules": false,
	"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
	"mail_from_address": "***REMOVED SENSITIVE VALUE***",
	"mail_domain": "***REMOVED SENSITIVE VALUE***",
	"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
	"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
	"secret": "***REMOVED SENSITIVE VALUE***",
	"loglevel": 3,
	"trashbin_retention_obligation": "7",
	"updater.release.channel": "stable",
	"ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
	"overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***"
	}
}  

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+----------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                    |
+-------------------------------+----------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      |                                                                                                    |
| hasPagedResultSupport         |                                                                                                    |
| homeFolderNamingRule          |                                                                                                    |
| lastJpegPhotoLookup           | 0                                                                                                  |
| ldapAgentName                 | uid=nextcloud,ou=systemusers,dc=example,dc=de                                                 |
| ldapAgentPassword             | ***                                                                                                |
| ldapAttributesForGroupSearch  |                                                                                                    |
| ldapAttributesForUserSearch   | sn;cn                                                                                              |
| ldapBackupHost                |                                                                                                    |
| ldapBackupPort                |                                                                                                    |
| ldapBase                      | dc=example,dc=de                                                                             |
| ldapBaseGroups                | dc=example,dc=de                                                                             |
| ldapBaseUsers                 | dc=example,dc=de                                                                             |
| ldapCacheTTL                  | 600                                                                                                |
| ldapConfigurationActive       | 1                                                                                                  |
| ldapDefaultPPolicyDN          |                                                                                                    |
| ldapDynamicGroupMemberURL     |                                                                                                    |
| ldapEmailAttribute            | mail                                                                                               |
| ldapExperiencedAdmin          | 0                                                                                                  |
| ldapExpertUUIDGroupAttr       |                                                                                                    |
| ldapExpertUUIDUserAttr        | uid                                                                                                |
| ldapExpertUsernameAttr        |                                                                                                    |
| ldapGidNumber                 | gidNumber                                                                                          |
| ldapGroupDisplayName          | cn                                                                                                 |
| ldapGroupFilter               |                                                                                                    |
| ldapGroupFilterGroups         |                                                                                                    |
| ldapGroupFilterMode           | 1                                                                                                  |
| ldapGroupFilterObjectclass    |                                                                                                    |
| ldapGroupMemberAssocAttr      | member                                                                                             |
| ldapHost                      | 10.0.0.9                                                                                           |
| ldapIgnoreNamingRules         |                                                                                                    |
| ldapLoginFilter               | (&(&(objectclass=inetOrgPerson)(memberof=cn=nextcloud,ou=groups,dc=example,dc=de))(uid=%uid)) |
| ldapLoginFilterAttributes     | uid                                                                                                |
| ldapLoginFilterEmail          | 0                                                                                                  |
| ldapLoginFilterMode           | 1                                                                                                  |
| ldapLoginFilterUsername       | 1                                                                                                  |
| ldapNestedGroups              | 0                                                                                                  |
| ldapOverrideMainServer        | 0                                                                                                  |
| ldapPagingSize                | 500                                                                                                |
| ldapPort                      | 389                                                                                                |
| ldapQuotaAttribute            |                                                                                                    |
| ldapQuotaDefault              |                                                                                                    |
| ldapTLS                       | 0                                                                                                  |
| ldapUserDisplayName           | displayname                                                                                        |
| ldapUserDisplayName2          |                                                                                                    |
| ldapUserFilter                | (&(objectclass=inetOrgPerson)(memberof=cn=nextcloud,ou=groups,dc=example,dc=de))              |
| ldapUserFilterGroups          | nextcloud                                                                                           |
| ldapUserFilterMode            | 1                                                                                                  |
| ldapUserFilterObjectclass     | inetOrgPerson                                                                                      |
| ldapUuidGroupAttribute        | auto                                                                                               |
| ldapUuidUserAttribute         | auto                                                                                               |
| turnOffCertCheck              | 0                                                                                                  |
| turnOnPasswordChange          | 0                                                                                                  |
| useMemberOfToDetectMembership | 1                                                                                                  |
+-------------------------------+----------------------------------------------------------------------------------------------------+

Client configuration

Browser: chrome and firefox

Operating system: Debian

Logs

Nextcloud log (data/nextcloud.log)

Nextcloud log
{"reqId":"Vqdp4vbUBBPHRNB44ZGw","level":3,"time":"2018-03-05T10:27:21+00:00","remoteAddr":"10.0.0.1","user":"user2","app":"core","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"user1 is not a valid user anymore","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.2.4 (build 1) (Nextcloud)","version":"13.0.0.14"}
{"reqId":"K7A9at1mjKT5Ss4tLOPn","level":3,"time":"2018-03-05T10:27:29+00:00","remoteAddr":"10.0.0.1","user":"user2","app":"core","method":"GET","url":"\/remote.php\/webdav\/de.bla.jar","message":"user1 is not a valid user anymore","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.2.4 (build 1) (Nextcloud)","version":"13.0.0.14"}
{"reqId":"K7A9at1mjKT5Ss4tLOPn","level":4,"time":"2018-03-05T10:27:29+00:00","remoteAddr":"10.0.0.1","user":"user2","app":"webdav","method":"GET","url":"\/remote.php\/webdav\/de.bla.jar","message":"Exception: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\ServiceUnavailable\",\"Message\":\"Storage is temporarily not available\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(81): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\ObjectTree->getNodeForPath('de.bla.monito...')\\n#1 [internal function]: Sabre\\\\DAV\\\\CorePlugin->httpGet(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#2 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#3 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(479): Sabre\\\\Event\\\\EventEmitter->emit('method:GET', Array)\\n#4 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(80): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/nextcloud\\\/remote.php(164): require_once('\\\/var\\\/www\\\/nextcl...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/ObjectTree.php\",\"Line\":163}","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.2.4 (build 1) (Nextcloud)","version":"13.0.0.14"}
{"reqId":"6TMx346r7fyWxAdkPaGt","level":3,"time":"2018-03-05T10:28:19+00:00","remoteAddr":"10.0.0.1","user":"user2","app":"core","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"user1 is not a valid user anymore","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.2.4 (build 1) (Nextcloud)","version":"13.0.0.14"}
{"reqId":"gVPB4nRcyX9ZWZrjkmeM","level":3,"time":"2018-03-05T10:28:20+00:00","remoteAddr":"10.0.0.1","user":"user2","app":"core","method":"GET","url":"\/remote.php\/webdav\/de.bla.jar","message":"user1 is not a valid user anymore","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.2.4 (build 1) (Nextcloud)","version":"13.0.0.14"}
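As an added example (not from the issue and not Nextcloud's own code), a small Python scan over log lines in the nextcloud.log format shown above: it correlates each "X is not a valid user anymore" warning with a Sabre ServiceUnavailable exception logged under the same reqId, so an admin can list which recipients and paths are blocked on shares from a disabled LDAP account. The sample lines are constructed, modelled on the excerpt, with the stack trace trimmed.

```python
"""Find shares whose owner is no longer a valid user, from Nextcloud's JSON log."""
import json
import re
from collections import defaultdict

INVALID_USER_RE = re.compile(r"^(?P<owner>\S+) is not a valid user anymore$")
SERVICE_UNAVAILABLE = "ServiceUnavailable"

# Constructed sample, modelled on the issue's log excerpt (raw string: JSON escapes kept as-is).
SAMPLE_LOG = r"""
{"reqId":"A1","level":3,"time":"2018-03-05T10:27:21+00:00","user":"user2","app":"core","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"user1 is not a valid user anymore"}
{"reqId":"B2","level":3,"time":"2018-03-05T10:27:29+00:00","user":"user2","app":"core","method":"GET","url":"\/remote.php\/webdav\/de.bla.jar","message":"user1 is not a valid user anymore"}
{"reqId":"B2","level":4,"time":"2018-03-05T10:27:29+00:00","user":"user2","app":"webdav","method":"GET","url":"\/remote.php\/webdav\/de.bla.jar","message":"Exception: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\ServiceUnavailable\",\"Message\":\"Storage is temporarily not available\",\"Code\":0}"}
{"reqId":"C3","level":3,"time":"2018-03-05T10:30:00+00:00","user":"user3","app":"core","method":"DELETE","url":"\/remote.php\/webdav\/report.pdf","message":"user9 is not a valid user anymore"}
this line is deliberately not JSON
"""


def parse_log(text):
    """Yield one dict per well-formed JSON line; a truncated or foreign line is skipped,
    not fatal, so a partially written log tail does not abort the scan."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_orphaned_shares(text):
    """Return {invalid_owner: sorted [(recipient, url, request_failed)]}.
    request_failed is True when the same reqId also logged a ServiceUnavailable exception,
    i.e. the recipient's request was actually broken by the stale share, not just warned about."""
    entries = list(parse_log(text))
    failed_reqs = {e.get("reqId") for e in entries
                   if e.get("level", 0) >= 4 and SERVICE_UNAVAILABLE in e.get("message", "")}
    hits = defaultdict(set)
    for e in entries:
        m = INVALID_USER_RE.match(e.get("message", ""))
        if m:
            hits[m.group("owner")].add((e.get("user", ""), e.get("url", ""), e.get("reqId") in failed_reqs))
    return {owner: sorted(pairs) for owner, pairs in hits.items()}


if __name__ == "__main__":
    for owner, pairs in find_orphaned_shares(SAMPLE_LOG).items():
        for recipient, url, failed in pairs:
            print(f"{owner}: share seen by {recipient} at {url} ({'FAILED' if failed else 'warned'})")
```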

@tfl

tfl commented Mar 6, 2018

Whether or not User1 is disabled, User2 (any user account) must not be able to delete a file or share that he does not own. Period. The system should, however, disable/remove shares of an account that gets disabled. The user backend is completely irrelevant for this. What counts is: the account is valid or invalid.

@hechi
Member Author

hechi commented Mar 6, 2018

Hey tfl, thanks for your post. The backend is kind of relevant, because the normal delete function is not called via the web interface. User1 was removed via another interface (LDAP). Because I guess if you use the occ command to remove a user, it works as expected.

@tfl

tfl commented Mar 7, 2018

To let a user A delete shares/files from user B via web is highly dangerous and should be avoided! If I were in charge of this issue I would close it.

I see it this way: it is the daily administrators task to run something like "occ check user and at least remove shares from non-existent or locked accounts" (I am not sure about locked accounts...). If occ does not support this, then I consider this a bug. Otherwise it's not.

@hechi
Member Author

hechi commented Mar 7, 2018

Hey tfl, deleting a shared link is not deleting the file/folder by itself. It's only the link between the users. This is how it's done right now. For example, you share a file (A.pdf) with me, then it appears in my view. If I don't like it, I delete the file. The file is still in your space but not linked/shared with me in my space.

It is not about deleting content, it is about deleting the connection, which normally works if the user who shared a file with me is valid but doesn't work if the user is invalid.

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@nextcloud-bot
Member

Hey, this issue has been closed because the label stale is set and there were no updates for 14 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)
