Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correctly look up filename when logged in but inaccessible #48295

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Correctly look up filename when logged in but inaccessible #48295

wants to merge 2 commits into from
+4 −3

Commits on Sep 23, 2024

  1. Correctly look up filename when logged in but inaccessible 

    If the user is not logged in, and we can't find the file owner, we guess
the file owner from the path. Most likely the username in the path has
some access to the file, so we can find the filename.

However, in the case where we are logged in, and the file is a group
share, both the username and the owner will be the same UID. Which is
fine as long as we have access to the file.

But in the case where we are actually writing a spreadsheet update for a
form submission, the logged in user may not have access to the file.
However, it is still a legitimate write by the forms app, so it is safe
to use the owner in the path, just as if we were logged out.

I'm not 100% sure about the security implications here and request
review. However it provides a simple workaround for our use case:
- Form with an attached spreadsheet
- User is logged in
- User has access to the form but not the spreadsheet
- The spreadsheet is in a group folder
- The versioning app is enabled

The alternative is to fix the underlying problem in the forms app, which
would be a much bigger diff. See the forms bug here:
nextcloud/forms#2067

However, if I am right about the security model here, this is a safe
workaround, and may actually be correct.

Signed-off-by: Matthew Toseland <matthew@toselandcs.co.uk>
    @toad
    toad committed Sep 23, 2024
    Configuration menu
    Copy the full SHA
    e92817d View commit details
    Browse the repository at this point in the history

  2. Merge branch 'master' into mjt-forms-versions-error-forms-bug-2067

    @toad
    toad authored Sep 23, 2024
    Configuration menu
    Copy the full SHA
    4960ef3 View commit details
    Browse the repository at this point in the history