fix(permission): enhance the strictness of permissions #7705
Conversation
I can no longer access WebDAV after this on the beta build, and on the site, whenever you try to refresh, it prompts a password box. However, even if you don't input anything, it will still let you in. The thing is, I don't have any "meta" enabled, so I can't access WebDAV. On the website, it keeps asking for a password if you refresh inside a list (not via the browser itself); it doesn't matter what settings I change. Any fix for this? Thanks.
You need to enable the two permissions related to WebDAV for the admin user in the user management web interface in order to log in and write to WebDAV. Additionally, if you want to perform basic operations such as "create, copy, delete" over WebDAV, you will also need those basic permissions. Before version 3.41.0, the admin user would bypass these permission checks. Since the database does not store the permission information for the admin user, after this PR is merged you will need to manually grant these permissions to the admin user.
@xhofe It seems that many people have not realized how this PR affects usage after upgrading; please include the paragraph above in the release notes of the next official version.
The thing is, there's no new option on the interface to change. You can't edit or disable the options on the user admin account. The only thing I can change is the FTP option, because when I click the others, nothing happens; all the admin options are enabled no matter what I do. If you can tell me where the new WebDAV options are located I will be grateful, because, like I said, on the user page there's nothing new, just the two new FTPS options that are clickable.
On top of that, every time I click refresh on the home page where the drives are, I get a prompt asking for a password. Funny enough, even if you don't put anything in, it lets you in. So it's kind of pointless and annoying. I double-checked whether there was something wrong with my config or the installation, twice with the latest beta. But all the problems that I'm facing are related to permissions, whether it's on the website interface or WebDAV.
This is caused by a version mismatch between the front end and the back end. I'm sorry, but I'm not sure why you are encountering this problem. You can try re-downloading the beta version or temporarily use an account with the general role. This problem will not occur in the next official release.
I will examine and fix this problem later.
Like I said in my second reply, I already did that, and there's a bug on the web interface on the home page. Every time I click refresh, I get a password prompt. It doesn't matter if I enter nothing, a random number, or even the admin password; it still lets me in. However, it keeps repeating the same thing when I press refresh on the home page or on any drive, whether it's local or elsewhere.
Thanks for answering quickly, especially during these days! And sorry for overlapping the replies, hahaha. My connection sucks because I'm driving. Cheers, and happy holidays (or whatever everyone celebrates over there)! I just downgraded back to 3.41.0 for the time being; it has its bugs, but it's working just fine for my backup usage.
I was unable to reproduce the issue 😭. Did you re-download it from the releases page when you reinstalled? The beta version I downloaded allows modifying the admin user's permissions in the user management page. Moreover, even if the admin has no permissions, I am not prompted for a password. Could you please tell me the status of your guest user, the operating system and its version, the WebDAV client and its version, as well as the drive you mounted?
Fixed by #7738
Hey, sorry for the late reply! This year started a bit too complicated, so I didn't have time to check out the thread. For me, with a non-admin account, it works well. I can access WebDAV and it works as it should on the site too. But general accounts are limited... The Guest user is disabled; I don't use it because I run AList just on my own local network to use it with WebDAV for backups. It doesn't matter which client I used; I tested in the browser with "localhost:5244/dav" and after login I get an access denied (perms) error 403. Same for the drives, it doesn't matter (it will do the same on just the home page where the drives, local and mounted, are; it will prompt for a password when you hit refresh on the quick menu of a list, with a password or not, and it will let you in after you click "OK"). I can't access WebDAV with the admin account. I get all the same errors, the password prompt every time I hit refresh on the "home" section while logged in with the admin account. On WebDAV, I can't even log in with the credentials, so there's still something wrong with the admin account. In the user options, everything is checked; I tried changing the password and everything I can think of, to no avail. I updated to the last beta, and the general accounts are working normally for me now (I never created one before because, like I mentioned, I don't have AList on a domain, I use it just for personal use, same with the guest account). But not the admin one.
All recent similar issues have been proven to be caused by inconsistencies between the front-end and back-end versions. If you are using a self-compiled version of AList, the front-end part needs to use the latest commit ef56a90 from the main branch, rather than the latest version 3.41.0 from the release. You can also manually modify the admin's permissions using SQLite. If the admin's permission in the database is 0, you need to change it to 1023. If you have enabled both FTP permissions for the admin, it should be 3072, and you need to change it to 4095. Alternatively, you can wait for the next release to be published, which will not have this issue.
It was 3072, and no, I'm just using the desktop one from the official AList GitHub beta branch. Cheers!
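The repair described in the comment above (0 becomes 1023, 3072 becomes 4095) treats the stored permission as a bitmask: bits 0-9 are the basic permissions and bits 10-11 are the two FTP permissions. The following is an added example, not code from the AList project, that generalizes that repair to any stored value by OR-ing in the basic mask while preserving the FTP bits, and checks the WebDAV bits the PR now requires of the admin; the positions of the two WebDAV bits (8 and 9) are this example's assumption, not stated in the thread.

```go
package main

import "fmt"

// Bit layout derived from the values quoted in the thread:
// 1023 = bits 0-9 set (basic permissions), 3072 = bits 10-11 set (FTP).
const (
	PermBasicMask uint32 = 1023 // basic operations, including the WebDAV bits
	PermFTPMask   uint32 = 3072 // FTP/SFTP read and manage
	// Assumed positions of the two WebDAV permissions inside the basic range.
	PermWebDAVRead   uint32 = 1 << 8
	PermWebDAVManage uint32 = 1 << 9
)

// RepairAdminPermission grants every basic bit that the stricter backend now
// enforces for the admin user and keeps whatever FTP bits were already set,
// so 0 -> 1023 and 3072 -> 4095, exactly as the comment describes.
func RepairAdminPermission(stored uint32) uint32 {
	return stored | PermBasicMask
}

// CanLoginWebDAV and CanWriteWebDAV model the two-stage requirement from the
// thread: logging in needs the read bit, writing needs the manage bit as well.
func CanLoginWebDAV(perm uint32) bool { return perm&PermWebDAVRead != 0 }
func CanWriteWebDAV(perm uint32) bool {
	return CanLoginWebDAV(perm) && perm&PermWebDAVManage != 0
}

func main() {
	// Constructed sample values: admin with no bits, admin with both FTP bits.
	for _, stored := range []uint32{0, 3072} {
		fixed := RepairAdminPermission(stored)
		fmt.Printf("stored=%d webdav-login=%v -> repaired=%d webdav-write=%v\n",
			stored, CanLoginWebDAV(stored), fixed, CanWriteWebDAV(fixed))
	}
}
```

Running the repair is idempotent, so applying it to an already-correct row (1023 or 4095) leaves the value unchanged.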
Apply the constraints of the permission system to the admin user as well
Require the basic permissions for access to the WebDAV endpoint
The benefits of these modifications:
Frontend part AlistGo/alist-web#216
Closes #7680