[Sharing NG] Link password capabilities are not being respected on update #8725

Closed
JammingBen opened this issue Mar 25, 2024 · 6 comments
Labels
Interaction:Question Priority:p2-high Escalation, on top of current planning, release blocker

@JammingBen
Contributor

Describe the bug

The capabilities for link passwords are not being respected on update.

Steps to reproduce

  1. Make sure oCIS is configured to have passwords enforced for all link types
  2. Create a public link for a file and give it a password
  3. Change the link's type to internal, which will remove the password because internal links don't have a password
  4. Update the link's type to edit without setting a new password (PATCH to e.g. https://host.docker.internal:9200/graph/v1beta1/drives/e310554b-25a9-4f97-a423-8b1ff5d77254%24ff10588e-0c68-46c1-a984-c859f8fbdd20/items/e310554b-25a9-4f97-a423-8b1ff5d77254%24ff10588e-0c68-46c1-a984-c859f8fbdd20\u0021c984993a-d361-45a1-b829-9231ee827c81/permissions/tSclcXHFrIvAnaB)

Expected behavior

The server should throw an error like "passwords are enforced".

Actual behavior

The link is being updated successfully.

Note that there are some edge cases to this scenario. I don't remember the details, but if I'm not mistaken, admins can remove an existing password for the view role despite passwords being enforced. So in the example above, changing the type to view should still be possible without password (for admins). Maybe @micbar or @tbsbdr can confirm this.

@rhafer rhafer added the Priority:p2-high Escalation, on top of current planning, release blocker label Mar 25, 2024
@micbar
Contributor

micbar commented Mar 25, 2024

There is a special case: some users can leave the password out when updating.

@micbar
Contributor

micbar commented Mar 25, 2024

Story: #7538

@micbar
Contributor

micbar commented Apr 8, 2024

@JammingBen Can we close this? Please check if you can follow my understanding of the expected behavior.

@AlexAndBear Was implementing that.

@micbar micbar self-assigned this Apr 8, 2024
@micbar micbar moved this from Qualification to In progress in Infinite Scale Team Board Apr 8, 2024
@JammingBen
Contributor Author

> @JammingBen Can we close this? Please check if you can follow my understanding of the expected behavior.
>
> @AlexAndBear Was implementing that.

Alex implemented this in Web. But the API still allows changing the role, therefore ignoring the capabilities. IMO that should be fixed.

@micbar
Contributor

micbar commented Apr 9, 2024

You are right!
4.) is exactly the case where you PATCH the link, but that should only allow view links.

@rhafer @fschade Should be a quick fix.

@rhafer
Contributor

rhafer commented May 16, 2024

This was fixed with cs3org/reva#4622

@rhafer rhafer closed this as completed May 16, 2024
@github-project-automation github-project-automation bot moved this from In progress to Done in Infinite Scale Team Board May 16, 2024
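
The server-side check this thread asks for in step 4, sketched as an added example in Go (not code from oCIS or reva, and not the change in cs3org/reva#4622): validate the state the link would have after the PATCH, not only the fields the request carries. All type and function names are hypothetical, and the view-link exemption mentioned in the comments is modeled as a plain boolean, which is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model for illustration; these are not the oCIS/reva types.
type LinkType string

const (
	Internal LinkType = "internal"
	View     LinkType = "view"
	Edit     LinkType = "edit"
)

type Link struct {
	Type        LinkType
	HasPassword bool
}

// Update mirrors a PATCH body: nil means the field was not sent.
type Update struct {
	Type     *LinkType
	Password *string
}

var ErrPasswordEnforced = errors.New("passwords are enforced")

// ValidateUpdate evaluates the link as it would exist after the update.
// enforced is the capability per type; mayOmitOnView is the assumed exemption.
func ValidateUpdate(cur Link, up Update, enforced map[LinkType]bool, mayOmitOnView bool) error {
	t, hasPw := cur.Type, cur.HasPassword
	if up.Type != nil {
		t = *up.Type
	}
	if up.Password != nil {
		hasPw = *up.Password != ""
	}
	// Internal links carry no password; otherwise one must exist when enforced.
	if t == Internal || hasPw || !enforced[t] || (t == View && mayOmitOnView) {
		return nil
	}
	return ErrPasswordEnforced
}

func main() {
	edit := Edit // constructed input: step 4 of the report, internal -> edit, no password
	enforced := map[LinkType]bool{View: true, Edit: true}
	fmt.Println(ValidateUpdate(Link{Type: Internal}, Update{Type: &edit}, enforced, true))
}
```

Because the check runs on the merged state, a link that lost its password by passing through the internal type is treated the same as one created without a password.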