-
Notifications
You must be signed in to change notification settings - Fork 159
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
External apps not working properly in public links with auth context #8486
Comments
To add to this, and discussing with Gianmaria @gmgigi96: this should really be handled by the backend, at the cost of a double stat for each resource that is accessed via public link (one on behalf of the owner, one on behalf of the user). For passwordless links, there's no need for passing an additional header and the backend can sort things out. For password-protected links, this is to be thought through - a separate header could be used to validate the password and then the same double stat logic would apply. For the time being though, we'd need a workaround on the frontend - just don't pass the auth context, as it was before. The proper implementation in the backend does require a bit of work (and a separate issue should be opened in Reva). |
To be noted that I discovered the issue with apps, but I expect that any access be affected. E.g. a user with read-only access to a folder + read-write public link -> no upload is allowed with the user's auth context. |
So that we do not become the user in public links, which would generate wrong requests when a user is logged in. Reported in owncloud#8486
relates to: a5b1717 |
This has been solved meanwhile. Tested in ocis |
Hi Benedikt, I don't understand how that "fixes" the issue: what is the (expected) behavior now for the case of a RW public link + user with R permissions? And viceversa, user with RW permission and R public link? |
I was missing a bit of context, sorry... if the logged in user has access to the file/folder referenced by the public link, we redirect the user to the file in the authenticated context. As logged in user you only ever see the public link if you don't have access to the file/folder via a share or space. That being said, for a file For
For
The missing bit for this was that the public link view inside the authenticated session uses the public link basic auth instead of the user auth. That was broken at some point. |
OK, that is clearer now, but the bug is precisely the behavior you have for a
And
IMHO that is confusing and misleading. Can the issue be reopened please? cc @diocas |
Currently, if I open a public link when there's auth context, the UI takes it on the requests it does.
This is an issue because my user might not have the proper permissions on a public link... Remember that, while on internal apps we use the path, for externals we use the id, so the backend will not be able to distinguish if it's a public link or normal access.
I tested with https://ocis.ocis-web.latest.owncloud.works/, where I shared a public link with RW and with a user with R permissions. If I open the file while being logged in as that user, I only get the file with R permissions (eventually, it looks like the refreshes are not working well and I might get the RW permissions, which is even more confusing).
Maybe we should still send the public-token and let the backend decide which is the greater permission (I see a bit of conflict with the fact that password protected links use the Authenticator header as well, though).
ping @kulmann
cc @elizavetaRa @glpatcern
The text was updated successfully, but these errors were encountered: