Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

External apps not working properly in public links with auth context #8486

Open
diocas opened this issue Feb 21, 2023 · 7 comments
Open

External apps not working properly in public links with auth context #8486

diocas opened this issue Feb 21, 2023 · 7 comments
Labels
Early-Adopter:CERN Type:Bug Something isn't working

Comments

@diocas
Copy link
Contributor

diocas commented Feb 21, 2023

Currently, if I open a public link when there's auth context, the UI takes it on the requests it does.
This is an issue because my user might not have the proper permissions on a public link... Remember that, while on internal apps we use the path, for externals we use the id, so the backend will not be able to distinguish if it's a public link or normal access.

I tested with https://ocis.ocis-web.latest.owncloud.works/, where I shared a public link with RW and with a user with R permissions. If I open the file while being logged in as that user, I only get the file with R permissions (eventually, it looks like the refreshes are not working well and I might get the RW permissions, which is even more confusing).

Maybe we should still send the public-token and let the backend decide which is the greater permission (I see a bit of conflict with the fact that password protected links use the Authenticator header as well, though).

ping @kulmann
cc @elizavetaRa @glpatcern

@diocas diocas added the Type:Bug Something isn't working label Feb 21, 2023
@glpatcern
Copy link

To add to this, and discussing with Gianmaria @gmgigi96: this should really be handled by the backend, at the cost of a double stat for each resource that is accessed via public link (one on behalf of the owner, one on behalf of the user).

For passwordless links, there's no need for passing an additional header and the backend can sort things out. For password-protected links, this is to be thought through - a separate header could be used to validate the password and then the same double stat logic would apply.

For the time being though, we'd need a workaround on the frontend - just don't pass the auth context, as it was before. The proper implementation in the backend does require a bit of work (and a separate issue should be opened in Reva).

@glpatcern
Copy link

To be noted that I discovered the issue with apps, but I expect that any access be affected. E.g. a user with read-only access to a folder + read-write public link -> no upload is allowed with the user's auth context.

diocas added a commit to cernbox/web that referenced this issue Jun 1, 2023
So that we do not become the user in public links, which would generate wrong requests when a user is logged in.
Reported in owncloud#8486
@tbsbdr
Copy link

tbsbdr commented Jun 13, 2023

relates to: a5b1717

@kulmann
Copy link
Contributor

kulmann commented Jul 18, 2024

This has been solved meanwhile. Tested in ocis v5.0.6 (which has the latest web v8.0.4) and ocis v6.1.0 (rolling release, which has the latest web v9.1.0). Works fine. The external app always uses the basic auth public link Authorization headers, even when a user is logged in in the same tab.

@kulmann kulmann closed this as completed Jul 18, 2024
@glpatcern
Copy link

The external app always uses the basic auth public link Authorization headers, even when a user is logged in in the same tab.

Hi Benedikt, I don't understand how that "fixes" the issue: what is the (expected) behavior now for the case of a RW public link + user with R permissions? And viceversa, user with RW permission and R public link?

@kulmann
Copy link
Contributor

kulmann commented Jul 18, 2024

I was missing a bit of context, sorry... if the logged in user has access to the file/folder referenced by the public link, we redirect the user to the file in the authenticated context. As logged in user you only ever see the public link if you don't have access to the file/folder via a share or space.

That being said, for a file x.md and a logged in user:

For R share and RW public link:

  • you'll get redirected into the share, if you want to use the public link with the higher permissions you need to use a private browser window
  • if you don't have the share but only the RW public link, you'll see the RW public link view inside your authenticated session

For RW share and R public link:

  • you'll get redirected into the share, having RW permissions. If you want to use the public link with lesser permissions, you need to use a private browser window
  • if you don't have the share but only the R public link, you'll see the R public link view inside your authenticated session

The missing bit for this was that the public link view inside the authenticated session uses the public link basic auth instead of the user auth. That was broken at some point.

@glpatcern
Copy link

OK, that is clearer now, but the bug is precisely the behavior you have for a R share and a RW public link. See the original post:

...where I shared a public link with RW and with a user with R permissions.

And

if you want to use the public link with the higher permissions you need to use a private browser window

IMHO that is confusing and misleading. Can the issue be reopened please? cc @diocas

@kulmann kulmann reopened this Jul 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Early-Adopter:CERN Type:Bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants