-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
step-up not triggered, 'this operation is forbidden' #90
Comments
This is with commit 21ed0179b4b of the mfazones app, and it looks like neither SUNET/nextcloud-mfazones#10 nor SUNET/nextcloud-mfazones#11 covers this. #10 provides the step-up when trying to add the MFA requirement (this can be seen in the screencast and also in our new sunet-custom test setup: |
The added tab view is registered through https://github.com/nextcloud/server/blob/master/apps/files/js/filelist.js#L3884 |
We're testing this with https://github.com/pondersource/nextcloud-mfa-awareness#setup-gsssh-testnet |
Steps to reproduce:
ExpectedYou will see a popup saying 'Enable MFA to enter this MFA Zone' Actual
|
Not sure how I did this earlier but I'm now seeing the files app is empty on http://sunet-nc2 over http but works OK on https://sunet-nc2 over https. |
@yasharpm any progress on the backend service that returns the MFA Zone filenames contained in a given folder? |
@michielbdejong Just started to work on this. I'm gonna make sure that we can put our actions on specific files in the list first. Next step would be to retrieve the MFA file list from the backend. Because it might be that we already have the file tags on the list items. |
This function is called on the file list with an array of the files for the current folder: |
And in that array of files we have the file id which we can use to query the back-end. |
My problem right now is to somehow intercept the call to this function to acquire the list of files and then return the control back to the original |
@michielbdejong I am blocked on the above. const originalSetFiles = fileList.setFiles;
fileList.setFiles = function(filesArray) {
console.log('FILES ARRAY', filesArray)
originalSetFiles(filesArray)
} Is the closest I have come to getting it working. But I am getting this error in js console logs:
My understanding is that the super function is getting called but it can not resolve |
That particular problem can probably be solved by binding the IIUC the problem we're trying to solve here is to know how to set the What if we register the action for all icons, and then run some extra JavaScript to hide the icon for files that are not MFA Zones, and also to change the colour if the current user session is not MFA verified? |
As discussed, the second option would get messy when the file list changes and we don't notice. So let's go with the |
After a conversation with @michielbdejong we decided to add a plugin to the file dav that would add an additional field to the file properties which would tell us if the file is MFA protected and accessible or not. Luckily the dav app allows installed apps to register their own plugins by design. Here is the code that refers to the apps. I am now reading the source for the PluginManager to see what I need to do to make it possible. |
Registered a plugin and I am receiving the propfind call and added a random property to files to see how it looks like on the other end. Next stop is that I have to modify the list of requested properties on the JS client side. This one seems easy enough. |
I have pushed the changes so far to the |
I'm checking out https://github.com/pondersource/mfazones/tree/issue_90 now |
OK I finally got past #102 and am now able to fully reproduce #90 (comment) on my laptop again. |
I see it logging "No read permissions. This might be caused by files_accesscontrol, check your configured rules" server-side for |
Should whitelist our property in https://github.com/nextcloud/server/blob/master/core/src/files/client.js |
Need to make this change in a the nextcloud source, then build, then add a line to copy it into the dist/ folder in the container https://github.com/pondersource/dev-stock/blob/main/docker/dockerfiles/nextcloud-sunet.Dockerfile#L168 |
Note to self: I downloaded https://download.nextcloud.com/.customers/server/26.0.7-153512ec/nextcloud-26.0.7-enterprise.zip |
In that folder, running:
But it says it's missing |
new dev setup for this:
|
I can see |
it seems the requires-mfa property is present in the PROFIND response body but I'm not sure where the XML parsing is taking place, and whether there is still some filter there, or perhaps it's in a different place. maybe https://www.npmjs.com/package/davclient.js is filtering? |
It's very cumbersome to be adding debug statements into NC core JS files, then building patches for them, then building docker images with those patches, then setting up the dev env with those rebuilt images, running the experiment again, and then observing 1 debug value. I now got a patch that doesn't apply cleanly. Maybe it's because I made changes to package-lock.json. Will either have to try to freshly generate a patch from v26.0.7 or find a better modus operandi. |
Now rebuilding v26.0.7, will re-apply 1ecbeda9ec4 when done. |
OK, got that working! After 5 weeks ... sorry for the delay! Now I just have to fix:
|
Got past that by using a closure. Next error: |
it works! So maybe all this work went into creating a feature that is not even useful, except for people who had MFA before and disconfigured it. Anyway, for the file owner it works so let's ship it and discuss in the new year. |
Split-out from #89 (comment)
The text was updated successfully, but these errors were encountered: