Group-based sharing permissions not applied
Steps to reproduce
- Create a (LDAP in our case) group to prevent users from sharing
- Create a user and put it into that group, make sure it is only in that group and no other
- Exclude that created group from sharing on https://yoururl/index.php/settings/admin/sharing
- Make sure nextcloud itself honors that setting
```
-snipped-@-snipped-:~/html/-snipped-$ php occ user:info ttest
  - user_id: ttest
  - display_name: -snipped-
  - email: -snipped-
  - cloud_id: -snipped-
  - enabled: true
  - groups:
    - nextcloud_nosharing
  - quota: none
  - storage:
    - free: 19760390144
    - used: 18342707
    - total: 19778732851
    - relative: 0.09
    - quota: -3
  - last_seen: 2022-06-29T07:50:53+00:00
  - user_directory: /home/-snipped-/data/-snipped-
  - backend: LDAP
```
Expected behavior
Users in that group shouldn't be allowed to create sharing links
Actual behaviour
Users that should be excluded from sharing are still allowed to create links for sharing, and they actually work.
Calendar app version
3.4.0
CalDAV-clients used
Browser
chrome
Client operating system
linux
Server operating system
debian
Web server
Apache
Database engine version
No response
PHP engine version
No response
Nextcloud version
24.0.2
Updated from an older installed version or fresh install
No response
List of activated apps
Enabled:
- accessibility: 1.10.0
- activity: 2.16.0
- admin_audit: 1.14.0
- calendar: 3.4.0
- circles: 24.0.0
- cloud_federation_api: 1.7.0
- comments: 1.14.0
- contactsinteraction: 1.5.0
- dashboard: 7.4.0
- dav: 1.22.0
- federatedfilesharing: 1.14.0
- federation: 1.14.0
- files: 1.19.0
- files_external: 1.16.1
- files_pdfviewer: 2.5.0
- files_rightclick: 1.3.0
- files_sharing: 1.16.2
- files_trashbin: 1.14.0
- files_versions: 1.17.0
- files_videoplayer: 1.13.0
- firstrunwizard: 2.13.0
- logreader: 2.9.0
- lookup_server_connector: 1.12.0
- notifications: 2.12.0
- oauth2: 1.12.0
- password_policy: 1.14.0
- photos: 1.6.0
- privacy: 1.8.0
- provisioning_api: 1.14.0
- recommendations: 1.3.0
- serverinfo: 1.14.0
- settings: 1.6.0
- sharebymail: 1.14.0
- support: 1.7.0
- survey_client: 1.12.0
- systemtags: 1.14.0
- text: 3.5.1
- theming: 1.15.0
- twofactor_backupcodes: 1.13.0
- updatenotification: 1.14.0
- user_ldap: 1.14.1
- user_status: 1.4.0
- viewer: 1.8.0
- weather_status: 1.4.0
- workflowengine: 2.6.0
Disabled:
- encryption
- nextcloud_announcements: 1.11.0
Nextcloud configuration
```
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "-snipped-",
            "-snipped-",
            "-snipped-",
            "-snipped-",
            "-snipped-"
        ],
        "allowed_script_domains": [
            "-snipped-",
            "-snipped-",
            "-snipped-",
            "-snipped-",
            "-snipped-"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "http:\/\/-snipped-",
        "dbtype": "mysql",
        "version": "24.0.2.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "versions_retention_obligation": "auto",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "-snipped-",
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR",
            "HTTP_X_REAL_IP",
            "HTTP_X_FORWARDED_HOST"
        ],
        "overwriteprotocol": "https"
    }
}
```
Web server error log
-
Log file
-
Browser log
-
Additional info
Dup of https://github.com/nextcloud/calendar/issues/2946?
I don't know; to my understanding, those are two different settings that are affected.
It is possibly a matter of interpretation. We also got reports when non-sharing features didn't respect the sharing preferences.
It seems this issue is still an issue.
Sharing of calendars and tasks respects "Restrict users to only share with users in their groups" but does not respect "Exclude groups from creating link shares" and "Exclude groups from sharing (These groups will still be able to receive shares, but not to initiate them.)"
Expected Behaviour: Users who are only part of a restricted group should not be able to create any shares at all. Even in the Calendar app.
- NC-Version: 27.1.4
- Calendar-App: 4.6.0
- Other apps which may interfere (Federation share, Contacts, ...) are not in use
- Default user backend
Setting a group which is unable to create shares is useful, e.g. with, let's say, Guests. But in the current behaviour "Guests" can see other Guests with some minor effort, which breaks the privacy fact.
You can minimize the issue by unchecking "Allow autocompletion .. " and/or "Allow autocompletion when entering the full name or email address", but this is more privacy by obscurity.
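An audit check for the behaviour reported in this thread, as an added example that is not part of the original issue and not Nextcloud's own code: it reads the groups from `occ user:info` output, decides whether sharing should be disabled for each user, and flags shares owned by such users. Assumptions: a user counts as excluded only when every group they belong to is excluded (following the reporter's "only in that group and no other" step), the exclusion list is a JSON array of group ids, and the `mixed` user, `staff` group and share list are constructed sample data.

```python
import json

# Constructed `occ user:info` excerpts, with the nesting occ prints.
USER_INFO = {
    "ttest": "  - user_id: ttest\n  - groups:\n    - nextcloud_nosharing\n  - quota: none\n",
    "mixed": "  - user_id: mixed\n  - groups:\n    - nextcloud_nosharing\n    - staff\n  - quota: none\n",
}
# Assumed form of the exclusion list: a JSON array of group ids.
EXCLUDED_JSON = '["nextcloud_nosharing"]'
# Constructed list of (owner, calendar) pairs that currently have a share.
SHARES = [("ttest", "personal"), ("mixed", "team"), ("ttest", "tasks")]


def parse_groups(user_info):
    """Return the group ids nested under the 'groups:' key."""
    groups, base = [], None
    for line in user_info.splitlines():
        stripped = line.lstrip()
        if not stripped.startswith("- "):
            continue
        indent = len(line) - len(stripped)
        item = stripped[2:].strip()
        if base is None:
            if item == "groups:":
                base = indent
        elif indent > base:
            groups.append(item)
        else:
            break  # back at the parent level: the groups list has ended
    return groups


def sharing_disabled(groups, excluded_json):
    """True only if the user has groups and every one of them is excluded."""
    excluded = set(json.loads(excluded_json))
    return bool(groups) and set(groups) <= excluded


def flag_violations(user_info, excluded_json, shares):
    """Return shares whose owner should not have been able to create them."""
    blocked = {
        uid for uid, text in user_info.items()
        if sharing_disabled(parse_groups(text), excluded_json)
    }
    return [(owner, cal) for owner, cal in shares if owner in blocked]


if __name__ == "__main__":
    for owner, cal in flag_violations(USER_INFO, EXCLUDED_JSON, SHARES):
        print(f"share by excluded user {owner}: {cal}")
```

A user who is also in a non-excluded group (`mixed` here) is not flagged, which is why the reproduction steps insist on a single group membership.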