Lost permission when received multiple shares on the same resource
Describe the bug
- userA creates a folder with a txt file in it
- userA shares that folder with userB with "Can edit" permissions
- userA shares that same folder to some groups which userB is a member of with "Can view" permissions
- userB opens the file in the shared folder for editing and makes some changes
- userB tries to save that file -> an error message is displayed "share does not grant InitiateFileUpload permission"
see attached video:
Screencast_20240215_153045-1.webm
I think the bug is in the sharestorageprovider, it only checks the permissions on the single share which the upload was tried on (https://github.com/cs3org/reva/blob/edge/internal/grpc/services/sharesstorageprovider/sharesstorageprovider.go#L243). But there might be more shares for the same resource giving different permissions.
Ideally we would not need to do that check in the sharestorageprovider and just forward the request to the "real" storageprovider. It should deal with it accordingly.
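An added illustration of the check described in this report, not part of the original post and not reva's code: a per-share permission check next to one that merges every share the user received on the resource. The `Perm` and `Share` types, the function names and the sample data are hypothetical, and taking the union of the grants as the effective permission is an assumption.

```go
package main

import "fmt"

// Perm is a hypothetical bitmask standing in for the provider's permission set.
type Perm uint8

const (
	InitiateFileDownload Perm = 1 << iota
	InitiateFileUpload
)

// Share is a hypothetical received share: one grant on one resource.
type Share struct {
	ID, ResourceID string
	Perms          Perm
}

// singleShareAllows models the reported check: only the resolved share is consulted.
func singleShareAllows(resolved Share, want Perm) bool {
	return resolved.Perms&want == want
}

// mergedAllows ORs the permissions of every share received on the resource first.
func mergedAllows(received []Share, resourceID string, want Perm) bool {
	var eff Perm
	for _, s := range received {
		if s.ResourceID == resourceID {
			eff |= s.Perms
		}
	}
	return eff&want == want
}

// sampleShares is constructed data: a direct "Can edit" share and a group
// "Can view" share on the same folder, both received by userB.
func sampleShares() []Share {
	return []Share{
		{"user-share", "folder", InitiateFileDownload | InitiateFileUpload},
		{"group-share", "folder", InitiateFileDownload},
	}
}

func main() {
	shares := sampleShares()
	for _, s := range shares {
		fmt.Println(s.ID, singleShareAllows(s, InitiateFileUpload), mergedAllows(shares, "folder", InitiateFileUpload))
	}
}
```

With the per-share check the result depends on which share the request resolves to, which matches the intermittent 403/204 seen later in this thread; the merged check gives the same answer for either share.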
I am not getting that error in the latest master
Screencast from 21-2-24 03:01:19 अपराह्न +0545.webm
ocis build ownCloud Web UI 8.0.0-rc.5 Infinite Scale 5.1.0-prealpha+5a7d498e67 Community
> I am not getting that error in the latest master
Yeah, it does not happen all the time. I guess you've been lucky.
> I am not getting that error in the latest master
> Screencast.from.21-2-24.03.01.19.+0545.webm ocis build ownCloud Web UI 8.0.0-rc.5 Infinite Scale 5.1.0-prealpha+5a7d498e67 Community
The issue exists as mentioned by @rhafer but the error message is changed on UI.
Screencast from 2024-02-26 14-42-01.webm
Test environment setup:
ownCloud Web UI 8.0.0-rc.5
Infinite Scale 5.1.0-prealpha+e55d17e9f Community (latest master)
Response:
<d:error
xmlns:d="DAV"
xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\Forbidden</s:exception>
<s:message>share does not grant InitiateFileDownload permission</s:message>
</d:error>
Note: this issue is blocking #8576 which tries to add some tests.
I have followed the steps to reproduce as given in the issue:
- step 1: userA creates a folder with a txt file in it
- step 2: userA shares that folder with userB with "Can edit" permissions
- step 3: userA shares that same folder to some groups which userB is a member of with "Can view" permissions
- step 4: userB opens the file in the shared folder for editing and makes some changes
While editing the file, I tested with the following two APIs:
1. Using the WebDAV API
curl -XPUT 'https://localhost:9200/remote.php/dav/files/userB/Shares/Folder/file.txt' -d 'owncloud testing' -u userB:password -kv
Output:
- Sometimes returns status code 403.
- Sometimes returns status code 204.
2. Using the Spaces DAV API
curl -XPUT 'https://localhost:9200/remote.php/dav/spaces/<share-space-id-of-userB>/Folder/textfile0.txt' -d 'owncloud testing' -u userB:password -kv
Output:
- Sometimes returns status code 403.
- Sometimes returns status code 204.
But in case of mount ID
Using the mount ID API always returns a 204 status code:
curl -XPUT 'https://localhost:9200/remote.php/dav/spaces/<mount-id>/file.txt' -d 'hello world' -u userB:password -kv
The problem with the mount ID is that:
When listing User B's drives using the following command we got two mount IDs:
curl -XGET 'https://localhost:9200/graph/v1beta1/me/drives' -u userB:password -vk
Output:
{
"value": [
{
"driveAlias": "virtual/shares",
"driveType": "virtual",
"id": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668",
"lastModifiedDateTime": "2024-12-16T16:15:32.600666293+05:45",
"name": "Shares",
"root": {
"eTag": "\"799214003e542e7b8f3531579a0b8775\"",
"id": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668",
"webDavUrl": "https://localhost:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668"
},
"webUrl": "https://localhost:9200/f/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668"
},
{
"driveAlias": "personal/userB",
"driveType": "personal",
"id": "96134e33-beb1-49a3-8aaa-9098a038a47c$94352569-e08d-4fbb-a1a9-aa2fbc62b2cc",
"lastModifiedDateTime": "2024-12-16T16:10:59.041884257+05:45",
"name": "userB",
"owner": {
"user": {
"displayName": "",
"id": "94352569-e08d-4fbb-a1a9-aa2fbc62b2cc"
}
},
"quota": {
"remaining": 9223372036854775807,
"state": "normal",
"total": 0,
"used": 28
},
"root": {
"eTag": "\"c3b7c2940e0d937f4ecc04e6fd56a858\"",
"id": "96134e33-beb1-49a3-8aaa-9098a038a47c$94352569-e08d-4fbb-a1a9-aa2fbc62b2cc",
"webDavUrl": "https://localhost:9200/dav/spaces/96134e33-beb1-49a3-8aaa-9098a038a47c$94352569-e08d-4fbb-a1a9-aa2fbc62b2cc"
},
"webUrl": "https://localhost:9200/f/96134e33-beb1-49a3-8aaa-9098a038a47c$94352569-e08d-4fbb-a1a9-aa2fbc62b2cc"
},
{
"driveAlias": "mountpoint/folder",
"driveType": "mountpoint",
"id": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668!96134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:4f4ad6ba-8e17-470f-99b0-83e28d4d8bce",
"name": "Folder",
"owner": {
"user": {
"displayName": "",
"id": "19433836-d96a-4aa2-95a7-1bf95e8626d4"
}
},
"root": {
"id": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668!96134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:4f4ad6ba-8e17-470f-99b0-83e28d4d8bce",
"remoteItem": {
"driveAlias": "personal/alice",
"eTag": "\"799214003e542e7b8f3531579a0b8775\"",
"folder": {},
"id": "96134e33-beb1-49a3-8aaa-9098a038a47c$19433836-d96a-4aa2-95a7-1bf95e8626d4!90b29c88-bf97-431b-986f-f01f9d21f1b1",
"lastModifiedDateTime": "2024-12-16T16:15:32.600666293+05:45",
"name": "Folder",
"path": "/Folder",
"rootId": "96134e33-beb1-49a3-8aaa-9098a038a47c$19433836-d96a-4aa2-95a7-1bf95e8626d4!19433836-d96a-4aa2-95a7-1bf95e8626d4",
"size": 10,
"webDavUrl": "https://localhost:9200/dav/spaces/96134e33-beb1-49a3-8aaa-9098a038a47c$19433836-d96a-4aa2-95a7-1bf95e8626d4%2119433836-d96a-4aa2-95a7-1bf95e8626d4/Folder"
},
"webDavUrl": "https://localhost:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668%2196134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:4f4ad6ba-8e17-470f-99b0-83e28d4d8bce"
},
"webUrl": "https://localhost:9200/f/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668%2196134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:4f4ad6ba-8e17-470f-99b0-83e28d4d8bce"
},
{
"driveAlias": "mountpoint/folder",
"driveType": "mountpoint",
"id": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668!96134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:6faa0d94-76b4-4c16-9124-11f95f790d1e",
"name": "Folder",
"owner": {
"user": {
"displayName": "",
"id": "19433836-d96a-4aa2-95a7-1bf95e8626d4"
}
},
"root": {
"id": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668!96134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:6faa0d94-76b4-4c16-9124-11f95f790d1e",
"remoteItem": {
"driveAlias": "personal/alice",
"eTag": "\"799214003e542e7b8f3531579a0b8775\"",
"folder": {},
"id": "96134e33-beb1-49a3-8aaa-9098a038a47c$19433836-d96a-4aa2-95a7-1bf95e8626d4!90b29c88-bf97-431b-986f-f01f9d21f1b1",
"lastModifiedDateTime": "2024-12-16T16:15:32.600666293+05:45",
"name": "Folder",
"path": "/Folder",
"rootId": "96134e33-beb1-49a3-8aaa-9098a038a47c$19433836-d96a-4aa2-95a7-1bf95e8626d4!19433836-d96a-4aa2-95a7-1bf95e8626d4",
"size": 10,
"webDavUrl": "https://localhost:9200/dav/spaces/96134e33-beb1-49a3-8aaa-9098a038a47c$19433836-d96a-4aa2-95a7-1bf95e8626d4%2119433836-d96a-4aa2-95a7-1bf95e8626d4/Folder"
},
"webDavUrl": "https://localhost:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668%2196134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:6faa0d94-76b4-4c16-9124-11f95f790d1e"
},
"webUrl": "https://localhost:9200/f/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668%2196134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:6faa0d94-76b4-4c16-9124-11f95f790d1e"
}
]
}
Here, in the response/output above, we have two mount IDs returned. It's unclear which mount ID to use because I think:
- One mount ID is for the group.
- Another is for the user.
Additional Issue:
If the wrong mount ID is used, the API returns a 403 status code.
I'm not clear about which mount ID needs to be selected. It would be helpful to have guidance on how to correctly identify and choose the appropriate mount ID.
NOTE: when mount id =
a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668!96134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:6faa0d94-76b4-4c16-9124-11f95f790d1e
returns 204, but with mount id =
a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668!96134e33-beb1-49a3-8aaa-9098a038a47c:19433836-d96a-4aa2-95a7-1bf95e8626d4:4f4ad6ba-8e17-470f-99b0-83e28d4d8bce
returns 403
^ CC @kobergj @2403905
^ CC @2403905
To sum up the issue:
Action: File and folder creation in the received share (myfolder)
✅ Works using:
- mount-id of editor share (create WITH content)
  curl -XPUT 'https://localhost:9200/remote.php/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668...<mount-id>/lorem.txt' \
    -d"lorem" -usharee:pass -vk
- remote item id (create WITH content)
  curl -XPUT 'https://localhost:9200/remote.php/dav/spaces/<remote-item-id>/lorem.txt' \
    -d"lorem" -usharee:pass -vk
- mount-id of viewer share (create WITHOUT content)
  curl -XPUT 'https://localhost:9200/remote.php/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668...<mount-id>/loremx.txt' \
    -usharee:pass -vk
- dav paths (create WITHOUT content): old, new, spaces
  # old
  curl -XPUT 'https://localhost:9200/remote.php/webdav/Shares/myfolder/oldav.txt' \
    -usharee:pass -vk
  # new
  curl -XPUT 'https://localhost:9200/remote.php/dav/files/sharee/Shares/myfolder/newdav.txt' \
    -usharee:pass -vk
  # spaces
  curl -XPUT 'https://localhost:9200/remote.php/dav/spaces/<shares-space-id>/myfolder/spacesdav.txt' \
    -usharee:pass -vk
- spaces path (FOLDER creation)
  curl -XMKCOL 'https://localhost:9200/remote.php/dav/spaces/<shares-space-id>/myfolder/testFolder' \
    -usharee:pass -vk
- mount-id of viewer share (FOLDER creation)
  curl -XMKCOL 'https://localhost:9200/remote.php/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668...<mount-id>/folder1' \
    -usharee:pass -vk
❌ Fails using:
- dav paths (file WITH content): old, new, spaces
  # old
  # new
  curl -XPUT 'https://localhost:9200/remote.php/dav/files/sharee/Shares/myfolder/newdav.txt' \
    -d"lorem" -usharee:pass -vk
  # spaces
  curl -XPUT 'https://localhost:9200/remote.php/dav/spaces/<shares-space-id>/myfolder/spacesdav.txt' \
    -d"lorem" -usharee:pass -vk
  <d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns">
    <s:exception>Sabre\DAV\Exception\Forbidden</s:exception>
    <s:message>share does not grant InitiateFileDownload permission</s:message>
    <s:errorcode></s:errorcode>
  </d:error>
- mount-id of viewer share (file WITH content)
  curl -XPUT 'https://localhost:9200/remote.php/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668...<mount-id>/loremx.txt' \
    -d"lorem" -usharee:pass -vk
- old and new paths (FOLDER creation)
  # old
  curl -XMKCOL 'https://localhost:9200/remote.php/webdav/Shares/myfolder/olddavFol' \
    -usharee:pass -vk
  # new
  curl -XMKCOL 'https://localhost:9200/remote.php/dav/files/sharee/Shares/myfolder/newdavFol' \
    -usharee:pass -vk
  <d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns">
    <s:exception></s:exception>
    <s:message>internal error: too many spaces returned</s:message>
    <s:errorcode></s:errorcode>
  </d:error>
And as per my testing, these behaviours are not flaky (at least for now).
> And as per my testing, these behaviours are not flaky (at least for now).
Nah, sometimes everything works fine leading to flaky behavior. See: https://drone.owncloud.com/owncloud/ocis/45564/33/5
Then user "Brian" should be able to upload file "filesForUpload/lorem.txt" to "Shares/Folder/lorem.txt" # FeatureContext::userShouldBeAbleToUploadFileTo()
And user "Brian" should be able to create folder "Shares/Folder/testFolder" # FeatureContext::userShouldBeAbleToCreateFolder()
And as "Alice" file "Folder/lorem.txt" should exist # FeatureContext::asFileOrFolderShouldExist()
And as "Alice" folder "Folder/testFolder" should exist # FeatureContext::asFileOrFolderShouldExist()
Examples:
| dav-path-version |
| old |
Failed step: Then user "Brian" should be able to upload file "filesForUpload/lorem.txt" to "Shares/Folder/lorem.txt"
HTTP status code was not 201 or 204 while trying to upload file 'Shares/Folder/lorem.txt'
Failed asserting that an array contains 403.
| new | ✅ file creation passed
Failed step: And user "Brian" should be able to create folder "Shares/Folder/testFolder"
HTTP status code was not 201 or 204 while trying to create folder 'Shares/Folder/testFolder' for user 'Brian'
Failed asserting that an array contains 500.
| spaces | ✅ file/folder creation passed
runsh: Total unexpected passed scenarios throughout the test run:
apiSharingNgShares/sharedWithMe.feature:5408