User can restrict other user's rights unintentionally #1978

Open
cetcondor opened this issue Apr 28, 2022 · 2 comments
Labels: 1. to develop (Issues that are ready for development), bug


cetcondor commented Apr 28, 2022

We encountered a situation in which a user can take away rights from another user in a group folder unjustly, just by sharing contents back with lower rights.

Steps to reproduce

  1. "Office" group has a group folder named "Shared Externally". Each member of "Office" group can Write, Share, Delete in this group folder.
  2. This group folder has subfolders. Each subfolder is shared from an "Office" group service user with another (different) user group. For this example we call the other group "Committee A".
  3. The group "Committee A" has received the share with the right to write and delete, but not to share further.
  4. One person from the "Office" group is a member of both the "Office" and "Committee A" groups. (So s/he sees the group folder in its original hierarchy and additionally also on root level as a received share.)
  5. For a public event, this office person wants to share one document from the "Committee A" subfolder with an open link.
  6. The share seems to be created without problems. But when anyone from outside uses the link, Nextcloud says that the document was not found. When an office person who is not a group member of "Committee A" creates the link, it is available.

Expected behaviour

Group folder rights should be regarded higher than rights that come with share-receiving.
A user that is member of a group with full rights for a group folder should keep the rights, even if someone shares content of a subfolder again.

Actual behaviour

The office group user as mentioned in 1. loses rights, just because someone shared the same content back with lower rights.

Server configuration

Nextcloud version:
Nextcloud Hub II (23.0.4) with all updates

Group folders version:
11.1.2

Are you using external storage, if yes which one:
No

Are you using encryption: yes/no
No

Client configuration

Browser:
Any
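The expected behaviour requested in the report above, as an added sketch that is not part of the issue and is not Nextcloud or Group folders code: when several grants reach the same subfolder, the effective rights are the union of the grants, and an audit function lists users for whom a weaker overlapping grant would remove rights. The permission bit values, the user names and the "weakest grant wins" model of the symptom are assumptions made for illustration; the issue does not state the actual cause.

```python
from enum import IntFlag
from functools import reduce
from operator import and_, or_

class Perm(IntFlag):
    # Constructed bit values for this model only.
    READ = 1
    WRITE = 2
    DELETE = 4
    SHARE = 8

# Constructed grants mirroring the report: both reach the same subfolder.
GRANTS = [
    ("group folder 'Shared Externally'", "Office",
     Perm.READ | Perm.WRITE | Perm.DELETE | Perm.SHARE),
    ("received share of subfolder", "Committee A",
     Perm.READ | Perm.WRITE | Perm.DELETE),
]
# Hypothetical user names.
MEMBERS = {
    "office_only": {"Office"},
    "office_and_committee": {"Office", "Committee A"},
}

def masks_for(user):
    """Permission masks of every grant that reaches the user."""
    return [perms for _, group, perms in GRANTS if group in MEMBERS[user]]

def expected_rights(user):
    """Expected behaviour: the union, so a weaker grant never removes rights."""
    return reduce(or_, masks_for(user), Perm(0))

def restrictive_rights(user):
    """Assumed model of the symptom: the weakest overlapping grant wins."""
    masks = masks_for(user)
    return reduce(and_, masks) if masks else Perm(0)

def shadowed_rights():
    """Audit: users who lose rights because grants overlap, and which ones."""
    report = {}
    for user in MEMBERS:
        lost = expected_rights(user) & ~restrictive_rights(user)
        if lost:
            report[user] = lost
    return report

if __name__ == "__main__":
    for user, lost in shadowed_rights().items():
        print(f"{user}: overlapping grants would remove {lost!r}")
```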

cetcondor added the "0. Needs triage" (Issues that need to be triaged) and "bug" labels on Apr 28, 2022
@XueSheng-GIT

I can reproduce this issue on NC24rc3 with groupfolders 12beta1.
Sharing of files/folders within a groupfolder should work, even if the sharing user itself got a share of this groupfolder without sharing permissions.

Is the following related to this issue in any way?
nextcloud/server#32211
nextcloud/server#30791

@cetcondor

@XueSheng-GIT From what I understand the two other issues are not related to it, because the owner id seems not to be the problem.

provokateurin added the "1. to develop" (Issues that are ready for development) label and removed the "0. Needs triage" (Issues that need to be triaged) label on Sep 17, 2024