[BUG] OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD not correct #1429
Comments
|
@kobergj are these env vars somehow exposed to the clients via e.g. capabilities or something? THX |
|
Yes of course. In capabilities: |
|
@dj4oC This is implemented by the iOS app, with the following logic:
This interpretation matches what I could find in the ocis codebase: Can you share the full |
|
What I know is: if there is a read only share, I can remove the password in Web but I cannot on iOS. Web is working correctly. |
|
@dj4oC I'll still need either the full |
If you let me know how to get the information you need, I can provide them |
|
Ok, after looking into it, I came up with these results:
"password": {
"enforced_for": {
"read_only": true,
"read_write": true,
"read_write_delete": true,
"upload_only": true
},
"enforced": false
},To my understanding, if If it is - and with
If it isn't:
(cc @LukasHirt) |
|
You are absolutely right. You can remove a password even if passwords are enforced. Imho this is a major bug. @dj4oC how can this be expected behaviour? I would suggest to fix this asap.
Here the answer is very simple: |
|
No it was intended that you can remove the password for read only shares. So behaviour in web is correct. Creating a share should enforce the password (security by default) in anyway if there is a password policy for public shares. Passwords for shares with edit permission cannot be removed. |
|
@dj4oC So to create a read-only share without passwords I only need to create one with password, then remove it. What's the point in enforcing a password then anyways? Bonus question: Why is this "security by default"? @felix-schwarz sorry for spamming your ticket 😉 |
This is precisely the BSI/LSI obligation we have. It may be possible but the rule says: it is not allowed to CREATE a share without. |
Ok, if
IMO this issue can't be solved as-is. There's a fundamental logical conflict between "passwords are enforced" and "you can just remove it later, so if you don't want to use a password, that's fine, too". Since that behaviour also isn't documented, I, too, would classify this as a security issue that should be fixed. If admins/orgs choose to enable enforcing passwords, they should be able to rely on them actually being enforced - and that a removal is not possible. Be it by choice or by accident. Is that BSI/LSI obligation publicly accessible, so it could be referenced in documentation or code comments? From a technical POV, to support such a behavior transparently and without logical breakage, the password policy part of the capabilities endpoint could be extended, f.ex. via an |
Finding:
Read-Only Public Shares enforce passwords with oCIS
Expected behavior:
If
OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD == falseandOCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD == truethe password should only be enforced for writeable links, not for read only links.Please fix.
Ref: https://owncloud.dev/services/frontend/#password-enforcement-for-all-public-links
Thank you
ping: @DeepDiver1975 @hosy @felix-schwarz
The text was updated successfully, but these errors were encountered: