Use ViewOnlyPlugin when requesting a meta endpoint using WebDAV v2 #39575

Merged: JammingBen merged 2 commits into release-10.9.0 from enterprise/issues/4916 on Dec 9, 2021

@JammingBen JammingBen commented Dec 8, 2021

Description

This fixes an issue where versions of shared files were downloadable using the new WebDAV API despite missing permissions, e.g. when shared via secure view.

Related Issue

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Database schema changes (next release will require increase of minor version instead of patch)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:
  • Changelog item, see TEMPLATE

@JammingBen JammingBen added the labels Type:Bug, app:dav, php (Pull requests that update Php code) Dec 8, 2021
@JammingBen JammingBen self-assigned this Dec 8, 2021

JammingBen commented Dec 8, 2021

The original issue https://github.com/owncloud/enterprise/issues/4916 mentions this only in regards to versions, but it seems that the missing permission check affects the whole WebDAV v2 API.

I'm quite excited for the acceptance test results. @phil-davis Do you know if this scenario is somehow tested? I feel that we have very good coverage of those kinds of scenarios, but maybe this one slipped.

@JammingBen

> The original issue owncloud/enterprise#4916 mentions this only in regards to versions, but it seems that the missing permission check affects the whole WebDAV v2 API.

Ahh no, my bad, it should work in general for the new WebDAV API. It's really linked to versions (=meta) in specific.

@JammingBen JammingBen force-pushed the enterprise/issues/4916 branch from 156ada6 to 78fe325 Compare December 8, 2021 11:19
@JammingBen JammingBen changed the title from "Add ViewOnlyPlugin when using new webDAV API" to "Use ViewOnlyPlugin when requesting a meta endpoint using WebDAV v2" Dec 8, 2021
@ownclouders

💥 Acceptance tests pipeline webUIMobileSize-3-1-chrome-mariadb10.2-php7.4 failed. The build has been cancelled.

https://drone.owncloud.com/owncloud/core/33960/167/1

@ownclouders

💥 Acceptance tests pipeline apiSharePublicLink2-mariadb10.2-php7.4 failed. The build has been cancelled.

https://drone.owncloud.com/owncloud/core/33962/72/1

sonarqubecloud bot commented Dec 8, 2021

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 0 (rating A)
  • Coverage: 100.0%
  • Duplication: 0.0%

@JammingBen JammingBen merged commit 8b25787 into release-10.9.0 Dec 9, 2021
@delete-merged-branch delete-merged-branch bot deleted the enterprise/issues/4916 branch December 9, 2021 07:26