-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent recursive copy/move operations on the API level #3009
Conversation
f59eaf0
to
ca09131
Compare
9e88aa8
to
a37ef2e
Compare
3b5e1b9
to
f44e9e8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see now why you were unhappy. Doing a GetPath request as the owner requires ocdav to know the machine auth api key ...
what would happen if we send the GetPath as the current user?
In theory the storage driver should give us a path relative to the same root when calling GetPath with two different references. Each call should look up the highest resourceid the user has access to and we should be able to compare the path. We can also check thet the references resourceid that we get in GetPath is the same ... dang ... GetPath has no resource id ... fck
I remember discussing having to extend GetPath with the space root for exactly this reason ... maybe in #1721 (comment)
Then again, we extended ResourceInfo
with Name
and could use the filedmask to query Path
and Space
in a Stat request instead of a GetPath request ... 🤔
if isShareJailRoot(req.ResourceId) { | ||
return &provider.GetPathResponse{ | ||
Status: status.NewOK(ctx), | ||
Path: "/", | ||
}, nil | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 minimal implementation so we can get the path to the share jail root
@@ -690,7 +703,8 @@ func (s *service) Stat(ctx context.Context, req *provider.StatRequest) (*provide | |||
PermissionSet: &provider.ResourcePermissions{ | |||
// TODO | |||
}, | |||
Etag: shareMd[earliestShare.Id.OpaqueId].ETag, | |||
Etag: shareMd[earliestShare.Id.OpaqueId].ETag, | |||
Owner: owner.Id, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 yes, the share jail is always owned by the current user
} | ||
if isChild { | ||
w.WriteHeader(http.StatusBadRequest) | ||
b, err := errors.Marshal(http.StatusBadRequest, "can not copy a folder into one of its children", "") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
@aduffeck this is good and fixes the loop. cc: @butonic Now the related test fails because the API request returns HTTP status 400 in this case. But oC10 returns 409 in this case. Is it easy to make another PR that adjusts the return status to 409? See my updated issue owncloud/ocis#3023 and PR #3030 that enables the test again. |
@phil-davis changing the response code will be a trivial change. I'll prepare a PR soon. |
Done in #3031 and works. @aduffeck what happens about reva master branch? Do we backport this type of fix? reva master branch also has the |
* Prevent recursive copy/move operations on the API level * Add changelog * Enable machine auth in ocdav * Fix error message * Also detect recursive operations when the SSP is involved * Fix hound issues * Set the owner on the stat response to the share jail * Implement GetPath() for the share jail root * Return a better error when the ocdav machine auth config is missing
* Prevent recursive copy/move operations on the API level * Add changelog * Enable machine auth in ocdav * Fix error message * Also detect recursive operations when the SSP is involved * Fix hound issues * Set the owner on the stat response to the share jail * Implement GetPath() for the share jail root * Return a better error when the ocdav machine auth config is missing
Fixes owncloud/ocis#3992
and owncloud/ocis#3023
and owncloud/ocis#4098
(people keep reporting this!)