
Normal users can update the public link to delete its password if permission is not sent in data #7821

Closed
SwikritiT opened this issue Nov 28, 2023 · 6 comments · Fixed by #7862

@SwikritiT
Contributor

SwikritiT commented Nov 28, 2023

Describe the bug

Normal users can update the public link to delete its password if permission is not sent in the data

Steps to reproduce

  1. As user Einstein create a folder hello
  2. Make a public link for the folder
     curl -XPOST "https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/shares" -u einstein:relativity -vk --form 'path="hello"' --form 'shareType=3' --form 'permissions=15' --form 'password=#Passw0rd'
  3. Update the created public link by updating the password to be null (don't send permissions)
     curl -XPUT "https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/shares/<shareId>" -u einstein:relativity -vk --form 'path="hello"' --form 'shareType=3' --form 'password='

Expected behavior

When we make the same request by sending permissions in the data we get HTTP 200 (maybe this needs to be 400 or some 4xx status code?) and OCS 400 with some error message. So the behaviour should also be the same when we try to update the public link without sending the permissions.

curl -XPUT "https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/shares/<shareId>" -u einstein:relativity -vk --form 'path="hello"' --form 'shareType=3' --form 'permissions=15' --form 'password='
Response

< HTTP/1.1 200 OK
< Content-Length: 157
< Content-Type: text/xml; charset=utf-8
< Date: Tue, 28 Nov 2023 08:43:40 GMT
< Ocs-Api-Version: 1
< Vary: Origin
< X-Request-Id: swikriti-OptiPlex-3070/WkhudReKNI-014705
< 
<?xml version="1.0" encoding="UTF-8"?>
<ocs><meta><status>error</status><statuscode>400</statuscode><message>missing required password</message></meta></ocs>

Actual behavior

The request returns 200 and the password is removed, you can access the public link from a browser without a password

Response

< HTTP/1.1 200 OK
< Content-Length: 1650
< Content-Type: text/xml; charset=utf-8
< Date: Tue, 28 Nov 2023 08:27:57 GMT
< Ocs-Api-Version: 1
< Vary: Origin
< X-Request-Id: swikriti-OptiPlex-3070/WkhudReKNI-003577
< 
<?xml version="1.0" encoding="UTF-8"?>

<ocs>
	<meta>
		<status>ok</status>
		<statuscode>100</statuscode>
		<message>OK</message>
	</meta>
	<data>
		<id>EvbqWcHxbKzynpA</id>
		<share_type>3</share_type>
		<uid_owner>einstein</uid_owner>
		<displayname_owner>Albert Einstein</displayname_owner>
		<additional_info_owner>[email protected]</additional_info_owner>
		<permissions>15</permissions>
		<stime>1701160009</stime>
		<parent></parent>
		<expiration></expiration>
		<token>nKaaMatjuZuziUu</token>
		<uid_file_owner>einstein</uid_file_owner>
		<displayname_file_owner>Albert Einstein</displayname_file_owner>
		<additional_info_file_owner>[email protected]</additional_info_file_owner>
		<state>0</state>
		<path>/hello</path>
		<item_type>folder</item_type>
		<mimetype>httpd/unix-directory</mimetype>
		<space_id>e060c3f3-ca67-4a28-88e7-3f7bb8e3e629$4c510ada-c86b-4815-8820-42cdf82c3d51!4c510ada-c86b-4815-8820-42cdf82c3d51</space_id>
		<space_alias>personal/einstein</space_alias>
		<storage_id>shared::/hello</storage_id>
		<storage>0</storage>
		<item_source>e060c3f3-ca67-4a28-88e7-3f7bb8e3e629$4c510ada-c86b-4815-8820-42cdf82c3d51!27fa742d-071c-48f1-b824-2b7332b93159</item_source>
		<file_source>e060c3f3-ca67-4a28-88e7-3f7bb8e3e629$4c510ada-c86b-4815-8820-42cdf82c3d51!27fa742d-071c-48f1-b824-2b7332b93159</file_source>
		<file_parent>e060c3f3-ca67-4a28-88e7-3f7bb8e3e629$4c510ada-c86b-4815-8820-42cdf82c3d51!4c510ada-c86b-4815-8820-42cdf82c3d51</file_parent>
		<file_target>/hello</file_target>
		<share_with_user_type>0</share_with_user_type>
		<share_with_additional_info></share_with_additional_info>
		<mail_send>0</mail_send>
		<name></name>
		<url>https://localhost:9200/s/nKaaMatjuZuziUu</url>
		<hidden>false</hidden>
	</data>
</ocs>

Setup


OCIS_INSECURE=true
OCIS_ASYNC_UPLOADS=true
IDM_CREATE_DEMO_USERS=true
OCIS_LOG_LEVEL=error
PROXY_ENABLE_BASIC_AUTH=true

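The bug reported above is a partial-update validation bypass: the "must have password" rule runs only on the code path that handles a sent permissions field, so leaving permissions out of the PUT body skips the rule and the empty password is stored. The Go model below is an added example written for this page, not ocis code; the types, function names, and the policy flags (stand-ins for OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD and OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, whose real semantics and defaults are assumed here) are hypothetical. It shows the vulnerable shape next to the hardened one, which merges the request into the stored share and validates the effective state rather than the request.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example (not ocis code): a minimal model of a public-link update
// handler, showing why the reported bypass happens and how to close it.
// Names, types and the policy semantics below are assumptions for
// illustration only.

// OCS permission bits: 1 = read, 2 = update, 4 = create, 8 = delete, 16 = share.
const permRead = 1

// Share is the stored state of one public link (hypothetical, minimal).
type Share struct {
	Permissions int
	Password    string // "" means the link has no password
}

// UpdateRequest holds only the form fields the client actually sent;
// a nil pointer means "field absent from the PUT body".
type UpdateRequest struct {
	Permissions *int
	Password    *string
}

// Policy stands in for OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD and
// OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD; the exact
// semantics and defaults are assumed here, not taken from ocis.
type Policy struct {
	AllSharesNeedPassword       bool
	WriteableSharesNeedPassword bool
}

var ErrMissingPassword = errors.New("missing required password")

// isWriteable is true when any bit beyond read is set.
func isWriteable(perms int) bool { return perms&^permRead != 0 }

// requiresPassword evaluates the policy against a permission value.
func requiresPassword(p Policy, perms int) bool {
	return p.AllSharesNeedPassword || (p.WriteableSharesNeedPassword && isWriteable(perms))
}

// updateVulnerable reproduces the reported behaviour: the password rule is
// only evaluated on the branch that handles a sent "permissions" field, so
// a PUT with password="" and no permissions silently clears the password.
func updateVulnerable(p Policy, s Share, req UpdateRequest) (Share, error) {
	if req.Permissions != nil {
		pw := s.Password
		if req.Password != nil {
			pw = *req.Password
		}
		if requiresPassword(p, *req.Permissions) && pw == "" {
			return s, ErrMissingPassword
		}
		s.Permissions = *req.Permissions
	}
	if req.Password != nil {
		s.Password = *req.Password // unchecked path: the bypass
	}
	return s, nil
}

// updateHardened merges the request into the stored share first and then
// validates the effective state, so the rule cannot be skipped by leaving
// fields out of the request.
func updateHardened(p Policy, s Share, req UpdateRequest) (Share, error) {
	next := s
	if req.Permissions != nil {
		next.Permissions = *req.Permissions
	}
	if req.Password != nil {
		next.Password = *req.Password
	}
	if requiresPassword(p, next.Permissions) && next.Password == "" {
		return s, ErrMissingPassword
	}
	return next, nil
}

func main() {
	policy := Policy{WriteableSharesNeedPassword: true}  // assumed setting
	link := Share{Permissions: 15, Password: "#Passw0rd"} // values from the report
	empty := ""
	req := UpdateRequest{Password: &empty} // password="", permissions absent

	got, err := updateVulnerable(policy, link, req)
	fmt.Printf("vulnerable: err=%v password=%q\n", err, got.Password)
	got, err = updateHardened(policy, link, req)
	fmt.Printf("hardened:   err=%v password=%q\n", err, got.Password)
}
```

The design point is that a policy over the share's state has to be checked against the state that will be persisted, not against whichever subset of fields the client chose to send. Merging first also keeps legitimate partial updates working: under the writeable-only policy a link reduced to read-only may drop its password, and a password-only change leaves the permissions alone.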

@ScharfViktor
Contributor

wow, good catch

2403905 self-assigned this Nov 29, 2023
@2403905
Contributor

2403905 commented Nov 29, 2023

@SwikritiT What are the values for the OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD and OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in this case?

The HTTP 200 with the error code and message in a response body is expected when the request fails.

@ScharfViktor
Contributor

I could reproduce it without extra envs. Just start ocis by default

@SwikritiT
Contributor Author

SwikritiT commented Nov 30, 2023

> @SwikritiT What are the values for the OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD and OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in this case?
>
> The HTTP 200 with the error code and message in a response body is expected when the request fails.

I didn't set these variables, so the values were whatever the default value is.

@2403905
Contributor

2403905 commented Dec 1, 2023

@SwikritiT I added the fix. Please review the failed test cases.

coreApiSharePublicLink3/updatePublicLinkShare.feature:119
coreApiSharePublicLink3/updatePublicLinkShare.feature:120

https://drone.owncloud.com/owncloud/ocis/29563/31/5
https://drone.owncloud.com/owncloud/ocis/29563/31/6

@SwikritiT
Contributor Author

> @SwikritiT I added the fix. Please review the failed test cases.
>
> coreApiSharePublicLink3/updatePublicLinkShare.feature:119
> coreApiSharePublicLink3/updatePublicLinkShare.feature:120
>
> https://drone.owncloud.com/owncloud/ocis/29563/31/5
> https://drone.owncloud.com/owncloud/ocis/29563/31/6

Hey thanks, I'll look at them
