user session of a blocked user is not cleared properly #4795

Closed
1 task done
kiranparajuli589 opened this issue Mar 5, 2021 · 3 comments · Fixed by #7072

@kiranparajuli589
Contributor

Description

ownCloud has a feature that if a logged-in user is blocked, its user session should be cleared properly. It works perfectly fine also and is well demonstrated as an acceptance test here.
But strangely, the behavior is not the same when the server and client are running on different hosts, i.e.
To reproduce this error I'd made a setup like:

  • server running on http://127.0.0.1/owncloud
  • web client running on http://127.1.1.1:8080
  • make sure the client-server is connected with the oauth2 app
  • allow cors for http://127.1.1.1:8080 in core config.php

Steps to reproduce

  1. create a test user
  2. log-in with the test user (we'll land onto the files page)
  3. block the test user:
    curl -X PUT -u admin:admin http://localhost/owncloud/ocs/v2.php/cloud/users/test/disable 
  4. come back to the web and reload the files-page

Expected behavior

User disabled message should be shown.
Screenshot from 2021-03-05 13-58-04

Actual behavior

The user is redirected to the login screen.
Screenshot from 2021-03-05 14-00-08
with URL

http://localhost/owncloud/index.php/login?redirect_url=%252Fowncloud%252Findex.php%252Fapps%252Foauth2%252Fauthorize%253Fclient_id%253D3evHkbj7mq1kxraf6wcSMoSuT0p2NPHKXklfBWgi22mtee4vVhTNQysyJN2qQzA5%2526redirect_uri%253Dhttp%25253A%25252F%25252F127.1.1.1%25253A8080%25252Foidc-callback.html%2526response_type%253Dtoken%2526scope%253Dopenid%252520profile%2526state%253D8d1fdde190094d91ada94c1ce3404d03%2526response_mode%253Dquery

Server configuration

Operating system:
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal

Web server:

  • latest GitHub master
  • started as:
cd .../web
yarn build
SERVER=127.1.1.1 PORT=8080 yarn serve

Database:
Sqlite

PHP version:

PHP 7.4.3 (cli) (built: Oct  6 2020 15:47:56) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
    with Xdebug v2.9.2, Copyright (c) 2002-2020, by Derick Rethans

ownCloud version: (see ownCloud admin page)

ownCloud 10.6.1alpha (daily) Build:2021-02-22T22:00:23+00:00 df5e095c7e5e94cb44f842a4b51a3480cf8878a0

Updated from an older ownCloud or fresh install:

  • fresh

Where did you install ownCloud from:

wget -qO- https://download.owncloud.org/community/daily/owncloud-daily-master-qa.tar.bz2 | tar -xj -C /home/xxxxx/www/owncloud/ --strip 1

Signing status (ownCloud 9.0 and above):

Login as an admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

https://gist.github.com/kiranparajuli589/40733cc78e421d8360a255714a160dc1

The content of config/config.php:

{
    "system": {
        "instanceid": "ocsu5q1uas2k",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "127.1.1.1"
        ],
        "datadirectory": "\/home\/kiran\/www\/owncloud\/data",
        "overwrite.cli.url": "http:\/\/localhost\/owncloud",
        "dbtype": "sqlite3",
        "version": "10.6.1.0",
        "logtimezone": "UTC",
        "apps_paths": [
            {
                "path": "\/home\/kiran\/www\/owncloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/home\/kiran\/www\/owncloud\/apps-external",
                "url": "\/apps-external",
                "writable": true
            }
        ],
        "installed": true,
        "cors.allowed-domains": [
            "http:\/\/localhost\/phoenix\/dist",
            "http:\/\/127.1.1.1:8080"
        ],
        "loglevel": "2",
        "dav.enable.tech_preview": true,
        "web.baseUrl": "http:\/\/localhost\/phoenix\/dist",
        "sharing.federation.allowHttpFallback": true,
        "skeletondirectory": "\/home\/kiran\/www\/owncloud\/apps\/testing\/data\/webUISkeleton"
    },
    "apps": {
        "backgroundjob": {
            "lastjob": "12"
        },
        "comments": {
            "installed_version": "0.3.0",
            "types": "logging,dav",
            "enabled": "yes"
        },
        "configreport": {
            "installed_version": "0.2.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "core": {
            "installedat": "1614789075.7293",
            "lastupdatedat": "1614932470",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "public_files": "files_sharing\/public.php",
            "first_install_version": "10.6.1.0",
            "oc.integritycheck.checker": "[]",
            "lastcron": "1614932484",
            "lastupdateResult": "{\"version\":\"100.0.0.0\",\"versionstring\":\"ownCloud daily\",\"url\":\"https:\\\/\\\/download.owncloud.org\\\/community\\\/owncloud-daily-master.zip\",\"web\":\"https:\\\/\\\/doc.owncloud.org\\\/server\\\/10.6\\\/admin_manual\\\/maintenance\\\/upgrade.html\"}"
        },
        "dav": {
            "installed_version": "0.6.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "federatedfilesharing": {
            "installed_version": "0.5.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "federation": {
            "installed_version": "0.1.0",
            "types": "authentication",
            "enabled": "yes"
        },
        "files": {
            "installed_version": "1.5.2",
            "types": "filesystem",
            "enabled": "yes",
            "cronjob_scan_files": "500"
        },
        "files_external": {
            "installed_version": "0.7.1",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_mediaviewer": {
            "installed_version": "1.0.4",
            "types": "",
            "enabled": "yes"
        },
        "files_sharing": {
            "installed_version": "0.14.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_trashbin": {
            "installed_version": "0.9.1",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_versions": {
            "installed_version": "1.3.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "firstrunwizard": {
            "installed_version": "1.2.0",
            "types": "",
            "enabled": "yes"
        },
        "market": {
            "installed_version": "0.6.0",
            "types": "",
            "enabled": "yes"
        },
        "notifications": {
            "installed_version": "0.5.2",
            "types": "logging",
            "enabled": "yes"
        },
        "oauth2": {
            "installed_version": "0.5.0",
            "types": "authentication",
            "enabled": "yes"
        },
        "provisioning_api": {
            "installed_version": "0.5.0",
            "types": "prevent_group_restriction",
            "enabled": "yes"
        },
        "systemtags": {
            "installed_version": "0.3.0",
            "types": "logging",
            "enabled": "yes"
        },
        "testing": {
            "installed_version": "0.1.0",
            "types": "dav,authentication",
            "enabled": "yes"
        },
        "updatenotification": {
            "installed_version": "0.2.1",
            "types": "",
            "enabled": "yes"
        }
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...

  • no

Are you using encryption: yes/no

  • no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

  • no

Client configuration

Browser:

  • google chrome

Operating system:

  • same as mentioned above

Logs

Web server error log


ownCloud log (data/owncloud.log)

None

Browser log

The following logs were found in the browser console:

10:29:51 AM - SEVERE - http://127.1.1.1:8080/index.html#/oidc-callback?access_token=sAyMhdNhynr3k5jLFzX7NSOiG1ops9CsEjhpSZ2nI63CQvStjWBIJv4McMZl0E7r&expires_in=3600&state=4c34022253c24437aac8841a0d67fc76 - Access to XMLHttpRequest at 'http://localhost/owncloud/api/v0/settings/values-list' from origin 'http://127.1.1.1:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
10:29:51 AM - SEVERE - http://localhost/owncloud/api/v0/settings/values-list - Failed to load resource: net::ERR_FAILED
10:29:51 AM - SEVERE - http://127.1.1.1:8080/null - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:51 AM - SEVERE - http://localhost/owncloud//remote.php/dav/avatars/Alice/128.png - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:51 AM - SEVERE - http://127.1.1.1:8080/null - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:52 AM - SEVERE - http://localhost/owncloud/remote.php/dav/files/Alice/data.zip?a=1&c=f66bd0cdc4453978ecef3a9ce1c33573&preview=1&scalingup=0 - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:52 AM - SEVERE - http://localhost/owncloud/remote.php/dav/files/Alice/data.tar.gz?a=1&c=5981fb0072d9c333ebcda0f208be5429&preview=1&scalingup=0 - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:53 AM - SEVERE - http://127.1.1.1:8080/#/files/list/ - Access to XMLHttpRequest at 'http://localhost/owncloud/api/v0/settings/values-list' from origin 'http://127.1.1.1:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
10:29:53 AM - SEVERE - http://localhost/owncloud/api/v0/settings/values-list - Failed to load resource: net::ERR_FAILED
10:29:53 AM - SEVERE - http://127.1.1.1:8080/null - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:53 AM - SEVERE - http://localhost/owncloud//remote.php/dav/avatars/Alice/128.png - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:53 AM - SEVERE - http://127.1.1.1:8080/null - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:53 AM - SEVERE - http://localhost/owncloud/remote.php/dav/files/Alice/data.tar.gz?a=1&c=5981fb0072d9c333ebcda0f208be5429&preview=1&scalingup=0 - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:53 AM - SEVERE - http://localhost/owncloud/remote.php/dav/files/Alice/data.zip?a=1&c=f66bd0cdc4453978ecef3a9ce1c33573&preview=1&scalingup=0 - Failed to load resource: the server responded with a status of 404 (Not Found)
10:29:54 AM - SEVERE - http://127.1.1.1:8080/#/files/list/%2F - Access to XMLHttpRequest at 'http://localhost/owncloud/ocs/v1.php/cloud/capabilities?format=json' from origin 'http://127.1.1.1:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
10:29:54 AM - SEVERE - http://localhost/owncloud/ocs/v1.php/cloud/capabilities?format=json - Failed to load resource: net::ERR_FAILED
10:29:54 AM - SEVERE - http://127.1.1.1:8080/js/_chunks/vendor.js 87331:10047 Uncaught TypeError: Cannot read property 'status' of undefined
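
The login URL under "Actual behavior" carries a percent-encoded OAuth2 authorize request inside `redirect_url`. As an added example (not part of the original issue or the project's code), the script below peels the encoding layers and summarizes what the web client requested; the URL is constructed with the same nesting as the one in the report, and `EXAMPLE_CLIENT_ID` and `EXAMPLE_STATE` are placeholders.

```javascript
// Constructed sample: same nesting as the URL in the report,
// with placeholder client_id and state values.
const LOGIN_URL =
  'http://localhost/owncloud/index.php/login?redirect_url=' +
  '%252Fowncloud%252Findex.php%252Fapps%252Foauth2%252Fauthorize' +
  '%253Fclient_id%253DEXAMPLE_CLIENT_ID' +
  '%2526redirect_uri%253Dhttp%25253A%25252F%25252F127.1.1.1%25253A8080' +
  '%25252Foidc-callback.html' +
  '%2526response_type%253Dtoken%2526scope%253Dopenid%252520profile' +
  '%2526state%253DEXAMPLE_STATE%2526response_mode%253Dquery';

// Remove extra percent-encoding layers until the value reads as "path?query".
function peelEncoding(value, maxLayers = 5) {
  let current = value;
  for (let i = 0; i < maxLayers && !current.includes('?'); i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape: keep the last good layer
    }
    if (next === current) break; // nothing left to decode
    current = next;
  }
  return current;
}

// Summarize the OAuth2 authorize request nested in the login redirect.
function describeLoginRedirect(loginUrl) {
  const outer = new URL(loginUrl);
  const raw = outer.searchParams.get('redirect_url');
  if (raw === null) return null; // plain login page, no pending authorize
  const inner = new URL(peelEncoding(raw), outer.origin);
  const q = inner.searchParams;
  return {
    authorizePath: inner.pathname,
    clientId: q.get('client_id'),
    redirectUri: q.get('redirect_uri'),
    responseType: q.get('response_type'),
    scope: q.get('scope'),
    // response_type=token is the OAuth2 implicit grant (RFC 6749, 4.2)
    implicitFlow: q.get('response_type') === 'token',
  };
}

console.log(describeLoginRedirect(LOGIN_URL));
```

Decoded this way, the URL in the report shows `response_type=token` with `redirect_uri` pointing back at `http://127.1.1.1:8080/oidc-callback.html`: the reload sent the browser into a new authorize request at the server's login page rather than to the "User disabled" message.
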
@kulmann
Contributor

kulmann commented Jul 7, 2022

@kiranparajuli589 with #7072 being merged a disabled user will see the login error page on page reload, when clicking on exit they will be redirected to the page you have in the expected behaviour of this issue (User disabled). Is that sufficient to close this ticket?

@kiranparajuli589
Contributor Author

> @kiranparajuli589 with #7072 being merged a disabled user will see the login error page on page reload, when clicking on exit they will be redirected to the page you have in the expected behaviour of this issue (User disabled). Is that sufficient to close this ticket?

@kulmann yes it would be enough to close this ticket.

@kulmann
Contributor

kulmann commented Jul 7, 2022

> @kulmann yes it would be enough to close this ticket.

Perfect, thank you! :-)
