Skip to content

fix(ACL): Don't check ACL permissions if user doesn't have access to the folder in the first place #3867

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
provokateurin merged 1 commit into from
Jun 30, 2025
Merged

fix(ACL): Don't check ACL permissions if user doesn't have access to the folder in the first place #3867

provokateurin merged 1 commit into from
Jun 30, 2025

Conversation

@provokateurin
Copy link
Member

@provokateurin provokateurin commented Jun 24, 2025

If a user has no access to a Team folder, no rules are returned and it is assumed that this user has all permissions.
Instead of applying the folder permissions as a mask, it would also be possible to just check if the folder permissions are 0 and then use 0 as the path permissions directly, but in the end this results in the same output.

@provokateurin provokateurin added this to the Nextcloud 32 milestone Jun 24, 2025
@provokateurin provokateurin added bug 3. to review Items that need to be reviewed labels Jun 24, 2025
@provokateurin
Copy link
Member Author

provokateurin commented Jun 24, 2025

/backport to stable31

@provokateurin
Copy link
Member Author

provokateurin commented Jun 24, 2025

/backport to stable30

@icewind1991
Copy link
Member

icewind1991 commented Jun 25, 2025

This change also impacts users that do have access to the groupfolder, but the group they have access trough doesn't have full (non-acl) permissions.

For example, if a user has access trough a group that doesn't have the "delete" base permissions, and a -share acl on a folder.

With master the acl test returns

+read, +write, +create, +delete, -share

With this PR it returns

+read, +write, +create, -share

I'm not sure if either of those are "correct" output.

+read, +write, +create, -delete, -share

Is probably most correct (though it might mislead admins into thinking the -delete comes from an ACL rule, having an "explain" option that show how the permissions are calculated has been on my whish list for a while).

I would suggest either changing this PR to show that output, or scope it down to only handle the case where a user doesn't have access at all.

@provokateurin
fix(ACL): Don't check ACL permissions if user doesn't have access to …
e749891 
…the folder in the first place

Signed-off-by: provokateurin <[email protected]>
@provokateurin provokateurin force-pushed the fix/acl/command-test-permissions branch from 67cc662 to e749891 Compare June 30, 2025 13:03
@provokateurin provokateurin changed the title fix(ACL): Apply folder permissions mask when testing path permission fix(ACL): Don't check ACL permissions if user doesn't have access to the folder in the first place Jun 30, 2025
@provokateurin
Copy link
Member Author

provokateurin commented Jun 30, 2025

@icewind1991 please review again.

@provokateurin provokateurin merged commit e62ad60 into master Jun 30, 2025
53 of 55 checks passed
@provokateurin provokateurin deleted the fix/acl/command-test-permissions branch June 30, 2025 14:05
This was referenced Jun 30, 2025
Merged
Merged
@skjnldsv skjnldsv mentioned this pull request Aug 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@icewind1991 icewind1991 icewind1991 approved these changes

@come-nc come-nc Awaiting requested review from come-nc

Assignees

No one assigned

Labels

3. to review Items that need to be reviewed bug

Projects

None yet

Milestone

Nextcloud 32

Development

Successfully merging this pull request may close these issues.

3 participants

@provokateurin @icewind1991