@nfebe
Contributor

@nfebe nfebe commented Oct 16, 2025

When a logged-in user accesses a public share link in the same browser, the system was incorrectly checking if that user's groups were excluded from creating link shares. This caused share not found errors for users in excluded groups, even though public shares should be accessible to anyone with the link.

The group exclusion setting (shareapi_allow_links_exclude_groups) is intended to restrict share creation, not share access. Public shares are meant to be anonymous and accessible regardless of the viewer identity or group membership.

@nfebe nfebe requested a review from a team as a code owner October 16, 2025 13:55
@nfebe nfebe requested review from Altahrim, provokateurin and yemkareems and removed request for a team October 16, 2025 13:55
@github-project-automation github-project-automation bot moved this to 🏗️ In progress in 📁 Files team Oct 16, 2025
@nfebe nfebe added the 3. to review Waiting for reviews label Oct 16, 2025
@nfebe nfebe requested a review from artonge October 17, 2025 09:12
nfebe added a commit that referenced this pull request Oct 17, 2025
Following #55811, split `shareApiAllowLinks()` into two dedicated methods to improve clarity
and separation of concerns:

- `isLinkSharingEnabled()`: Checks if link sharing is globally enabled
- `canUserCreateLinkShares()`: Checks if a user can create link shares
  (considers both global settings and group restrictions)

The original shareApiAllowLinks() is now deprecated and acts as a
wrapper to maintain backward compatibility.
Contributor

@artonge artonge left a comment

I think we should rather change the check to check whether the share owner can create links. This would allow preventing access to a share if the share owner is prevented from creating links after it was created.

@nfebe nfebe force-pushed the fix/public-share-group-exclusion-access branch from 7a9c04a to ea29e2f Compare November 13, 2025 10:46
@nfebe nfebe requested a review from artonge November 13, 2025 10:48
@nfebe nfebe force-pushed the fix/public-share-group-exclusion-access branch from ea29e2f to e222c83 Compare November 13, 2025 22:17
@juliusknorr
Member

/backport to stable32

@juliusknorr
Member

/backport to stable31

@juliusknorr
Member

/backport to stable30

@nfebe nfebe force-pushed the fix/public-share-group-exclusion-access branch from e222c83 to ed0d841 Compare November 25, 2025 11:38
@nfebe nfebe requested a review from provokateurin November 25, 2025 11:39
@nfebe nfebe force-pushed the fix/public-share-group-exclusion-access branch from ed0d841 to 5aa8a64 Compare November 25, 2025 11:40
@juliusknorr juliusknorr force-pushed the fix/public-share-group-exclusion-access branch from 5aa8a64 to ca7755f Compare November 27, 2025 07:53
When a logged-in user accesses a public share link in the same browser,
the system was incorrectly checking if that user's groups were excluded
from creating link shares. This caused share not found errors for users
in excluded groups, even though public shares should be accessible to anyone
with the link.

The group exclusion setting (`shareapi_allow_links_exclude_groups`) is
intended to restrict share creation, not share access. Public shares
are meant to be anonymous and accessible regardless of the viewer identity
or group membership.

We now check the exclusion for the share creator and not the viewer.

Signed-off-by: nfebe <[email protected]>
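
The difference between evaluating the exclusion against the viewer and against the share creator, as an added example that is not code from this pull request or from Nextcloud. The class `LinkSharePolicy`, the methods `canAccessByViewer()` and `canAccessByOwner()`, and the users and groups are hypothetical; `isLinkSharingEnabled()` and `canUserCreateLinkShares()` reuse the names from the referenced commit message, with bodies that are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the link-share checks; not Nextcloud's own classes.
final class LinkSharePolicy {
    /**
     * @param list<string> $excludedGroups constructed value of the exclusion setting
     * @param array<string, list<string>> $groupsByUser constructed user => groups map
     */
    public function __construct(
        private bool $linksEnabled,
        private array $excludedGroups,
        private array $groupsByUser,
    ) {}

    public function isLinkSharingEnabled(): bool {
        return $this->linksEnabled;
    }

    // Creation check: global switch plus the group exclusion for this user.
    public function canUserCreateLinkShares(string $userId): bool {
        if (!$this->linksEnabled) {
            return false;
        }
        $groups = $this->groupsByUser[$userId] ?? [];
        return array_intersect($groups, $this->excludedGroups) === [];
    }

    // Before: a logged-in viewer's own groups decided whether the link resolved.
    public function canAccessByViewer(string $owner, ?string $viewer): bool {
        return $viewer === null
            ? $this->isLinkSharingEnabled()
            : $this->canUserCreateLinkShares($viewer);
    }

    // After: only the share creator's right to create links is evaluated.
    public function canAccessByOwner(string $owner, ?string $viewer): bool {
        return $this->canUserCreateLinkShares($owner);
    }
}

$policy = new LinkSharePolicy(true, ['interns'], ['alice' => ['staff'], 'bob' => ['interns']]);
// alice owns the share; bob, in an excluded group, opens the link while logged in.
var_dump($policy->canAccessByViewer('alice', 'bob'));
var_dump($policy->canAccessByOwner('alice', 'bob'));
// Share owned by bob, whose group is excluded; anonymous visitor.
var_dump($policy->canAccessByOwner('bob', null));
```
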
@nfebe nfebe force-pushed the fix/public-share-group-exclusion-access branch from ca7755f to 6bccaf7 Compare December 2, 2025 08:45
@nfebe nfebe requested a review from provokateurin December 2, 2025 08:45
@nfebe nfebe merged commit 68b9108 into master Dec 2, 2025
268 of 290 checks passed
@nfebe nfebe deleted the fix/public-share-group-exclusion-access branch December 2, 2025 14:42