Upload not blocked - File access control #3695

Closed
k1ngf15h3r opened this issue Mar 3, 2017 · 2 comments

@k1ngf15h3r

Steps to reproduce

  1. Create a public upload folder (without file listing)
  2. Enable "file access control" and create a rule to block access to "image/jpeg" and upload a jpeg file in the public folder
  3. jpeg file would be uploaded but could not be deleted inside NC

Expected behaviour

jpeg file should not be uploaded, with an error message that jpeg files are not allowed

Actual behaviour

jpeg file will be uploaded but will not be accessible

Server configuration

Operating system:
Docker Image Nextcloud:10.0.3-apache

Web server:
Apache2

Database:
MySQL 10.1.20

PHP version:
PHP 5.6.30
Nextcloud version: (see Nextcloud admin page)
11.0.2 (stable)

Updated from an older Nextcloud/ownCloud or fresh install:
updated from 10.0.3

Where did you install Nextcloud from:
Docker Hub

@Schmuuu

Schmuuu commented Mar 6, 2017

Hi,

I see the same problem that MIME types are not checked (correctly?) during the upload on public links. But as soon as the file is uploaded, file access control denies the access.
However, if you want to grant access to the file for the normal user (that shared the link), you can modify the rule a little bit.

For example:

  • file mime type -- is -- JPEG
  • user group membership -- not member of -- normalUser

So if the user is a member of the group "normalUser", then he can still access the file and delete it.

Nevertheless I would love to have the file access control also working for uploads to a public link.
I wanted to forbid uploads of *.sh, *.php and *.js but can't get this to work.

My NC version is 11.0.2 by the way.

@nickvergessen
Member

Duplicate of nextcloud/files_accesscontrol#55

Fix is in #3725

Problem is public shares use a different endpoint where the mimetype was always detected as ''
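
The failure mode described in the last comment, as an added example that is not part of the original issue and is not Nextcloud's or files_accesscontrol's code: a simplified Python model in which the write path evaluates the deny rule against an empty MIME type while the read path detects the type from the stored file. All function names, the lookup tables and the sample bytes are constructed for illustration, and `upload_with_detection` is one possible check, not the fix in #3725.

```python
# Simplified model of a MIME-type deny rule. Every name here is hypothetical.
BLOCKED_MIMETYPES = {"image/jpeg"}  # the rule "file mime type -- is -- JPEG"

# Constructed lookup tables, just large enough for the demonstration.
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG": "image/png"}
EXTENSIONS = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png"}

# Constructed sample: JPEG start-of-image marker followed by padding.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def detect_mimetype(name, data):
    """Detect the type from leading bytes, then fall back to the extension."""
    for magic, mimetype in MAGIC.items():
        if data.startswith(magic):
            return mimetype
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    return EXTENSIONS.get(ext, "application/octet-stream")


def is_blocked(mimetype):
    """Evaluate the deny rule for one MIME type string."""
    return mimetype in BLOCKED_MIMETYPES


def upload_reported_behaviour(store, name, data, endpoint_mimetype):
    """Write path that trusts the MIME type handed over by the endpoint."""
    if is_blocked(endpoint_mimetype):  # '' never matches, so nothing is blocked
        return "rejected"
    store[name] = data
    return "stored"


def upload_with_detection(store, name, data, endpoint_mimetype):
    """Write path that also detects the type itself before applying the rule."""
    detected = detect_mimetype(name, data)
    if is_blocked(endpoint_mimetype) or is_blocked(detected):
        return "rejected"
    store[name] = data
    return "stored"


def read(store, name):
    """Read path: the type comes from the stored file, so the rule fires."""
    if is_blocked(detect_mimetype(name, store[name])):
        return "denied"
    return "ok"
```

With an empty `endpoint_mimetype`, the first upload function stores the JPEG and `read` then denies it, which is the state the reporter ended up in; the second rejects the same upload before anything is written.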
