add some additonal permission checks to the webdav backend #255

schiessle · 2016-06-30T09:14:37Z

@LukasReschke another one for you 😉

LukasReschke · 2016-06-30T09:19:56Z

Thanks, @schiessle. I'll see if I can write an integration test for this.

MorrisJobke · 2016-06-30T09:22:52Z

Thanks, @schiessle. I'll see if I can write an integration test for this.

... or even better: let @schiessle try to add this ;)

LukasReschke · 2016-06-30T09:23:16Z

... or even better: let @schiessle try to add this ;)

Ah. I guess he'll be busy fixing the theming PR 🙈

LukasReschke · 2016-06-30T10:20:17Z

Integration tests passed. They should pass, but there are some broken unit tests, @schiessle mind taking a look at those?


There were 10 errors:

1) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveFailed with data set #0 ('a/b', 'a/c', array(false, false, false), array())
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:75

2) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveFailed with data set #1 ('a/b', 'b/b', array(false, false, false, false), array())
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:75

3) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveFailed with data set #2 ('a/b', 'b/b', array(false, true, false, false), array())
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:75

4) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveFailed with data set #3 ('a/b', 'b/b', array(true, true, false, false), array())
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:75

5) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveFailed with data set #4 ('a/b', 'b/b', array(true, true, true, false), array(false))
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:75

6) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveFailed with data set #5 ('a/b', 'a/c', array(false, true, false), array())
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:75

7) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveSuccess with data set #0 ('a/b', 'b/b', array(true, true, true, false), array(true))
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:82

8) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveSuccess with data set #1 ('a/b*', 'b/b', array(true, true, true, false), array(true))
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:82

9) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testMoveFailedInvalidChars with data set #0 ('a/b', 'a/*', array(true, true, false), array())
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:142
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:91

10) OCA\DAV\Tests\unit\Connector\Sabre\ObjectTreeTest::testFailingMove
Argument 3 passed to OC\Files\Storage\Common::acquireLock() must implement interface OCP\Lock\ILockingProvider, null given, called in /drone/src/github.com/nextcloud/server/lib/private/Files/View.php on line 1909 and defined

/drone/src/github.com/nextcloud/server/lib/private/Files/Storage/Common.php:667
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1909
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:2011
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1289
/drone/src/github.com/nextcloud/server/lib/private/Files/View.php:1336
/drone/src/github.com/nextcloud/server/apps/dav/lib/Connector/Sabre/ObjectTree.php:199
/drone/src/github.com/nextcloud/server/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php:353

LukasReschke · 2016-06-30T11:17:14Z

apps/dav/lib/Connector/Sabre/ObjectTree.php

+		$sourcePermission =  $infoSource && $infoSource->isDeletable();
+
+		if (!$destinationPermission || !$sourcePermission) {
+			throw new Forbidden();


Required parameter $message missing

(Will fix myself)

LukasReschke · 2016-06-30T11:46:59Z

Tests should pass now after ea18d86

schiessle · 2016-06-30T11:50:58Z

apps/dav/lib/Connector/Sabre/ObjectTree.php

@@ -285,7 +285,7 @@ public function copy($source, $destination) {

 		$info = $this->fileView->getFileInfo(dirname($destination));
 		if ($info && !$info->isUpdateable()) {
-			throw new Forbidden();
+			throw new Forbidden('No permissions to move object.');


"copy" in this case? 😉

MorrisJobke · 2016-06-30T11:53:40Z

Tested and works 👍

schiessle · 2016-06-30T12:04:33Z

👍 for the tests

PVince81 · 2016-07-06T15:22:41Z

apps/dav/lib/Connector/Sabre/ObjectTree.php

@@ -273,6 +293,12 @@ public function copy($source, $destination) {
 			throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
 		}

+
+		$info = $this->fileView->getFileInfo(dirname($destination));
+		if ($info && !$info->isUpdateable()) {


Might not be 100% correct. A copy needs create permissions for a "copy in" as new file.
As for "copy + overwrite" it's "create + delete", because SabreDAV will trigger an automatic delete of the target before running this method. So in the end only a check on "create" is needed.

Even though the "update" permission semantically seems to fit better for overwrites, it never quite worked as expected.

schiessle added bug 3. to review Waiting for reviews feature: dav labels Jun 30, 2016

schiessle added this to the Nextcloud Next milestone Jun 30, 2016

add some additonal permission checks to the webdav backend

93c8458

schiessle force-pushed the dav-permission-check branch from 3182f86 to 93c8458 Compare June 30, 2016 09:17

LukasReschke force-pushed the dav-permission-check branch from eae9b92 to f43fba4 Compare June 30, 2016 10:20

Add integration tests

4e21543

LukasReschke force-pushed the dav-permission-check branch from f43fba4 to 4e21543 Compare June 30, 2016 10:21

LukasReschke reviewed Jun 30, 2016
View reviewed changes

LukasReschke added 2 commits June 30, 2016 13:17

Add required $message parameter

54ab972

Add proper throws PHP docs

62cc9f9

MorrisJobke added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Jun 30, 2016

Fix tests

ea18d86

fix error message

726052b

schiessle reviewed Jun 30, 2016
View reviewed changes

MorrisJobke added 3. to review Waiting for reviews backport-request and removed 2. developing Work in progress labels Jun 30, 2016

schiessle merged commit e9dedfb into master Jun 30, 2016

LukasReschke deleted the dav-permission-check branch June 30, 2016 13:06

schiessle mentioned this pull request Jun 30, 2016

add some additonal permission checks to the webdav backend #263

Merged

MorrisJobke removed the backport-request label Jun 30, 2016

PVince81 reviewed Jul 6, 2016
View reviewed changes

nickvergessen mentioned this pull request Sep 7, 2016

Fix required permissions for webdav move and copy #1301

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add some additonal permission checks to the webdav backend #255

add some additonal permission checks to the webdav backend #255

schiessle commented Jun 30, 2016

LukasReschke commented Jun 30, 2016

MorrisJobke commented Jun 30, 2016 •

edited

Loading

LukasReschke commented Jun 30, 2016

LukasReschke commented Jun 30, 2016

LukasReschke Jun 30, 2016

LukasReschke Jun 30, 2016

LukasReschke commented Jun 30, 2016

schiessle Jun 30, 2016

MorrisJobke commented Jun 30, 2016 •

edited

Loading

schiessle commented Jun 30, 2016

PVince81 Jul 6, 2016

add some additonal permission checks to the webdav backend #255

add some additonal permission checks to the webdav backend #255

Conversation

schiessle commented Jun 30, 2016

LukasReschke commented Jun 30, 2016

MorrisJobke commented Jun 30, 2016 • edited Loading

LukasReschke commented Jun 30, 2016

LukasReschke commented Jun 30, 2016

LukasReschke Jun 30, 2016

Choose a reason for hiding this comment

LukasReschke Jun 30, 2016

Choose a reason for hiding this comment

LukasReschke commented Jun 30, 2016

schiessle Jun 30, 2016

Choose a reason for hiding this comment

MorrisJobke commented Jun 30, 2016 • edited Loading

schiessle commented Jun 30, 2016

PVince81 Jul 6, 2016

Choose a reason for hiding this comment

MorrisJobke commented Jun 30, 2016 •

edited

Loading

MorrisJobke commented Jun 30, 2016 •

edited

Loading