[QA] guests have access to customgroups without whitelisting #516

Open
jnweiger opened this issue Aug 29, 2022 · 4 comments
@jnweiger
Contributor

jnweiger commented Aug 29, 2022

Seen with core 10.11.0-beta.2 (and rc.1) while testing owncloud/core#40257
guests 0.11.0
customgroups 0.6.2 and also 0.7.0

Follow the reproducer steps in the 'How has this been tested' section:

  • Enable customgroups. Make sure it's not listed as a whitelisted app in the guest configuration.
    • the guests whitelist under Settings -> Sharing is: [settings,avatar,files_external,files_trashbin,files_versions,files_sharing,files_texteditor,activity,firstrunwizard,gallery,notifications,password_policy,oauth2,files_pdfviewer,files_mediaviewer,richdocuments,onlyoffice,wopi,oco_selfservice,twofactor_totp]
  • As guest user navigate to the settings page.
  • The settings page should not show customgroups. And it does not.
    • ⛔ guest user sees customgroups and can create customgroups


@jnweiger
Contributor Author

jnweiger commented Sep 8, 2022

@pmaier1 reproduced with guests-0.11.0 customgroups-0.7.0 and core-10.11.0-rc.1

I recommend removing this item from the release notes, or having someone double-check the implementation.

@phil-davis
Contributor

phil-davis commented Sep 9, 2022

@jnweiger I can't get it to work for me now. I thought that I checked it back when I cherry-picked and rebased the code from PR #36258 to PR #40257

I looked through the code, and I don't really understand how it fits together. The core code adds a specific reference to "whitelistedAppsForGuests" that should be in the array returned by $user->getExtendedAttributes() - but I don't see anywhere that will set that. Guests app has code that processes the guests app setting called "whitelist".

@jvillafanez do you remember about PR #36258? Is there supposed to be some guests app code that is also needed to make this work?

Found it - #371 - I will rebase and see if I can get it working...

@phil-davis
Contributor

It is looking good so far. PR #518 is a rebase of PR #371 - after merging that, we will need to release guests 0.12.0 to go with core 10.11.

@jnweiger is the guests app bundled in the core tarball these days?

@jnweiger
Contributor Author

jnweiger commented Sep 9, 2022

> It is looking good so far. PR #518 is a rebase of PR #371 - after merging that, we will need to release guests 0.12.0 to go with core 10.11.
>
> @jnweiger is the guests app bundled in the core tarball these days?

Yes, I'll roll 10.11.0-rc.2 with the updated guests app.
