Guest users are able to assign and unassign tags to a file after removing systemtags from whitelist #551

Open
PrajwolAmatya opened this issue Mar 9, 2023 · 2 comments

@PrajwolAmatya
Contributor

Steps to reproduce

  1. set the guests whitelist so that systemtags are not in the whitelist
  2. user Alice creates and shares a file textfile.txt
  3. guest user [email protected] registers

Now use a curl command to assign a tag to a file:

curl -u [email protected]:<password> -X PUT -H "Content-Type: text/xml" "http://localhost/core/remote.php/dav/systemtags-relations/files/<fileId>/<tagId>" -v

Expected behaviour

Guest user should not be able to assign tags on a file
Expected response: 403 Forbidden

Actual behaviour

Guest user is able to assign tag to a file.
Actual Response:

*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user '[email protected]'
> PUT /core/remote.php/dav/systemtags-relations/files/2147490356/68 HTTP/1.1
> Host: localhost
> Authorization: Basic dGVzdEBleGFtcGxlLmNvbTp0ZXN0
> User-Agent: curl/7.81.0
> Accept: */*
> Conent-Type: text/xml
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Thu, 09 Mar 2023 04:05:54 GMT
< Server: Apache/2.4.52 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: oc5p8n2d2r60=njn1mhmo5pdbkir72ad9bu37u8; path=/core; HttpOnly; SameSite=Strict
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=ZKEcoS9qqY8dmjpuq6Re9HJeDi5oo8nn5%2Fsl3Nsq6VyvWwVPF4lVjXV%2F32qoqtuaoB3PfMxclmqm41FRu%2FOiqGlMG7tebMAaAHPGGhfiJIZjKbaZlBnIYjKyYi0VDW3R; expires=Thu, 09-Mar-2023 04:25:54 GMT; Max-Age=1200; path=/core; HttpOnly; SameSite=Strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: oc5p8n2d2r60=g2ev5a2pblofgqh4h1lf0csrvi; path=/core; HttpOnly; SameSite=Strict
< Set-Cookie: cookie_test=test; expires=Thu, 09-Mar-2023 05:05:54 GMT; Max-Age=3600
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host localhost left intact
@PrajwolAmatya changed the title from "Guest users are able to assign and unassign tags to a file" to "Guest users are able to assign and unassign tags to a file after removine systemtags from whitelist" on Mar 9, 2023
@SwikritiT
Contributor

SwikritiT commented Mar 20, 2023

TODO QA Team

@PrajwolAmatya
Contributor Author

PrajwolAmatya commented Apr 3, 2023

When the guest user tries to remove tags of a resource then the returned status code is 404.

@PrajwolAmatya changed the title from "Guest users are able to assign and unassign tags to a file after removine systemtags from whitelist" to "Guest users are able to assign and unassign tags to a file after removing systemtags from whitelist" on Apr 3, 2023
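
Added example, not part of the issue or the project's own code: a Python audit of web-server access logs for the tag assign/unassign requests described in this thread, separating the expected 403 from a 2xx that went through and from other answers such as the 404 reported for unassign. The log lines and the guest id `guest@example.org` are constructed; it assumes the authenticated user id appears in the log's user field and that the set of guest ids is known to the auditor.

```python
import re
from collections import namedtuple

# Apache combined-log prefix: host, ident, user, [time], "METHOD path PROTO", status
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Tag-relation endpoint from the report: .../systemtags-relations/files/<fileId>/<tagId>
TAG_REL_RE = re.compile(
    r'/remote\.php/dav/systemtags-relations/files/(?P<file_id>\d+)/(?P<tag_id>\d+)/?$'
)
WRITE_METHODS = {"PUT", "DELETE"}  # assign / unassign
Finding = namedtuple("Finding", "user method file_id tag_id status verdict")

def classify(status):
    """403 is the expected answer; 2xx means the tag change went through."""
    if status == 403:
        return "blocked"
    if 200 <= status < 300:
        return "allowed"
    return "unexpected"  # e.g. the 404 reported for unassign

def audit(lines, guest_ids):
    """Return a Finding for every tag assign/unassign attempt made by a guest."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] not in guest_ids or m["method"] not in WRITE_METHODS:
            continue
        rel = TAG_REL_RE.search(m["path"].split("?", 1)[0])  # ignore query string
        if rel:
            status = int(m["status"])
            findings.append(Finding(m["user"], m["method"], rel["file_id"],
                                    rel["tag_id"], status, classify(status)))
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '127.0.0.1 - guest@example.org [09/Mar/2023:04:05:54 +0000] "PUT /core/remote.php/dav/systemtags-relations/files/2147490356/68 HTTP/1.1" 201 0 "-" "curl/7.81.0"',
    '127.0.0.1 - guest@example.org [09/Mar/2023:04:06:10 +0000] "DELETE /core/remote.php/dav/systemtags-relations/files/2147490356/68 HTTP/1.1" 404 0 "-" "curl/7.81.0"',
    '127.0.0.1 - Alice [09/Mar/2023:04:07:00 +0000] "PUT /core/remote.php/dav/systemtags-relations/files/2147490356/68 HTTP/1.1" 201 0 "-" "curl/7.81.0"',
    '127.0.0.1 - guest@example.org [09/Mar/2023:04:08:00 +0000] "PROPFIND /core/remote.php/dav/systemtags-relations/files/2147490356 HTTP/1.1" 207 512 "-" "curl/7.81.0"',
]
GUESTS = {"guest@example.org"}  # assumption: guest user ids are known to the auditor

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, GUESTS):
        print(f)
```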