Removing a customgroup removes shares of sharees but not of sharers. #89
Comments
|
Sev2 because if we remove a custom group and we create it again, maybe the old shared folders appear again shared. |
can you verify if that happens ? if yes, please add it to the steps |
|
I actually don't think it will happen because the sharing is based on the internal custom groups name which is based on the autoincrement value |
Verified. Changed the steps. |
|
Not happening using regular groups. |
|
Argh, this is the reason: 3140530 In the past the exposed group id was "customgroup_" + numeric id but now it's "customgroup_" + uri... Now looking at events, maybe we should trigger group events when deleting groups: "preDelete", "postDelete", etc... This would trigger the logic that automatically deletes shares when a group is deleted. |
|
If we now start triggering these regular group events, this will likely open a can of worms and we need to be wary of side effects. |
|
|
Just tested with trial 2 locally and it seems to work fine. I guess that eventually we'll want to move other API calls to the group manager to be able to automatically trigger group events: #92 |
|
Raised #91 to trigger more events |
|
Workaround: when recreating the group, create it with a different name then rename it back to the original name. At group creation, the group URI is generated based on the original name, but doesn't change after renaming. |
|
Another potential issue though is if someone completely different recreates the group and add themselves, they'd then receive the files originally shared to this group. This could be seen as a security issue. I still suggest we release the custom groups app version as it is now, as this issue is no regression and existed before. We should then fix this in the release directly after that. |
|
=> needs to be documented as known issue then, maybe |
|
Another potential fix that doesn't involves events would be to append a random hash in the uri to mitigate the problem. However any user who knows the group id of another could still manualy craft a request with the intended URI when recreating the group. |
|
Bug exists since the first version of customgroups: this commit 3140530 that makes use of uri as core group id exists since the version, I found it in the 0.1 release tarball. So this bug is not a regression. |
|
@PVince81 @SergioBertolinSG can we fix this asap? This is a public repository, everyone can see this disclosure. |
Steps to reproduce
Expected behaviour
Folder stops to be shared.
Actual behaviour
Folder is still shared. Sharees doesn't see it shared though.
After step 8, member2 can see the folder 'things' shared with him.
Server configuration
Operating system:
Ubuntu 16.04
Web server:
Apache
Database:
MySQL
PHP version:
7.0
ownCloud version: (see ownCloud admin page)
10.0.3beta1
{"installed":"true","maintenance":"false","needsDbUpgrade":"false","version":"10.0.3.0","versionstring":"10.0.3 beta","edition":"Community","productname":"ownCloud"}
Updated from an older ownCloud or fresh install:
Fresh
The content of config/config.php:
Are you using external storage, if yes which one: local/smb/sftp/...
No.
Are you using encryption:
No.
Logs
Client configuration
Browser
Chrome
cc @PVince81
The text was updated successfully, but these errors were encountered: