Share links do not work for logged-in LDAP users with avatars #26517

Closed
Nilix007 opened this issue Nov 1, 2016 · 10 comments

Nilix007 commented Nov 1, 2016

Steps to reproduce

  1. Log in as LDAP user with an avatar
  2. Open a share link from another ownCloud user

Expected behaviour

The user should see the shared file(s).

Actual behaviour

A blank page will be displayed.

Problem and hotfix

The problem is that the setupFS call in apps/dav/appinfo/v1/publicwebdav.php:75 fails because setupFS has been called before (probably when the avatar was loaded). Afterwards, ownCloud is unable to find the mountpoint of the shared file because the mountpoints checked are from the logged-in user and not from the user who shared the file(s).

The hotfix forces a tear down of the filesystem component so that the setupFS call succeeds.

diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php
index 07004f4..ce3fad6 100644
--- a/apps/dav/appinfo/v1/publicwebdav.php
+++ b/apps/dav/appinfo/v1/publicwebdav.php
@@ -72,6 +72,7 @@ $server = $serverFactory->createServer($baseuri, $requestUri, $authBackend, func
                return new \OC\Files\Storage\Wrapper\PermissionsMask(array('storage' => $storage, 'mask' => $share->getPermissions() | \OCP\Constants::PERMISSION_SHARE));
        });
 
+       OC_Util::tearDownFS(); // XXX: hotfix
        OC_Util::setupFS($owner);
        $ownerView = \OC\Files\Filesystem::getView();
        $path = $ownerView->getPath($fileId);
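
Review bot: the added `OC_Util::tearDownFS(); // XXX: hotfix` line runs unconditionally before `OC_Util::setupFS($owner)`, and its comment does not say which state it clears or why. Because `$ownerView->getPath($fileId)` on the following lines depends on the filesystem really being set up for `$owner`, I would replace the XXX marker with a short explanation that references this issue, and check after `setupFS($owner)` that the active view belongs to `$owner`, failing the request otherwise, so that a filesystem left over from another user is never used to resolve a public share. The teardown also hides whichever earlier call set up the filesystem on this public endpoint; that caller should be identified rather than left behind the hotfix.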

Server configuration

Operating system: Debian Jessie

Web server: Nginx 1.9.10

Database: Postgres 9.4

PHP version: 5.6.27

ownCloud version: 9.1.1 + patch from #26399

Updated from an older ownCloud or fresh install: Upgraded from 8.2 (via 9.0)

Where did you install ownCloud from: Owncloud deb repository

Signing status (ownCloud 9.0 and above): unknown :)

No errors have been found.

List of activated apps:

Enabled:
  - activity: 2.3.2
  - comments: 0.3.0
  - dav: 0.2.6
  - external: 1.2
  - federatedfilesharing: 0.3.0
  - federation: 0.1.0
  - files: 1.5.1
  - files_external: 0.6.0
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.10.0
  - files_texteditor: 2.1
  - files_trashbin: 0.9.0
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - gallery: 15.0.0
  - notifications: 0.3.0
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - templateeditor: 0.1
  - updatenotification: 0.2.1
  - user_ldap: 0.9.0
Disabled:
  - encryption
  - files_antivirus
  - firstrunwizard
  - user_external

The content of config/config.php:

{
    "system": {
        "instanceid": "*** REMOVED ***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [  *** REMOVED *** ],
        "datadirectory": "\/opt\/storage\/data",
        "dbtype": "pgsql",
        "version": "9.1.1.3",
        "dbname": "owncloud",
        "dbhost": "*** REMOVED ***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "forcessl": false,
        "ldapIgnoreNamingRules": false,
        "theme": "mafiasi",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "*** REMOVED ***",
        "mail_from_address": "*** REMOVED ***",
        "mail_domain": "*** REMOVED ***",
        "maintenance": false,
        "minimum.supported.desktop.version": "1.5",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "trashbin_retention_obligation": "auto",
        "overwrite.cli.url": "*** REMOVED ***",
        "logtimezone": "UTC",
        "logfile": "\/opt\/log\/owncloud.log",
        "loglevel": 1,
        "updatechecker": false
    }
}

Are you using external storage, if yes which one: no, only local

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

+-------------------------------+---------------------------------------------+
| Configuration                 |                                             |
+-------------------------------+---------------------------------------------+
| hasMemberOfFilterSupport      |                                             |
| hasPagedResultSupport         |                                             |
| homeFolderNamingRule          |                                             |
| lastJpegPhotoLookup           | 0                                           |
| ldapAgentName                 | cn=*** REMOVED ***,dc=*** REMOVED ***,dc=de |
| ldapAgentPassword             | ***                                         |
| ldapAttributesForGroupSearch  | cn                                          |
| ldapAttributesForUserSearch   | uid;sn;displayName;givenName                |
| ldapBackupHost                |                                             |
| ldapBackupPort                |                                             |
| ldapBase                      | dc=*** REMOVED ***,dc=de                    |
| ldapBaseGroups                | ou=groups,dc=*** REMOVED ***,dc=de          |
| ldapBaseUsers                 | ou=People,dc=*** REMOVED ***,dc=de          |
| ldapCacheTTL                  | 600                                         |
| ldapConfigurationActive       | 1                                           |
| ldapDynamicGroupMemberURL     |                                             |
| ldapEmailAttribute            | mail                                        |
| ldapExperiencedAdmin          | 0                                           |
| ldapExpertUUIDGroupAttr       |                                             |
| ldapExpertUUIDUserAttr        |                                             |
| ldapExpertUsernameAttr        | uid                                         |
| ldapGroupDisplayName          | cn                                          |
| ldapGroupFilter               | (&(|(objectclass=posixGroup)))              |
| ldapGroupFilterGroups         |                                             |
| ldapGroupFilterMode           | 0                                           |
| ldapGroupFilterObjectclass    | posixGroup                                  |
| ldapGroupMemberAssocAttr      | memberUid                                   |
| ldapHost                      | ldap://*** REMOVED ***                      |
| ldapIgnoreNamingRules         |                                             |
| ldapLoginFilter               | (&(|(objectclass=inetOrgPerson))(uid=%uid)) |
| ldapLoginFilterAttributes     |                                             |
| ldapLoginFilterEmail          | 0                                           |
| ldapLoginFilterMode           | 1                                           |
| ldapLoginFilterUsername       | 1                                           |
| ldapNestedGroups              | 0                                           |
| ldapOverrideMainServer        | 0                                           |
| ldapPagingSize                | 500                                         |
| ldapPort                      | 389                                         |
| ldapQuotaAttribute            | ownCloudQuota                               |
| ldapQuotaDefault              | 2 GB                                        |
| ldapTLS                       | 0                                           |
| ldapUserDisplayName           | displayname                                 |
| ldapUserDisplayName2          |                                             |
| ldapUserFilter                | (|(objectclass=inetOrgPerson))              |
| ldapUserFilterGroups          |                                             |
| ldapUserFilterMode            | 0                                           |
| ldapUserFilterObjectclass     | inetOrgPerson                               |
| ldapUuidGroupAttribute        | auto                                        |
| ldapUuidUserAttribute         | auto                                        |
| turnOffCertCheck              | 0                                           |
| useMemberOfToDetectMembership | 1                                           |
+-------------------------------+---------------------------------------------+

Client configuration

Browser: Firefox 49

Operating system: Debian Jessie

Logs

Web server error log

no log available

ownCloud log (data/owncloud.log)

{"reqId":"*** REMOVED ***","remoteAddr":"*** REMOVED ***","app":"webdav","message":"Exception: {\"Message\":\"File with id \\\"5830676\\\" has not been found.\",\"Exception\":\"OCP\\\\Files\\\\NotFoundException\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/publicwebdav.php(77): OC\\\\Files\\\\View->getPath(5830676)\\n#1 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/ServerFactory.php(130): {closure}(Object(OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Server))\\n#2 [internal function]: OCA\\\\DAV\\\\Connector\\\\Sabre\\\\ServerFactory->OCA\\\\DAV\\\\Connector\\\\Sabre\\\\{closure}(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#3 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Object(Closure), Array)\\n#4 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(446): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#5 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(248): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#6 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/publicwebdav.php(87): Sabre\\\\DAV\\\\Server->exec()\\n#7 \\\/var\\\/www\\\/owncloud\\\/public.php(74): require_once('\\\/var\\\/www\\\/ownclo...')\\n#8 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/View.php\",\"Line\":1705,\"User\":false}","level":4,"time":"2016-10-31T17:51:54+00:00","method":"PROPFIND","url":"\/public.php\/webdav\/","user":"--"}

Browser log

no log captured
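
The failure described under "Problem and hotfix" above, as a simplified model added here (not ownCloud code and not part of the original report). `ToyFilesystem`, `resolveShare`, the users and the file ids are hypothetical, and the early-return guard in `setupFS` is an assumption taken from the reporter's description.

```php
<?php
// Simplified model; ToyFilesystem is a hypothetical stand-in, not an ownCloud class.
// Users, file ids and paths are constructed sample data.
class ToyFilesystem
{
    private static $setupFor = null;   // user whose mounts are loaded
    private static $mounts = array();  // file id => path for that user
    private static $storage = array(
        'userA' => array(101 => '/userA/files/avatar.png'),
        'userB' => array(202 => '/userB/files/test'),
    );

    // Assumed guard: once a filesystem is set up, later calls do nothing.
    public static function setupFS($user)
    {
        if (self::$setupFor !== null) {
            return false;
        }
        self::$setupFor = $user;
        self::$mounts = self::$storage[$user];
        return true;
    }

    public static function tearDownFS()
    {
        self::$setupFor = null;
        self::$mounts = array();
    }

    public static function getPath($fileId)
    {
        return isset(self::$mounts[$fileId]) ? self::$mounts[$fileId] : null;
    }
}

// Resolve a public share owned by $owner; $tearDownFirst models the hotfix.
function resolveShare($owner, $fileId, $tearDownFirst)
{
    if ($tearDownFirst) {
        ToyFilesystem::tearDownFS();
    }
    $loaded = ToyFilesystem::setupFS($owner) ? $owner : 'a previous user';
    $path = ToyFilesystem::getPath($fileId);
    return sprintf('mounts of %s -> %s', $loaded, $path === null ? 'not found' : $path);
}

ToyFilesystem::setupFS('userA');                // earlier in the request (e.g. avatar load)
echo resolveShare('userB', 202, false), "\n";   // without the hotfix
echo resolveShare('userB', 202, true), "\n";    // with the teardown
```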


PVince81 commented Nov 2, 2016

My steps:

  1. Install OC 9.1.1 from the tarballs
  2. Set up LDAP (using the docker and zombies from https://github.com/owncloud/administration/tree/master/ldap-testing)
  3. Log in as "zombie400" twice (yeah, there's a bug that the avatar doesn't get fetched the first time)
  4. Create a folder "test"
  5. Share "test" with link
  6. Copy link
  7. Log out
  8. Log in as "zombie401" twice
  9. Open copied link
  10. Log out
  11. Open copied link again
  12. Apply the patch from [stable9.1] Fix initMountPoints to set usersSetup earlier #26399
  13. Reopen the link as "zombie401" and also logged out

Works for me, cannot reproduce the issue.

@Nilix007 the mentioned patch doesn't apply 100% on top of v9.1.1. Can you diff your file with the one from the 9.1.2RC2 release? (https://github.com/owncloud/core/blob/v9.1.2RC2/lib/private/Files/Filesystem.php)
Or alternatively try with 9.1.2RC2 to see if the problem persists there.

So far it's not clear whether it's a patching issue or whether there is something else at play.
Your explanation of the issue sounds like a potential legitimate issue.

@PVince81 PVince81 added this to the 9.1.3 milestone Nov 2, 2016

Nilix007 commented Nov 7, 2016

It was more complicated than I thought at first, but I was able to reproduce the issue with an unpatched 9.1.2RC2 with our old database from 9.1.1.

My steps to reproduce:
Prerequisites. Two users A and B. Both are authenticated using LDAP. User A has an avatar.

  1. As user B: Create a public share link. Let's call it link 1.
  2. As user B: Set a file from the ownCloud as avatar via the web interface.
  3. As user B: Create another public share link for a folder. Let's call it link 2.
  4. As anonymous user: Both share links work (i.e. the content is shown via the web interface)
  5. As user A: Only link 1 works. Link 2 only shows a notification to contact the administrator.

I am not sure where the difference is between your steps and mine. Maybe the fact that you are using an LDAP avatar and I set the avatar as an ownCloud file via the web interface?


PVince81 commented Nov 7, 2016

@Nilix007 thanks for the detailed steps.

I tried just that and it still works fine. For the avatars I now used local OC files as avatars instead of LDAP avatars. Did you clear the browser cache + cookies before logging in as User A?

@PVince81

Downgrading to sev2-high as this is not a general issue (not reproducible) and needs a specific env.

@PVince81

Looking at your hotfix it seems to mean that somewhere there is previous code running that would set up the FS for the currently logged in user. But usually this should not happen for public links because it should switch to "incognito mode" early.

I don't see any third party apps in your list so it is unlikely that a hook of some sorts would access the FS very early on this code path.

Mind trying with 9.1.2 or 9.1.3RC1 and see whether the issue still exists? 9.1.2 also contained other fixes related to avatars.

@PVince81 PVince81 self-assigned this Nov 30, 2016

Nilix007 commented Dec 7, 2016

The issue still exists with 9.1.2 and 9.1.3RC1.


PVince81 commented Dec 7, 2016

Thanks for checking. Need to find a way to reproduce this locally.

@PVince81 PVince81 modified the milestones: 9.1.4, 9.1.3 Dec 22, 2016
@PVince81 PVince81 modified the milestones: 9.1.5, 9.1.4 Feb 6, 2017

PVince81 commented Apr 6, 2017

Have you checked online whether other people were having similar issues?

You could try with 9.1.5 RC1 or 10.0 beta which contain a few more LDAP fixes.

@PVince81 PVince81 modified the milestones: 9.1.6, 9.1.5 Apr 13, 2017
@PVince81

Please try with 9.1.5. If the problem persists, please reopen.

lock bot commented Jul 31, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jul 31, 2019