Static tags should be filtered in the server #34440

Closed
sharidas opened this issue Feb 11, 2019 · 4 comments · Fixed by #34547

@sharidas
Contributor

Steps to reproduce

  1. Create static tags by assigning to the groups, say group1
  2. Log in as a user, say user1, who does not belong to group1
  3. Navigate to the tags page
  4. Open the web dev tools to see the request and response
  5. Try to get the filters by clicking on "Select tags to filter by"
  6. Verify the response; it will have static tags.

Expected behaviour

The response should not have static tags

Actual behaviour

The response does have static tags

Server configuration

Operating system: Ubuntu 18.04

Web server: Apache

Database: mysql

PHP version: 7.2

ownCloud version: (see ownCloud admin page) stable10 branch

Updated from an older ownCloud or fresh install:

Where did you install ownCloud from:

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:

Operating system:

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...
@PVince81
Contributor

might need to revert some parts of #34116 since the filtering is not needed any more on the client side

@ownclouders
Contributor

GitMate.io thinks the contributor most likely able to help you is @ownclouders.

Possibly related issues are #34002 (Static tags are shown in the searchbox "Select tags to filter by" even when they do not belong to the user's group), #34054 (Add lock to the static tag in the input field when required), #22566 (Too many mapping entries for system tag kill the DB server), #12195 (server not found), and #21001 (System tag filter section in files navigation).

@sharidas
Contributor Author

Once the tags are retrieved here https://github.com/owncloud/core/blob/master/apps/dav/lib/SystemTag/SystemTagsByIdCollection.php#L122
IMHO an array_filter() should help us filter out static tags which are not meant for the user.

I have tested locally with the changes, and verified the response. The response does not have static tags for the users who are not part of the static tags group.
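
The server-side array_filter() approach suggested in the comment above, as an added illustration; it is not code from the ownCloud repository or from the commenter. The Tag class, filterTagsForUser() and every group name other than group1 are hypothetical stand-ins, and the sample data is constructed.

```php
<?php
// Hypothetical stand-in for a system tag (not ownCloud's ISystemTag).
class Tag
{
    public $name;
    public $isStatic;
    public $allowedGroups; // groups entitled to a static tag

    public function __construct($name, $isStatic, array $allowedGroups = [])
    {
        $this->name = $name;
        $this->isStatic = $isStatic;
        $this->allowedGroups = $allowedGroups;
    }
}

/**
 * Remove static tags the user is not entitled to before the response is
 * built, so the client never receives them. Non-static tags pass through.
 * A static tag with no allowed groups is hidden from everyone (fail closed).
 */
function filterTagsForUser(array $tags, array $userGroups)
{
    $visible = array_filter($tags, function (Tag $tag) use ($userGroups) {
        if (!$tag->isStatic) {
            return true;
        }
        // Static tag: the user must share at least one group with it.
        return count(array_intersect($tag->allowedGroups, $userGroups)) > 0;
    });
    // array_filter() preserves keys; reindex so the result serializes as a list.
    return array_values($visible);
}

// Constructed sample data mirroring the reproduction steps.
$tags = [
    new Tag('project-x', false),
    new Tag('confidential', true, ['group1']),
    new Tag('finance-only', true, ['finance']),
];

// user1 is not a member of group1; the second caller is.
$forUser1  = filterTagsForUser($tags, ['everyone']);
$forMember = filterTagsForUser($tags, ['group1']);

echo json_encode(array_column($forUser1, 'name')), PHP_EOL;
echo json_encode(array_column($forMember, 'name')), PHP_EOL;
```

Filtering in the browser instead would still deliver the static tag names in the response body, which is what step 6 of the reproduction observes.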

@sharidas
Contributor Author

sharidas commented Feb 19, 2019

@lock lock bot locked as resolved and limited conversation to collaborators Feb 21, 2020