Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Can rename file/folder in group folder without delete permission #3276

Open
4 of 8 tasks
luka-nextcloud opened this issue Aug 8, 2024 · 4 comments
Open
4 of 8 tasks

[Bug]: Can rename file/folder in group folder without delete permission #3276

luka-nextcloud opened this issue Aug 8, 2024 · 4 comments
Assignees
@luka-nextcloud
Labels
0. Needs triage Issues that need to be triaged bug

Comments

@luka-nextcloud
Copy link

⚠️ This issue respects the following points: ⚠️

Bug description

Users can rename a file/folder when the right of delete file is denied in advanced authorization. Happens on 29 and master.

Steps to reproduce

  1. Create a group folder "GroupFolder1"
  2. Create a group "Group1"
  3. Assign user "UserA" to group "Group1"
  4. Assign group "Group1" to "GroupFolder1"
  5. Enable "advanced permissions" for group folder "GroupFolder1" and select "Group1"
  6. Login as "UserA"
  7. Access files
  8. Open sharing tab of folder "GroupFolder1"
  9. Add advanced permission for group "Group1". Allow read, write, create, share. Deny delete
  10. Access folder "GroupFolder1"
  11. Create any file/folder
  12. Rename created file/folder

Expected behavior

File/Folder cannot be renamed without delete permission.

Installation method

None

Nextcloud Server version

29

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response
@luka-nextcloud luka-nextcloud added bug 0. Needs triage Issues that need to be triaged labels Aug 8, 2024
@luka-nextcloud luka-nextcloud self-assigned this Aug 8, 2024
@luka-nextcloud luka-nextcloud mentioned this issue Aug 8, 2024
Closed
8 tasks
@small1
Copy link

small1 commented Aug 22, 2024

This will be a tricky one since DELETE is not issued on rename. as long as you have write you can rename.

@luka-nextcloud
Copy link
Author

This will be a tricky one since DELETE is not issued on rename. as long as you have write you can rename.

Some storages might have only one operation for rename, but that is not guaranteed. So, we should make it consistent between storages.

@joshtrichards
Copy link
Member

joshtrichards commented Sep 12, 2024
edited
Loading

Is this the inverse of #859? :-)

Also see #1646

@joshtrichards joshtrichards transferred this issue from nextcloud/server Sep 25, 2024
@provokateurin
Copy link
Member

Hm I'd say this is intended. Delete means non-recoverable changes while renaming a file or folder can be reverted easily.
I'd say this can be fixed with #1646 by just adding it to the ACL options.
I'm not sure if it should be the same as the "Move" ACL or a separate "Rename" ACL.
@joshtrichards what do you think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@luka-nextcloud luka-nextcloud

Labels
0. Needs triage Issues that need to be triaged bug
Projects
📝 Office team
Status: 🧭 Planning evaluation (don't pick)
Milestone
No milestone
Development

No branches or pull requests
4 participants
@small1 @joshtrichards @provokateurin @luka-nextcloud