Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: mask out rule permissions before merging permissions #2833

Merged
merged 2 commits into from
Mar 5, 2024

Conversation

icewind1991
Copy link
Member

To test:

  • Create group1 and group2
  • Create user1 and add it to group1 and group2
  • Create a groupfolder with access to group1 and group2 and acl enabled
  • On the groupfolder, set all permissions to allow for group1, and all except read to deny for group2
  • Create a subfolder folder
  • On the subfolder, set all to deny for group2.
  • occ groupfolders:permissions 1 should list the following permissions
+--------+---------------+-----------------------------------------+
| Path   | User/Group    | Permissions                             |
+--------+---------------+-----------------------------------------+
| /      | group: group2 | -write, -create, -delete, -share        |
|        | group: group1 | +read, +write, +create, +delete, +share |
| folder | group: group2 | -read, -write, -create, -delete, -share |
+--------+---------------+-----------------------------------------+

User1 has no access to the subfolder, as it is denied through group2

  • On folder, set all share permissions to deny and the rest to inherit
  • occ groupfolders:permissions 1 should list the following permissions
+--------+---------------+-----------------------------------------+
| Path   | User/Group    | Permissions                             |
+--------+---------------+-----------------------------------------+
| /      | group: group2 | -write, -create, -delete, -share        |
|        | group: group1 | +read, +write, +create, +delete, +share |
| folder | group: group1 | -share                                  |
|        | group: group2 | -read, -write, -create, -delete, -share |
+--------+---------------+-----------------------------------------+

On master: user1 now suddenly has access to the folder, even though there should be no new allow permissions for them.

With this PR his permissions are still denied.

lib/ACL/Rule.php Outdated Show resolved Hide resolved
@icewind1991 icewind1991 force-pushed the mask-acl-permissions-before-merge branch from 0791457 to 14c2d19 Compare March 4, 2024 13:07
@icewind1991 icewind1991 requested a review from come-nc March 4, 2024 14:49
@icewind1991 icewind1991 merged commit 314fae1 into master Mar 5, 2024
44 checks passed
@icewind1991 icewind1991 deleted the mask-acl-permissions-before-merge branch March 5, 2024 12:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants