-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[QA] Guests should not access external storages normally available for "all" users #40894
Comments
No regression. |
@hodyroff Is this expected behaviour or should we change the defaults? |
IMHO the default should be that its not available ... like JW suggests - if that is technically possible and easy. |
I'd vote for a "won't fix" https://github.com/owncloud/guests/pull/535/files is when the external storages were added to the core whitelist. The PR mentions encryption, which makes sense because otherwise the guests wouldn't be able to decrypt the files, but I'm not sure about external storages. Maybe they were added in case someone shares a file with them (being the file in an external storage), so the guest could access to it. In any case, the only valid solution I see without having to tear things apart is to move the external storages from the core whitelist to the default whitelist. I'm not sure what would happen if the admin remove any external storage from the whitelist (just the If we want to fiddle with these things, it might be better to plan a way for the users to interact with the apps. I know we have options to enable apps for specific groups, and maybe we should be exploring that option instead, but it will take time to propose a viable solution (if any). |
Not a Prio fmpov |
Guests have access to external storages, even when the files_external app is not in the whitelist.
I could not find anything to limit external storages to non-guest users. IMHO, that would be a sane default.
I had opened a doc issue to get this behaviour documented, owncloud/docs-server#1036, but it seems we agree that it is more a bug that should be fixed, rather than documented.
The text was updated successfully, but these errors were encountered: