Feat/ocisdev 949/disable direct sharing#12542
Conversation
8e443b0 to
3cff93f
Compare
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
69a050d to
94bd77b
Compare
dj4oC
left a comment
There was a problem hiding this comment.
Adds independent OCIS_ENABLE_USER_SHARING / OCIS_ENABLE_PUBLIC_SHARING config flags (default true) enforced across reva's user/ocm/public share providers and oCIS's graph/frontend/sharing services, so ops can disable direct sharing and/or public link sharing per deployment.
Findings
Security (needs verification, not confirmed exploitable): the new Invite() gate in api_driveitem_permissions.go checks IsSpaceRoot(resourceId) against the raw, caller-supplied resource ID rather than a Stat-verified one — see inline comment. If this can be spoofed on any backend, the whole disable-sharing feature is silently defeated. A01:2021 Broken Access Control — CWE-863.
Stability (concern): usershareprovider.New() — a vendored, exported constructor — gained a 4th parameter. Any un-diffed call site still using the old signature would fail to compile; needs a whole-repo go build ./... confirmation, not just the touched packages. Separately, FileShares.vue's new canShareWithUsers computed collapses "admin disabled sharing instance-wide" and "you personally lack permission" into the same message — minor UX correctness issue, non-blocking.
Performance: No findings — this is a config-gated boolean check at existing handler entry points; one path (sharees.go) got cheaper (skips a gateway RPC) when the flag is off.
Test coverage (blocking): 0%. This PR ships a new security/compliance-relevant permission gate across 5 services with no unit test asserting either flag actually blocks share creation, and no e2e/acceptance test for OCIS_ENABLE_USER_SHARING=false / OCIS_ENABLE_PUBLIC_SHARING=false. The author's "full test suite passes" claim doesn't exercise the new branches — no test in the diff references either flag. Suggested test shape left inline. TODOs found: none. Dependency touched: yes — github.com/owncloud/reva/v2 bumped to track owncloud/reva#651; all 3 Snyk checks (security/license/code) pass on the current head, so no new CVE/license concern from this bump specifically.
Deployment topology check
Compatible — this is a per-service Go config flag read at startup with server-side enforcement in each deployment topology (single binary, docker-compose, k8s); no topology-specific assumptions.
Verdict
Changes requested — not because the feature is wrong, but the access-control bypass question needs a maintainer answer before this ships as a compliance control, the vendor signature change needs a full-repo build check, and the 0% test coverage on new permission-enforcement logic falls well short of the required bar.
🤖 Automated review by Claude Code (security · stability · performance · coverage)
Generated by Claude Code
|
@claude please add a playwright test to it |
94bd77b to
aa836c1
Compare
…e6f7f Includes owncloud/reva#651, which adds the enable_user_sharing and enable_public_sharing config options this feature depends on.
Adds two independent, per-deployment config options: - OCIS_ENABLE_USER_SHARING (default true), read by the frontend, graph, sharing and ocm services. When false, creating new user, group or federated shares is rejected (via reva's usershareprovider and ocmshareprovider, and via the graph Invite endpoint for the modern web client), the legacy sharees search endpoint returns no results, and the files_sharing.user.enabled / user_enumeration.enabled capabilities report false so the web UI hides the "share with people" search. Space membership invites are exempt. - OCIS_ENABLE_PUBLIC_SHARING (default true), read by the frontend and sharing services. When false, creating new public links is rejected via reva's publicshareprovider, and files_sharing.public.enabled reports false so the web UI hides public link creation. The two settings are fully independent of each other.
aa836c1 to
5e589ca
Compare
Description
Adds two independent, per-deployment config options that let Ops disable direct (user/group/federated) sharing and/or public link sharing:
Both settings default to enabled and are fully independent of each other. Requires owncloud/reva#651 (already merged; this PR bumps the vendored dependency to that commit).
Related Issue
Motivation and Context
Ops need the ability to lock down sharing per deployment for compliance/security reasons — e.g. disabling all direct user-to-user sharing while still allowing public links (or vice versa), without one setting affecting the other.
How Has This Been Tested?
Screenshots (if appropriate):
None — behavior is a hidden/shown UI element; can add before/after screenshots on request.
Types of changes
Checklist: