[QA] Guests should not access external storages normally available for "all" users #40894
Comments
|
No regression. |
hodyroff
added
the
p2-high
|
@hodyroff Is this expected behaviour or should we change the defaults? |
|
IMHO the default should be that its not available ... like JW suggests - if that is technically possible and easy. |
|
I'd vote for a "won't fix" https://github.com/owncloud/guests/pull/535/files is when the external storages were added to the core whitelist. The PR mentions encryption, which makes sense because otherwise the guests wouldn't be able to decrypt the files, but I'm not sure about external storages. Maybe they were added in case someone shares a file with them (being the file in an external storage), so the guest could access to it. In any case, the only valid solution I see without having to tear things apart is to move the external storages from the core whitelist to the default whitelist. I'm not sure what would happen if the admin remove any external storage from the whitelist (just the If we want to fiddle with these things, it might be better to plan a way for the users to interact with the apps. I know we have options to enable apps for specific groups, and maybe we should be exploring that option instead, but it will take time to propose a viable solution (if any). |
|
Not a Prio fmpov |
Guests have access to external storages, even when the files_external app is not in the whitelist.
I could not find anything to limit external storages to non-guest users. IMHO, that would be a sane default.
I had opened a doc issue to get this behaviour documented, owncloud/docs-server#1036, but it seems we agree that it is more a bug that should be fixed, rather than documented.
The text was updated successfully, but these errors were encountered: