warn about external storages in guests_app.adoc

[jnweiger]

Guests have access to external storages, even when the files_external app is not in the whitelist.
I could not find anything to limit external storages to non-guest users. IMHO, that would be a sane default.

@pako81 Maybe this is a bug and should be fixed, rather than documented?

Not sure, if this warning should be here, or in the section about external storages instead.

[pako81]

This is happening because files_external, files_external_dropbox, files_external_ftp, files_external_s3 and windows_network_drive are included in the CORE_WHITELIST https://github.com/owncloud/guests/blob/master/lib/AppWhitelist.php#L33 and are therefore hard-coded.

I remember we discussed this some time ago as we updated the whitelist for the guests app for version 0.12.1. And, if I recall correctly, the decision at that time was to leave external storages apps.

I am also not a big fan of letting guests access external storages by default. Note that if we decide to change this, guests will still be able to see the external storage listed but as soon as they click on it an error will be returned:

I am open for changes in the current behaviour. @phil-davis @jvillafanez what do you think?

[phil-davis]

Someone needs to decide what the requirement is, and then sort out the effort required if a change to the current behavior is needed.

For example, if a company has some external storage that is available to "all users" then probably the storage contains company-wide documents - maybe policies/procedures/forms etc. And I expect that they would not want or expect that guest users can view such things. So they would want a way to control that. Maybe they can already? Mount the external storage to a group that contains "all staff"?

[mmattel]

Should this PR now be continued (review/merge/beackport) or is it on-hold? For the latter, put it to draft.

[pako81]

Discussed with @hodyroff. Guests should not access external storages normally available for "all" users.

We apparently have two options here:

1. still show external storages to guests but as soon as they click on them they will get an "storage is temporary not available" error (it may however be confusing for the guests)

2. not show external storages at all to guests, more complicated as front-end code would be required.

Probably option 1. would already suffice here.

[pako81]

I don't think it is technically possible to provide a more meaningful error message to guests or even the Access to this resource is forbidden for guests template as files_external storages are mounted at the login so i.e. when hardcoding the name of the windows_network_drive app at https://github.com/owncloud/guests/blob/master/lib/AppWhitelist.php#L47-L60, the guest will automatically get that template at login and would not be able to login at all.

[mmattel]

This is going to be a technical discussion that should be held in core.
Whatever the finding is to be documented, the current changes or new stuff, pls drop a doc related comment. Not working on it until then.

[jnweiger]

Noting todo for documentation here right now. Needs to be sorted out in a core or enterprise ticket first.

[jnweiger]

Followup in owncloud/core#40894