I’ve found a critical security issue on circles and I’m not sure where to report as a bug.
Using nextcloud 18.104.22.168. Create a Circle and add Members to it, create a folder and share with circle members. Then access with regular member of a circle…and share is not shown in user space.
Then promote user to “Moderator” and check again, share is now shown. For me this is already a bug, but then the worrying part comes: demote the user again to “Member” and the share is still shown! But things can even go worse!! I REMOVE user from circle and share is still available, user can read, add or remove files and folders.
I consider this is an extremely severe security issue as user can alter contents.
This behaviour has been reported in the past to the github repository but never answered. Folders shared with circles can't be accessed by other circle members · Issue #1167 · nextcloud/circles · GitHub
(FYI I’ve found that despite the “delete user” from circle request returns a 200 code and removes it from the UI the user is not removed. Refresh page shows it again with same level, no errors shown in nextcloud log)
Our only “strange” app that we use is SSO & SAML authentication.
Where can I report this as a bug?
EDIT: sorry I did some mess when trying to edit solution. You can check it at my bug report [Bug]: Members of circle cannot access shared folders. Removed user can still access/modify files · Issue #38146 · nextcloud/server · GitHub