Nextcloud version (eg, 20.0.5): 26.0.1
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.41
PHP version (eg, 7.4): 8.2.5
The issue you are facing: Setting up public sharing permissions via the OCS Share API - I hope this is user error and not a bug!
I have a need to be able to automate the generation of share links to allow the public to upload only to a specific share.
I’ve been able to set this up:
curl -u superadmin:SuperPassword* -X POST 'https://<FQDN>/ocs/v2.php/apps/files_sharing/api/v1/shares?shareType=3&permissions=4&path=/UploadShare&publicUpload=true&label=perm4' -H "OCS-APIRequest: true"
It works, I get the share info back via XML which includes the token and the URL to send to the uploader.
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data>
<id>33</id>
<share_type>3</share_type>
<uid_owner>superadmin</uid_owner>
<displayname_owner>Super Admin</displayname_owner>
<permissions>31</permissions>
<can_edit>1</can_edit>
<can_delete>1</can_delete>
<stime>1682584336</stime>
<parent/>
<expiration/>
<token>9rFcHHgDdJKZ464</token>
<uid_file_owner>superadmin</uid_file_owner>
<note></note>
<label>perm4</label>
<displayname_file_owner>Super Admin</displayname_file_owner>
<path>/UploadShare</path>
<item_type>folder</item_type>
<mimetype>httpd/unix-directory</mimetype>
<has_preview></has_preview>
<storage_id>home::superadmin</storage_id>
<storage>7</storage>
<item_source>11613</item_source>
<file_source>11613</file_source>
<file_parent>11520</file_parent>
<file_target>/UploadShare</file_target>
<share_with/>
<share_with_displayname>(Shared link)</share_with_displayname>
<password/>
<send_password_by_talk></send_password_by_talk>
<url>https://<FQDN>/index.php/s/9rFcHHgDdJKZ464</url>
<mail_send>1</mail_send>
<hide_download>0</hide_download>
<attributes/>
</data>
</ocs>
However, I have noticed that despite defining the permissions as 4
(write / upload only), the returned XML seems to suggest the permissions have been set to 31
which is full.
This is confirmed in the web GUI, if I look at the above share:
Why is this set to 31? I tried different values for permissions, but no matter what I feed in the curl command, the permissions are set to 31.
If I leave out the permissions variable entirely, it still sets it to 31.
Not only is this not what I want, but also appears to be incorrect according to the documentation where it states that the default (if nothing is specified?) for a public share should be 1: OCS Share API — Nextcloud latest Developer Manual latest documentation
So have I got something wrong or is this a really big security problem where persmissions are not set as defined in the API request?
Many thanks for any input.