OCS Share API options and defining permissions - bug ?!?

Nextcloud version (eg, 20.0.5): 26.0.1
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.41
PHP version (eg, 7.4): 8.2.5

The issue you are facing: Setting up public sharing permissions via the OCS Share API - I hope this is user error and not a bug!

I have a need to be able to automate the generation of share links to allow the public to upload only to a specific share.

I’ve been able to set this up:

curl -u superadmin:SuperPassword* -X POST 'https://<FQDN>/ocs/v2.php/apps/files_sharing/api/v1/shares?shareType=3&permissions=4&path=/UploadShare&publicUpload=true&label=perm4' -H "OCS-APIRequest: true"

It works, I get the share info back via XML which includes the token and the URL to send to the uploader. :slight_smile:

<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message>OK</message>
 </meta>
 <data>
  <id>33</id>
  <share_type>3</share_type>
  <uid_owner>superadmin</uid_owner>
  <displayname_owner>Super Admin</displayname_owner>
  <permissions>31</permissions>
  <can_edit>1</can_edit>
  <can_delete>1</can_delete>
  <stime>1682584336</stime>
  <parent/>
  <expiration/>
  <token>9rFcHHgDdJKZ464</token>
  <uid_file_owner>superadmin</uid_file_owner>
  <note></note>
  <label>perm4</label>
  <displayname_file_owner>Super Admin</displayname_file_owner>
  <path>/UploadShare</path>
  <item_type>folder</item_type>
  <mimetype>httpd/unix-directory</mimetype>
  <has_preview></has_preview>
  <storage_id>home::superadmin</storage_id>
  <storage>7</storage>
  <item_source>11613</item_source>
  <file_source>11613</file_source>
  <file_parent>11520</file_parent>
  <file_target>/UploadShare</file_target>
  <share_with/>
  <share_with_displayname>(Shared link)</share_with_displayname>
  <password/>
  <send_password_by_talk></send_password_by_talk>
  <url>https://<FQDN>/index.php/s/9rFcHHgDdJKZ464</url>
  <mail_send>1</mail_send>
  <hide_download>0</hide_download>
  <attributes/>
 </data>
</ocs>

However, I have noticed that despite defining the permissions as 4 (write / upload only), the returned XML seems to suggest the permissions have been set to 31 which is full.

This is confirmed in the web GUI, if I look at the above share:

Why is this set to 31? I tried different values for permissions, but no matter what I feed in the curl command, the permissions are set to 31.

If I leave out the permissions variable entirely, it still sets it to 31.

Not only is this not what I want, but it also appears to be incorrect according to the documentation, where it states that the default (if nothing is specified?) for a public share should be 1: OCS Share API — Nextcloud latest Developer Manual latest documentation

So have I got something wrong or is this a really big security problem where permissions are not set as defined in the API request?

Many thanks for any input.

I’ve done some more testing, and I get different results if I omit the publicUpload=true variable.

  • Without this, and without defining any permissions, they’re set to 17 (read only).
  • If I then define permission of 2 for example, then they’re set to 19.
  • If I then define permissions of 4, it’s then 21.

So it appears to take whatever value we define in permissions and then add 17. I don’t know if this is expected.

Of course, I have now tried defining a value of -13 so 17-13=4, but alas, that doesn’t work and I get an `Invalid permissions` message. :frowning:

This has been logged as a bug; I hadn’t noticed it before on GitHub.
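
Added example, not part of the original thread or of Nextcloud's code: a check that automation creating public upload links can run on the OCS response before handing out the URL, comparing the `<permissions>` value the server returned with the value requested and naming any extra bits. The function names, the sample response (trimmed from the shape shown above, with a placeholder host and token) and the "refuse to publish" policy are assumptions; the bit meanings are those listed in the OCS Share API documentation.

```python
import xml.etree.ElementTree as ET

# Permission bits as documented for the OCS Share API (31 = all of them).
PERMISSION_BITS = {1: "read", 2: "update", 4: "create", 8: "delete", 16: "share"}

# Constructed sample: trimmed copy of the response shape shown in the thread,
# with a placeholder host and token.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<ocs>
 <meta><status>ok</status><statuscode>200</statuscode><message>OK</message></meta>
 <data>
  <id>33</id>
  <share_type>3</share_type>
  <permissions>31</permissions>
  <token>EXAMPLETOKEN</token>
  <url>https://cloud.example.invalid/index.php/s/EXAMPLETOKEN</url>
 </data>
</ocs>"""


def decode_permissions(value):
    """Return the names of the permission bits set in value."""
    return [name for bit, name in PERMISSION_BITS.items() if value & bit]


def check_share(response_xml, requested):
    """Compare granted permissions with the requested bitmask.

    Returns (ok, granted, extra); extra names bits granted beyond the request.
    """
    root = ET.fromstring(response_xml)
    if root.findtext("meta/status") != "ok":
        raise ValueError("share creation failed: " + str(root.findtext("meta/message")))
    text = root.findtext("data/permissions")
    if text is None:
        raise ValueError("response has no <permissions> element")
    granted = int(text)
    extra = decode_permissions(granted & ~requested)
    return granted == requested, granted, extra


if __name__ == "__main__":
    ok, granted, extra = check_share(SAMPLE_RESPONSE, requested=4)
    if not ok:
        # Hypothetical policy: do not hand out the link; delete or fix the share.
        print(f"refusing to publish link: granted={granted} extra={extra}")
```

The same decoding explains the other values reported in the thread: 17 is read plus share, 19 adds update, and 21 adds create.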