OCS Share API options and defining permissions - bug ?!?

Nextcloud version (eg, 20.0.5): 26.0.1
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.41
PHP version (eg, 7.4): 8.2.5

The issue you are facing: Setting up public sharing permissions via the OCS Share API - I hope this is user error and not a bug!

I have a need to be able to automate the generation of share links to allow the public to upload only to a specific share.

I’ve been able to set this up:

curl -u superadmin:SuperPassword* -X POST 'https://<FQDN>/ocs/v2.php/apps/files_sharing/api/v1/shares?shareType=3&permissions=4&path=/UploadShare&publicUpload=true&label=perm4' -H "OCS-APIRequest: true"

It works, I get the share info back via XML which includes the token and the URL to send to the uploader. :slight_smile:

<?xml version="1.0"?>
  <displayname_owner>Super Admin</displayname_owner>
  <displayname_file_owner>Super Admin</displayname_file_owner>
  <share_with_displayname>(Shared link)</share_with_displayname>

However, I have noticed that despite defining the permissions as 4 (write / upload only), the returned XML seems to suggest the permissions have been set to 31 which is full.

This is confirmed in the web GUI, if I look at the above share:

Why is this set to 31? I tried different values for permissions, but no matter what I feed in the curl command, the permissions are set to 31.

If I leave out the permissions variable entirely, it still sets it to 31.

Not only is this not what I want, but also appears to be incorrect according to the documentation where it states that the default (if nothing is specified?) for a public share should be 1: OCS Share API — Nextcloud latest Developer Manual latest documentation

So have I got something wrong or is this a really big security problem where persmissions are not set as defined in the API request?

Many thanks for any input.

1 Like

I’ve done some more testing, and I get different results if I omit the publicUpload=true variable.

  • Without this, and without defining any permissions, they’re set to 17 (read only).
  • If I then define permission of 2 for example, then they’re set to 19
  • If I then define permissions of 4, it’s then 21.

So it appears to take whatever value we define in permissions and then add 17. I don’t know if this is expected.

Of course, I have now tried defining a value of -13 so 17-13=4, but alas, that doesn’t work and I get an `Invalid permissions message. :frowning:

1 Like

This has been logged as a bug, I hadn’t noticed before on github.

1 Like