Nextcloud version (eg, 20.0.5):
Operating system and version (eg, Ubuntu 20.04):
Apache or nginx version (eg, Apache 2.4.25):
PHP version (eg, 7.4):
The issue you are facing: Setting up public sharing permissions via the OCS Share API - I hope this is user error and not a bug!
I have a need to be able to automate the generation of share links to allow the public to upload only to a specific share.
I’ve been able to set this up:
curl -u superadmin:SuperPassword* -X POST 'https://<FQDN>/ocs/v2.php/apps/files_sharing/api/v1/shares?shareType=3&permissions=4&path=/UploadShare&publicUpload=true&label=perm4' -H "OCS-APIRequest: true"
It works, I get the share info back via XML which includes the token and the URL to send to the uploader.
<?xml version="1.0"?> <ocs> <meta> <status>ok</status> <statuscode>200</statuscode> <message>OK</message> </meta> <data> <id>33</id> <share_type>3</share_type> <uid_owner>superadmin</uid_owner> <displayname_owner>Super Admin</displayname_owner> <permissions>31</permissions> <can_edit>1</can_edit> <can_delete>1</can_delete> <stime>1682584336</stime> <parent/> <expiration/> <token>9rFcHHgDdJKZ464</token> <uid_file_owner>superadmin</uid_file_owner> <note></note> <label>perm4</label> <displayname_file_owner>Super Admin</displayname_file_owner> <path>/UploadShare</path> <item_type>folder</item_type> <mimetype>httpd/unix-directory</mimetype> <has_preview></has_preview> <storage_id>home::superadmin</storage_id> <storage>7</storage> <item_source>11613</item_source> <file_source>11613</file_source> <file_parent>11520</file_parent> <file_target>/UploadShare</file_target> <share_with/> <share_with_displayname>(Shared link)</share_with_displayname> <password/> <send_password_by_talk></send_password_by_talk> <url>https://<FQDN>/index.php/s/9rFcHHgDdJKZ464</url> <mail_send>1</mail_send> <hide_download>0</hide_download> <attributes/> </data> </ocs>
However, I have noticed that despite defining the permissions as
4 (write / upload only), the returned XML seems to suggest the permissions have been set to
31 which is full.
This is confirmed in the web GUI, if I look at the above share:
Why is this set to 31? I tried different values for permissions, but no matter what I feed in the curl command, the permissions are set to 31.
If I leave out the permissions variable entirely, it still sets it to 31.
Not only is this not what I want, but also appears to be incorrect according to the documentation where it states that the default (if nothing is specified?) for a public share should be 1: OCS Share API — Nextcloud latest Developer Manual latest documentation
So have I got something wrong or is this a really big security problem where persmissions are not set as defined in the API request?
Many thanks for any input.