Group Sharing Blacklist for local users and groups when LDAP-Authentication enabled

I have set up an owncloud instance with LDAP-Authentication enabled. For various purposes we also have some local non-ldap system users. I would like to be able to prevent normal LDAP users from sharing with them. First, I disabled a user, but others were still able to share with this user.

After this, I created a local group e.g. “hidden” and added it to the Group Sharing Blacklist. This works for the group, but not for its members. According to “These groups will not be available to share with.” this works as intended. But in my understanding, according to the next phrase “Members of the group are not restricted in initiating shares and can receive shares with other groups they are a member of as usual.”, users who are not members of “hidden” should not be able to share with them.

Should this work like this and I just misunderstood the description? If so, are there any good ideas on how I can prevent these local users from being found in the sharing search and/or from receiving shares?

Steps to reproduce

  1. set up LDAP-Auth
  2. create local user with occ user:add test
  3. create local group with occ group:add hidden
  4. add user test to group hidden with occ group:add-member -m test hidden
  5. add “hidden” to “Group Sharing Blacklist”
  6. with any user share something with test

Expected behaviour

According to “These groups will not be available to share with. Members of the group are not restricted in initiating shares and can receive shares with other groups they are a member of as usual.”, this should at least be prevented, since no one else is a member of the group “hidden”

Actual behaviour

The user “test” can be selected in sharing search and the item be shared.

Server configuration

Operating system: CentOS 7.6

Web server: Apache 2.4.6

Database: PostgreSQL 11

PHP version: 7.2.10

ownCloud version: 10.4

Updated from an older ownCloud or fresh install: Updated from 10.3.1, fresh install was 10.2

Where did you install ownCloud from: https://download.owncloud.org/community/owncloud-10.4.0.tar.bz2

Signing status (ownCloud 9.0 and above):
is ok

The content of config/config.php:
doesn’t matter yet

List of activated apps:
doesn’t matter yet

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

works perfectly fine

No creative person around who has a good idea how to hide specific users from sharee search?

You cannot share with the group, but you can share directly with each member. This was designed to prevent sharing with large groups (classic “everyone” group where all the users belong to, for example).

good ideas? probably not.
You can play around with “Restrict users to only share with users in their groups” setting, but it seems annoying.

Basically, with that setting enabled, you can add all users to an “everyone” group so they can share with anyone. Then, you can move particular users to a “hidden” group, with those users being members of that group only.

@pmaier1 it seems weird to me that this is possible… any use case I’m missing?

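The “everyone”/“hidden” workaround suggested above, and the way the blacklist behaves in the steps to reproduce, as an added model written for this thread. It is not ownCloud's own code: it is a simplified simulation of the sharee search on constructed users, and the occ config keys named in the comments are assumptions that should be checked against the instance's settings page.

```python
# Added example: a simplified model of ownCloud's sharee search, not ownCloud's
# own code. It reproduces the three cases discussed in this thread on constructed
# users: the "Group Sharing Blacklist" hides the group entry but not its members,
# the "Restrict users to only share with users in their groups" setting hides
# users that share no group with the sharer, and (what a later post proposes)
# hiding disabled accounts. The occ keys in the comments are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: str
    groups: frozenset  # names of the groups the user is a member of
    enabled: bool = True


@dataclass(frozen=True)
class ShareConfig:
    # "Restrict users to only share with users in their groups"
    # (assumed key: occ config:app:set core shareapi_only_share_with_group_members --value yes)
    only_share_with_group_members: bool = False
    # "Group Sharing Blacklist" (assumed key: shareapi_exclude_groups_list)
    blacklisted_groups: frozenset = frozenset()
    # not an ownCloud setting: the behaviour the patch later in this thread adds
    hide_disabled_users: bool = False


def sharee_search(sharer, users, groups, config, search=""):
    """Return (user uids, group names) offered to `sharer` for `search`, sorted."""
    user_hits = []
    for u in users:
        if u.uid == sharer.uid or search.lower() not in u.uid.lower():
            continue
        if config.hide_disabled_users and not u.enabled:
            continue
        # a blacklisted group restricts nothing here: its members stay searchable
        if config.only_share_with_group_members and not (u.groups & sharer.groups):
            continue
        user_hits.append(u.uid)
    group_hits = []
    for g in groups:
        if g in config.blacklisted_groups or search.lower() not in g.lower():
            continue
        if config.only_share_with_group_members and g not in sharer.groups:
            continue
        group_hits.append(g)
    return sorted(user_hits), sorted(group_hits)


# Constructed directory: two LDAP users, one local user that is only in "hidden",
# and one disabled local account that was never moved out of "everyone".
ALICE = User("alice", frozenset({"everyone", "ldap-staff"}))
BOB = User("bob", frozenset({"everyone", "ldap-staff"}))
TEST = User("test", frozenset({"hidden"}))
OLD = User("old", frozenset({"everyone"}), enabled=False)
USERS = [ALICE, BOB, TEST, OLD]
GROUPS = ["everyone", "hidden", "ldap-staff"]
BLACKLIST = frozenset({"hidden"})


def blacklist_only():
    """Steps to reproduce from the first post: blacklist alone, alice still finds test."""
    return sharee_search(ALICE, USERS, GROUPS, ShareConfig(blacklisted_groups=BLACKLIST))


def group_restriction():
    """Suggested workaround: everyone/hidden groups plus the group restriction."""
    cfg = ShareConfig(only_share_with_group_members=True, blacklisted_groups=BLACKLIST)
    return sharee_search(ALICE, USERS, GROUPS, cfg)


def hidden_user_view():
    """Side effect of the workaround: a user only in "hidden" is offered nobody."""
    cfg = ShareConfig(only_share_with_group_members=True, blacklisted_groups=BLACKLIST)
    return sharee_search(TEST, USERS, GROUPS, cfg)


def hide_disabled():
    """Workaround plus hiding disabled accounts removes "old" as well."""
    cfg = ShareConfig(only_share_with_group_members=True, blacklisted_groups=BLACKLIST,
                      hide_disabled_users=True)
    return sharee_search(ALICE, USERS, GROUPS, cfg)


if __name__ == "__main__":
    for fn in (blacklist_only, group_restriction, hidden_user_view, hide_disabled):
        print(fn.__name__, fn())
```

The `hidden_user_view` case is the caveat to check before rolling the workaround out: under the group restriction a user whose only group is “hidden” sees no one in the sharee search either, which matches the “annoying” part of the suggestion. The model only covers the search; whether the share API refuses a share to a UID typed in directly has to be verified on a test instance with the occ commands from the steps to reproduce.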

@jvillafanez thanks a lot for these clarifications.

You can play around with “Restrict users to only share with users in their groups” setting, but it seems annoying.

Basically, with that setting enabled, you can add all users to an “everyone” group so they can share with anyone. Then, you can move particular users to a “hidden” group, with those users being members of that group only.

Didn’t think of that. That might be something. I have to try it. Thank you very much!

I did not find a good solution for my issue yet. A disabled user no longer showing up in the sharee search would probably solve the issue. Is this the way it should be? At least in 10.4.0 the user is shown anyway.

It looks like this FR is asking for the same feature.

I put some time into preparing a PR for the feature but it looks like we would need to extend the internal API to allow an app like the files_sharing app to access the state from the accounts table.

It seems OC\User\IUser does not expose the STATE_DISABLED state from OC\User\Account so it can be checked from OCA\Files_Sharing\Controller::getUsers() in the files_sharing app.


I figured out how to patch this in a way that might get accepted by upstream.

--- apps/files_sharing/lib/Controller/ShareesController.php-orig	2020-05-18 19:46:10.391355114 +0200
+++ apps/files_sharing/lib/Controller/ShareesController.php	2020-05-18 23:40:47.683924504 +0200
@@ -179,6 +179,9 @@
 			$usersTmp = $this->userManager->find($search, $this->limit, $this->offset);
 
 			foreach ($usersTmp as $user) {
+				if (!$user->isEnabled()) {
+					continue;
+				}
 				$users[$user->getUID()] = $user;
 			}
 		}
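Review bot: the `isEnabled()` check sits after `$this->userManager->find($search, $this->limit, $this->offset)` has already applied the page size, so a page that contains disabled accounts comes back with fewer than `$this->limit` entries while further matches exist, and a client that stops paging on a short page will miss them; either over-fetch and trim to `$this->limit` after the filter, or push the enabled check into the lookup so the limit and offset count only enabled users. The filter also only affects this search result, as the discussion below notes: a client that calls the share API with the UID directly is still able to share with a disabled user, so the same change should either add a matching check where the share is created or state in its description that hiding from search is the whole intent.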

I’ll look into upstreaming it after some more testing.

Quoting @PVince81 from Github:

Most likely I would introduce a setting that enables or disables this feature. As far as I understand the codebase the change would not forbid sharing with a deactivated sharee, it would just hide them from the search. Does that sound feasible? Does introducing a setting for such a trivial feature make sense?

I guess @pmaier1 was tagged on quite a few issues related to this and some guidance working towards an upstreamable patch would be very much appreciated.
