Skip to content

fix(trashbin): deletedBy of a file from a federated folder #56668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ArtificialOwl merged 1 commit into from
Dec 4, 2025
Merged

fix(trashbin): deletedBy of a file from a federated folder #56668

ArtificialOwl merged 1 commit into from
Dec 4, 2025

Conversation

@ArtificialOwl
Copy link
Member

@ArtificialOwl ArtificialOwl commented Nov 25, 2025
edited
Loading

If coming from a federated folder, the share token is used to auth the webdav delete request.
Before creating new entry in the trashbin table, checking if file was deleted remotely using IRequest.
In case the token is a valid share token, using sharedWith to set deletedBy.
However deletedBy is now a remote entity but front-end will still displays 'Unknown', which is still better than 'You'

image

@ArtificialOwl ArtificialOwl force-pushed the fix/noid/real-account-on-deleted-federation branch 2 times, most recently from 225735b to 690c878 Compare November 25, 2025 17:11
@ArtificialOwl ArtificialOwl marked this pull request as ready for review November 26, 2025 09:18
@ArtificialOwl ArtificialOwl requested a review from a team as a code owner November 26, 2025 09:18
@ArtificialOwl ArtificialOwl requested review from Altahrim, salmart-dev and yemkareems and removed request for a team November 26, 2025 09:18
@ArtificialOwl ArtificialOwl force-pushed the fix/noid/real-account-on-deleted-federation branch from 690c878 to ce32c06 Compare November 26, 2025 09:19
@ArtificialOwl ArtificialOwl force-pushed the fix/noid/real-account-on-deleted-federation branch from ce32c06 to ea8b133 Compare December 1, 2025 17:25
provokateurin
provokateurin reviewed Dec 2, 2025
View reviewed changes
apps/files_trashbin/lib/Trashbin.php
try {
$request = Server::get(IRequest::class);
/** @psalm-suppress NoInterfaceProperties */
$token = $request->server['PHP_AUTH_USER'] ?? '';
Copy link
Member

@provokateurin provokateurin Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this somehow allow forging the value, so it looks like someone else deleted the file?

Copy link
Member Author

@ArtificialOwl ArtificialOwl Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the webdav request is authed, it might be by using the share token.
I only check if this is the case so I can assign a name to the deleter.

Yes, if you know the share token, you can delete the file (if the share has permission), but this is the expected behavior

@ArtificialOwl
Copy link
Member Author

ArtificialOwl commented Dec 4, 2025

/backport to stable32

@ArtificialOwl
Copy link
Member Author

ArtificialOwl commented Dec 4, 2025

/backport to stable31

This was referenced Dec 4, 2025
Merged
Merged
@ArtificialOwl ArtificialOwl merged commit b18372e into master Dec 4, 2025
231 of 247 checks passed
@ArtificialOwl ArtificialOwl deleted the fix/noid/real-account-on-deleted-federation branch December 4, 2025 14:46
This was referenced Dec 4, 2025
Merged
Merged
@AndyScherzinger AndyScherzinger added this to the Nextcloud 33 milestone Dec 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@provokateurin provokateurin provokateurin left review comments

@AndyScherzinger AndyScherzinger AndyScherzinger approved these changes

@nfebe nfebe nfebe approved these changes

@sorbaugh sorbaugh Awaiting requested review from sorbaugh

@Altahrim Altahrim Awaiting requested review from Altahrim Altahrim is a code owner automatically assigned from nextcloud/server-backend

@salmart-dev salmart-dev Awaiting requested review from salmart-dev salmart-dev is a code owner automatically assigned from nextcloud/server-backend

@yemkareems yemkareems Awaiting requested review from yemkareems yemkareems is a code owner automatically assigned from nextcloud/server-backend

Assignees

No one assigned

Labels

3. to review Waiting for reviews enhancement feature: federation feature: trashbin

Projects

None yet

Milestone

Nextcloud 33

Development

Successfully merging this pull request may close these issues.

5 participants

@ArtificialOwl @AndyScherzinger @nfebe @provokateurin