General discussion

Openproject User can obtain wrong / higher Nextcloud permissions

Added by Julia Braun over 2 years ago

Hello, not sure if this is a bug or a feature.

What happens? User "Member" (M) can cheat his OpenProject/Nextcloud permissions and get the Nextcloud file permissions of user "Admin" (A). Normally, user M should have access to linked files according to his Nextcloud permissions. However,

  • User M is logged in to his OpenProject account and has never connected it with Nextcloud.
  • In the same browser, user A is logged in to his Nextcloud account.
  • Then user M connects to Nextcloud for the very first time from within his OpenProject account. User M gets forwarded to the Nextcloud "authorise access" page:
  1. Request for login -> click (1_accountaccess)
  2. Next page: no login mask, but "You are currently logged in as A. You are about to grant M permissions to your nextcloud account." (2_accountconnect)
  • If one clicks without reading carefully, M now has the Nextcloud file permissions of user A in OpenProject. It means M can see all file links with the Nextcloud permissions of user A and can also download them.

It might be a good idea to re-request login to Nextcloud before granting access?

In any case, is there a way to undo the granted permission/account connection? I am in the exact situation where a project member now basically has Nextcloud admin file link access.

Thanks for any feedback.

Julia

Replies (4)

RE: Openproject User can obtain wrong / higher Nextcloud permissions - Added by Adam Szabo over 2 years ago

Hi Julia,

Which use case are you talking about, where ONE browser is used at the same time by two different users? :)

I think we could take a look at this case and maybe add a security concern to a bug report.

Wieland, what would you say?

RE: Openproject User can obtain wrong / higher Nextcloud permissions - Added by Wieland Lindenthal over 2 years ago

Hi Julia Braun,

The OAuth authorization flow that you have described is correct. You had to confirm that you want to grant OpenProject access as Nextcloud user A. As you are already logged in, you just need to click "Grant". That is normal OAuth style and not very specific to the integration of OpenProject and Nextcloud.

Yes, if you don't read it carefully, it is easy to grant a user access that you didn't intend.

My personal opinion on forcing users to re-login: I believe it would be uncomfortable and not necessary in most cases. I believe setting up OAuth should focus on making it easy for normal users, and they usually have only one account. Admins might have multiple accounts, but then they need to handle them carefully. Also, but that is a completely different topic, some instances have a single sign-on (SSO) setup, and in that case the login would not really be handled in Nextcloud after all.

To revoke the access as Nextcloud user A for OpenProject, you can simply go in your Nextcloud instance to /settings/user/security and, under Devices & sessions, remove the OpenProject client.

I hope that helps!

Wieland
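
The authorization-code flow Wieland describes, with the two client-side checks that would have caught Julia's case, as an added example in Ruby (OpenProject's language). This is not OpenProject's or Nextcloud's own code. The host names, client id, redirect URI and the OCS response are assumed or constructed; the Nextcloud endpoint paths (/index.php/apps/oauth2/authorize, /index.php/apps/oauth2/api/v1/token, /ocs/v2.php/cloud/user) are the ones documented for Nextcloud's OAuth2 app and OCS user API, and the HTTP calls themselves are left out so the example runs offline.

```ruby
require 'json'
require 'securerandom'
require 'uri'

# Assumed deployment values (not real hosts or credentials).
NEXTCLOUD_BASE = 'https://nextcloud.example.com'
CLIENT_ID      = 'openproject-example-client'
REDIRECT_URI   = 'https://openproject.example.com/oauth_clients/nextcloud/callback'

# Constructed OCS response, shaped like GET /ocs/v2.php/cloud/user?format=json
# (sent with header "OCS-APIRequest: true" and the bearer token). In the thread's
# scenario the browser session belongs to A, so this is what M's token returns.
SAMPLE_OCS_USER_A = <<~JSON
  {"ocs":{"meta":{"status":"ok","statuscode":200,"message":"OK"},
          "data":{"id":"admin","display-name":"A","email":"a@example.com"}}}
JSON

# Step 1: build the authorize URL. Plain OAuth2 gives the client no way to demand
# a fresh login, so whoever is logged in to Nextcloud in this browser is the grantor.
# `state` is a per-request random value kept in M's OpenProject session.
def build_authorize_url(state)
  params = { response_type: 'code', client_id: CLIENT_ID,
             redirect_uri: REDIRECT_URI, state: state }
  "#{NEXTCLOUD_BASE}/index.php/apps/oauth2/authorize?#{URI.encode_www_form(params)}"
end

def new_state
  SecureRandom.urlsafe_base64(32)
end

# Step 2: the callback must carry the state we issued; reject it otherwise.
# Constant-time comparison so the check does not leak through timing.
def state_valid?(expected, received)
  return false if expected.nil? || received.nil? || expected.bytesize != received.bytesize
  expected.bytes.zip(received.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Step 3: after exchanging the code for a token (POST /index.php/apps/oauth2/api/v1/token),
# ask Nextcloud whose token it is. The user id is at ocs.data.id.
def token_owner(ocs_user_json)
  JSON.parse(ocs_user_json).dig('ocs', 'data', 'id')
rescue JSON::ParserError
  nil
end

# Step 4: decide whether the token may be bound to this OpenProject user.
# `expected_login` is the Nextcloud login M typed before starting the flow
# (nil if the UI did not ask for one).
def bind_decision(expected_login, ocs_user_json)
  owner = token_owner(ocs_user_json)
  return [:reject, 'Nextcloud did not report a token owner'] if owner.nil? || owner.empty?

  if expected_login.nil?
    [:confirm, "token belongs to Nextcloud user '#{owner}'; show it and ask M to confirm"]
  elsif owner == expected_login
    [:store, owner]
  else
    [:reject, "browser session belonged to '#{owner}', not '#{expected_login}'; " \
              'discard the token and tell that user to remove the OpenProject client ' \
              'under Settings > Security > Devices & sessions']
  end
end

if __FILE__ == $PROGRAM_NAME
  state = new_state
  puts build_authorize_url(state)
  p state_valid?(state, state)
  p bind_decision('member', SAMPLE_OCS_USER_A)  # the thread's case: rejected
  p bind_decision('admin', SAMPLE_OCS_USER_A)   # A connecting A's own account: stored
  p bind_decision(nil, SAMPLE_OCS_USER_A)       # no login hint: ask for confirmation
end
```

The point is step 4: the token is only bound to M after Nextcloud itself has said whose token it is. Plain OAuth2 has no standard way for the client to force the authorization server to re-authenticate the browser (OpenID Connect adds prompt=login and max_age for that), so checking the returned identity, or at least displaying it and asking for confirmation, is the lever available on the OpenProject side. An SSO-backed Nextcloud, which Wieland mentions, does not change this, because the check runs after the grant rather than at login.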

RE: Openproject User can obtain wrong / higher Nextcloud permissions - Added by Julia Braun over 2 years ago

Hi @Adam Szabo and @Wieland, thanks for your replies and the detailed explanations. It's true that this is a very rare case.
I have followed Wieland's suggestion and could revoke the connection. Thank you!

RE: Openproject User can obtain wrong / higher Nextcloud permissions - Added by Julia Braun over 2 years ago

Harry Perkins wrote:

Hi

Did you find a fix for this issue? I am facing the same issue, but there has been no response from anyone, and I couldn't find troubleshooting for this topic on Google.

Hi @Harry Perkins:
I followed the suggestion of @Wieland and it worked out.

"To revoke the access as Nextcloud user A for OpenProject you can simply go in your Nextcloud instance to /settings/user/security and under Devices & sessions remove OpenProject client."
