Content
You are here:
Openproject User can obtain wrong / higher Nextcloud permissions
Added by Julia Braun almost 2 years ago
Hello, not sure if this is a bug or a feature.
What happens ? User "Member" (M) can cheat on his openproject/nextcloud permissions and get nextcloud file permissions of user "Admin" (A). Normally, user M should have access to linked files according to his nextcloud permissions. However,
- User M is logged in in his Openproject account and has never connected with nextcloud.
- In the same browser, user A is logged in into his nextcloud account.
- then user M connects the very first time to nextcloud from within his openproject account. User M gets forwarded to the nextcloud "authorise access" page
- Request for login -> click (1_accountaccess)
- Next page, no login mask but, "You are currently logged in as A. You are about to grant M permissions to your nextcloud account." (2_accountconnect)
- If one clicks without reading carefully, now M in openproject has the nextcloud file permissions of user A. It means M can see all file links with the nextcloud permissions of User A and also download them.
It might be a good idea to re-request login into nextcloud before granting access.?
In any case, is there a way to undo the grant permission/account connection ? As I am in the exact situation that now a project member has basically nextcloud admin file link access.
Thanks for any feedback.
Julia
Replies (4)
Hi Julia,
which use-case are you talking about where ONE browser is used at the same time by two different users :)
i think we could take a look at this case and maybe add a security concern more to a bug report,
Wieland, what would you say?
Hi Julia Braun,
The OAuth authorization flow that you have described is correct. You had to confirm that you want to grant OpenProject access as Nextcloud user A. As you are already logged in you just need to click "Grant". That is normal OAuth style and not very specific for the integration of OpenProject and Nextcloud.
Yes, if you don't read it carefully it is easy that you grant a user access that you didn't intend.
My personal opinion on forcing users to re-login: I believe it would be uncomfortable and not necessary in most cases. I believe setting up OAuth should focus on making it easy for normal users and they usually have only one account. Admins might have multiples but then they need to handle them carefully. Also, but that is a completely different topic, some instances have single-sign-on (SSO) setup and in that case the login would not really be handled in Nextcloud after all.
To revoke the access as Nextcloud user A for OpenProject you can simply go in your Nextcloud instance to
/settings/user/security
and under Devices & sessions remove OpenProject client.I hope that helps!
Wieland
Hi @Adam Szabo and @Wieland, thanks for you replies and the detailed explanations. It's true that this is a very rare case.
I have followed Wielands suggestions and could revoke the connection. Thank you !
Harry Perkins wrote:
Hi @Harry Perkins:
I followed the suggestion of @Wieland and it worked out.
"To revoke the access as Nextcloud user A for OpenProject you can simply go in your Nextcloud instance to
/settings/user/security
and under Devices & sessions remove OpenProject client."