copy to overwrite (file and folder) from Personal to Shares Jail behaves differently

[SagarGi]

Description

When we copy a file over the top of an existing folder from Personal to Shares Jail we get 500 status code. Also when we copy folder over the top of an existing file (given user has an editor role to the shared resources) then the status code is 403.

Steps to reproduce

1. user einstein creates a file t1.txt and a folder FOLDER
2. user moss creates a folder MOSSS-Folder
3. user moss creates a folder MOSSS-Folder/sample-folder
4. user moss shares the folder MOSSS-Folder to einstein
5. user einstein copy t1.txt over the folder MOSSS-Folder

curl command to copy:

curl -ks -ueinstein:relativity -X COPY -H "DESTINATION:https://host.docker.internal:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668\$a0ca6a90-a365-4782-871e-d44447bbc668/MOSSS-Folder/" https://host.docker.internal:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157\$4c510ada-c86b-4815-8820-42cdf82c3d51/t1.txt -v | xmllint --format -

Response:

* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=Acme Corp; CN=OCIS
*  start date: Aug 15 08:06:05 2022 GMT
*  expire date: Aug 15 08:06:05 2023 GMT
*  issuer: O=Acme Corp; CN=OCIS
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'einstein'
} [5 bytes data]
> COPY /dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51/t1.txt HTTP/1.1
> Host: host.docker.internal:9200
> Authorization: Basic ZWluc3RlaW46cmVsYXRpdml0eQ==
> User-Agent: curl/7.68.0
> Accept: */*
> DESTINATION:https://host.docker.internal:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668/MOSSS-Folder/
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [130 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Access-Control-Allow-Origin: *
< Content-Length: 0
< Content-Security-Policy: default-src 'none';
< Date: Mon, 15 Aug 2022 08:40:19 GMT
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block

Also copying a folder into a file

curl command

curl -ks -ueinstein:relativity -X COPY -H "DESTINATION:https://host.docker.internal:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668\$a0ca6a90-a365-4782-871e-d44447bbc668/moss.txt/" https://host.docker.internal:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157\$4c510ada-c86b-4815-8820-42cdf82c3d51/FOLDER/ -v | xmllint --format -```

#### Response 

```console
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=Acme Corp; CN=OCIS
*  start date: Aug 15 08:06:05 2022 GMT
*  expire date: Aug 15 08:06:05 2023 GMT
*  issuer: O=Acme Corp; CN=OCIS
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'einstein'
} [5 bytes data]
> COPY /dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51/FOLDER/ HTTP/1.1
> Host: host.docker.internal:9200
> Authorization: Basic ZWluc3RlaW46cmVsYXRpdml0eQ==
> User-Agent: curl/7.68.0
> Accept: */*
> DESTINATION:https://host.docker.internal:9200/dav/spaces/a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668/moss.txt/
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [130 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Access-Control-Allow-Origin: *
< Content-Length: 0
< Content-Security-Policy: default-src 'none';
< Date: Mon, 15 Aug 2022 09:08:27 GMT
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< 
* Connection #0 to host host.docker.internal left intact
-:1: parser error : Document is empty

Note: Needs some information regarding it what is expected and what is actual as OC10 gives a status of 204. or its forbidden in ocis for spaces?

[phil-davis]

Also see core PR owncloud/core#40308 - that demonstrates what happens currently in oC10 core. Maybe we want to forbid some of these "strange" COPY overwrite share requests? And define the expected/required behavior, and make both oC10 and oCIS match that.

[SagarGi]

@phil-davis shall we wait for this owncloud/core#40308 (comment) ? On OCIS for new and old webdav we have this issue #3874. it gives 404 while overwritting and for spaces its giving 500 and 403 when copying. I am confused what exactly the expected behavior is for spaces webdav

[phil-davis]

I pinged again in owncloud/core#40308 - it will be useful to get confirmation about the expected/required behavior. Then we can write "correct" tests for the core-personal-spaces cases. And then we can make similar-style test cases for move and copy in and out of project spaces.

[ScharfViktor]

Scenario: copy a file over the top of an existing folder received as a user share
    Given using spaces DAV path
    And user "Alice" has uploaded file with content "ownCloud test text file 1" to "/textfile1.txt"
    And user "Brian" has created folder "/BRIAN-Folder"
    And user "Brian" has created folder "BRIAN-Folder/sample-folder"
    And user "Brian" has shared folder "BRIAN-Folder" with user "Alice"
    And user "Alice" has accepted share "/BRIAN-Folder" offered by user "Brian"
    When user "Alice" copies file "/textfile1.txt" from space "Personal" to "/BRIAN-Folder" inside space "Shares" using the WebDAV API
    Then the HTTP status code should be "204"
    And for user "Alice" the content of the file "/BRIAN-Folder" of the space "Shares" should be "ownCloud test text file 1"
    And as "Alice" file "/textfile1.txt" should exist
    And user "Alice" should not have any received shares

I'm a little confused. Is this a real case?
Copy the file as a folder (as Destination is /BRIAN-Folder instead of /BRIAN-Folder/textfile1.txt) - it's like ordering a null beer.

I don't know that will it ever be fixed. Maybe should we should change this tests or delete?

[phil-davis]

I am looking at some test scenarios like this (using personal spaces, not project spaces) in PR #6323 - the expected behavior was defined in core recently (I will have to search for the links to that)

Copying a source file "over the top of" another existing file is an "easy" scenario - the file content of the target is updated. There is a question about what to do with version history - do we copy the version history from the source file, or is the new content of the target file just a new version of the target file.

Copying a folder "over the top of" another folder (not inside) - that could be implemented by doing some merge of the contents of the two folders. But the easy thing is to not allow that, and give some status like 409.

Copying a file "over the top of" a folder (not inside) is a strange thing to do - so we should return a status like 409 and do nothing.

Copying a folder "over the top of" a file is a strange thing to do - so we should return a status like 409 and do nothing.

The server should never return HTTP status 500 - there should be no way for a user to be playing around sending curl commands to the server and get a 500 response.

[micbar]

Copying a source file "over the top of" another existing file is an "easy" scenario - the file content of the target is updated. There is a question about what to do with version history - do we copy the version history from the source file, or is the new content of the target file just a new version of the target file.

Semantically this is very clear: COPY means only content, no versions, no shares. In that case, it adds content and creates a new version, but should not copy older versions of the source file.

[micbar]

MOVE has different semantics:

The source file with all its versions and shares will be moved to the new location and an existing file will be completely replaced. That should always result in the overwritten target file being moved to the trashbin, with all its versions and shares.

[ScharfViktor]

The server should never return HTTP status 500 - there should be no way for a user to be playing around sending curl commands to the server and get a 500 response.

Yes, I agree.

Copying a folder "over the top of" another folder (not inside) - that could be implemented by doing some merge of the contents of the two folders. But the easy thing is to not allow that, and give some status like 409.

Copying a file "over the top of" a folder (not inside) is a strange thing to do - so we should return a status like 409 and do nothing.

Copying a folder "over the top of" a file is a strange thing to do - so we should return a status like 409 and do nothing.

409 is fine. I asked because tests expect 204. and I could not believe that this behavior was correct

[micbar]

@butonic Had mentioned a case where copying a folder over a file is valid.

[ScharfViktor]

@butonic Had mentioned a case where copying a folder over a file is valid.

it means that the expectations of the tests are correct. leaving tests in expected failures file

[amrita-shrestha]

I think the actual endpoint is different to copy share inside the SHARE space i.e

curl -XCOPY -ubrian:sss -vk https://localhost:9200/remote.php/dav/spaces/{personal-spaceid}/index.php -H 'Destination:  https://localhost:9200/remote.php/dav/spaces/{share-mountpoint-id}'

above endpoint return 412 Pre condition failed status code.
If 412 status code is correct then this issue can be close

related issue : #6999

cc: @ScharfViktor @micbar

[amrita-shrestha]

Closed on the behalf that api endpoint is revised and the new API endpoint is
curl -XCOPY -ubrian:sss -vk https://localhost:9200/remote.php/dav/spaces/{personal-spaceid}/index.txt -H 'Destination: https://localhost:9200/remote.php/dav/spaces/{share-mountpoint-id}/game/index.txt
#4393 (comment)

QA-TEAM To-do

• Remove this issue from expected-failure file and use correct API endpoint [tests-only][full-ci]Update expected to failure based on correct issue #7211

### [copy to overwrite (file and folder) from Personal to Shares Jail behaves differently](https://github.com/owncloud/ocis/issues/4393)

- [apiSpacesShares/copySpaces.feature:529](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L529)
- [apiSpacesShares/copySpaces.feature:543](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L543)

Related issue

• COPY a folder to received share file/folder seems to work but no change in shares - lost share mountpoint in me/drives #6999

[SagarGi]

Closed on the behalf that api endpoint is revised and the new API endpoint is curl -XCOPY -ubrian:sss -vk https://localhost:9200/remote.php/dav/spaces/{personal-spaceid}/index.txt -H 'Destination: https://localhost:9200/remote.php/dav/spaces/{share-mountpoint-id}/game/index.txt #4393 (comment)

QA-TEAM To-do

• Remove this issue from expected-failure file and use correct API endpoint

### [copy to overwrite (file and folder) from Personal to Shares Jail behaves differently](https://github.com/owncloud/ocis/issues/4393)

- [apiSpacesShares/copySpaces.feature:529](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L529)
- [apiSpacesShares/copySpaces.feature:543](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L543)

Related issue

• copy personal space file to shared folder root result share in decline state #6999

The shares folders of a user can also be accessed by the users virtual-share-id. So We do not need to explicitly use the mount point id. I will create another issue to show to actual behaviour and link all this to it. And also this whole issue is not related to this issue: #6999