file access control can be removed if user has access to parent folder #66

@alterratz

### Steps to reproduce

  1. Folder p (owned and shared by admin) has rw access for group g1 and user u1
  2. Folder p contains folder q
  3. Folder q is tagged "g1only"
  4. A FAC rule g1access with (TAG==g1only) AND (user is not member of g1) is set up
  5. User u1 cannot chdir to p/q (which is expected)

### Expected behaviour

User u1 should not be able to modify the tags for folder q, even if he has rw permissions on p (if he does not own it).

### Actual behaviour

User u1 can open the info panel for q and remove the tag "g1only". After this he has full access to q.

### Important Notes

I strongly believe this is related to 41b185baedd8f992b4ee55d15469b1732f28669e
(Allow dir-listing also when one child is blocked by access control #5124).
(I have applied this commit locally.)

### Server configuration

**Operating system:** Linux squamata 4.8.0-2-amd64 #1 SMP Debian 4.8.11-1 (2016-12-02) x86_64

**Web server:** Apache/2.4.25 (Debian) (apache2handler)

**Database:** pgsql PostgreSQL 9.6.3 on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-17) 6.3.0 20170510, 64-bit

**PHP version:** 7.0.19-1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, imagick, intl, json, ldap, exif, mcrypt, mysqli, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, readline, shmop, SimpleXML, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

**Nextcloud version:** 12.0.0 - 12.0.0.29 + 41b185baedd8f992b4ee55d15469b1732f28669e

**Updated from an older Nextcloud/ownCloud or fresh install:**

**Where did you install Nextcloud from:**

**Signing status:**
<details>
	<summary>Signing status</summary>

```
{
    "qownnotesapi": {
        "EXCEPTION": {
            "class": "OC\\IntegrityCheck\\Exceptions\\InvalidSignatureException",
            "message": "Certificate is not valid."
        }
    }
}
```

</details>

**List of activated apps:**
<details>
	<summary>App list</summary>

```
Enabled:
 - activity: 2.5.2
 - bookmarks: 0.10.0
 - bruteforcesettings: 1.0.2
 - calendar: 1.5.3
 - checksum: 0.3.4
 - comments: 1.2.0
 - contacts: 1.5.3
 - dav: 1.3.0
 - deck: 0.1.4
 - drawio: 0.8.8
 - external: 2.0.3
 - federatedfilesharing: 1.2.0
 - federation: 1.2.0
 - files: 1.7.2
 - files_accesscontrol: 1.2.4
 - files_automatedtagging: 1.2.2
 - files_downloadactivity: 1.1.1
 - files_external: 1.3.0
 - files_markdown: 1.0.1
 - files_pdfviewer: 1.1.1
 - files_sharing: 1.4.0
 - files_texteditor: 2.4.1
 - files_trashbin: 1.2.0
 - files_versions: 1.5.0
 - files_videoplayer: 1.1.0
 - firstrunwizard: 2.1
 - gallery: 17.0.0
 - gpxedit: 0.0.6
 - gpxpod: 2.1.2
 - groupfolders: 1.0.2
 - issuetemplate: 0.2.1
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - nextant: 1.0.8
 - nextcloud_announcements: 1.1
 - notes: 2.2.0
 - notifications: 2.0.0
 - oauth2: 1.0.5
 - password_policy: 1.2.2
 - provisioning_api: 1.2.0
 - qownnotesapi: 17.5.0
 - rainloop: 4.28.1
 - richdocuments: 1.12.28
 - serverinfo: 1.2.0
 - sharebymail: 1.2.0
 - spreed: 2.0.1
 - survey_client: 1.0.0
 - systemtags: 1.2.0
 - tasks: 0.9.5
 - theming: 1.3.0
 - twofactor_backupcodes: 1.1.1
 - updatenotification: 1.2.0
 - workflowengine: 1.2.0
Disabled:
 - admin_audit
 - apporder
 - audioplayer
 - encryption
 - keeweb
 - mail
 - user_external
 - user_ldap
 - weather
```

</details>

**The content of config/config.php:**
<details>
	<summary>Config report</summary>

```
{
    "instanceid": "ocoygzxy7l84",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [
        "cloud.eguana.rocks"
    ],
    "datadirectory": "/var/nextcloud/data",
    "overwrite.cli.url": "https://cloud.eguana.rocks",
    "dbtype": "pgsql",
    "version": "12.0.0.29",
    "dbname": "nextcloud",
    "dbhost": "localhost",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "logtimezone": "UTC",
    "installed": true,
    "maintenance": false,
    "loglevel": 2,
    "mail_from_address": "admin",
    "mail_smtpmode": "php",
    "mail_smtpauthtype": "LOGIN",
    "mail_domain": "eguana.rocks"
}
```

</details>

**Are you using external storage, if yes which one:**

```
Array
(
    [0] => \OC\Files\Storage\Local
    [1] => \OCA\Files_External\Lib\Storage\FTP
    [2] => \OC\Files\Storage\DAV
    [3] => \OCA\Files_External\Lib\Storage\OwnCloud
    [4] => \OCA\Files_External\Lib\Storage\SFTP
    [5] => \OCA\Files_External\Lib\Storage\AmazonS3
    [6] => \OCA\Files_External\Lib\Storage\Dropbox
    [7] => \OCA\Files_External\Lib\Storage\Google
    [8] => \OCA\Files_External\Lib\Storage\Swift
    [9] => \OCA\Files_External\Lib\Storage\SFTP
    [10] => \OCA\Files_External\Lib\Storage\SMB
    [11] => \OCA\Files_External\Lib\Storage\SMB
)
```

**Are you using encryption:** no

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...

### Client configuration
**Browser:** Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
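As an added illustration (not code from the report or from Nextcloud), the model below replays the five reproduction steps and contrasts the tag-edit check the report describes with a guarded one in which the access rule also governs changes to the tag it keys on. Folder, group and tag names come from the report; the rule engine, the restricted-tag list and the admin set are assumptions of this example.

```python
"""Added example: a tag-keyed access rule is only as strong as the guard on the tag.

Names p, q, g1, u1, g1only and admin come from the report; the rule engine,
RESTRICTED_TAGS and ADMINS are a hypothetical simplification, not Nextcloud code."""
from dataclasses import dataclass, field


@dataclass
class Folder:
    name: str
    owner: str
    tags: set = field(default_factory=set)
    rw: set = field(default_factory=set)   # users or groups with read-write


GROUPS = {"g1": {"alice"}}          # constructed: u1 is deliberately not in g1
RESTRICTED_TAGS = {"g1only"}        # constructed: tags only an admin may (un)assign
ADMINS = {"admin"}


def in_group(user, group):
    return user in GROUPS.get(group, set())


def has_rw(user, folder):
    return user in folder.rw or any(in_group(user, g) for g in folder.rw)


def rule_denies(user, folder):
    """The FAC rule from the report: TAG==g1only AND user not a member of g1."""
    return "g1only" in folder.tags and not in_group(user, "g1")


def can_untag_reported(user, parent, folder, tag):
    """Behaviour the report describes: ownership or rw on the parent is enough
    to edit a child's tags, and the access rule is never consulted."""
    return user == folder.owner or has_rw(user, parent)


def can_untag_guarded(user, parent, folder, tag):
    """Guarded variant: a restricted tag needs an admin, and a user the rule
    currently denies may never alter the tag that rule keys on."""
    if tag in RESTRICTED_TAGS and user not in ADMINS:
        return False
    if rule_denies(user, folder):
        return False
    return can_untag_reported(user, parent, folder, tag)


def scenario(untag_check):
    """Replay steps 1-5, then let u1 try to strip the tag from q.
    Returns (u1 may access q before, u1 may access q after)."""
    p = Folder("p", "admin", rw={"g1", "u1"})
    q = Folder("q", "admin", tags={"g1only"})
    before = not rule_denies("u1", q)
    if untag_check("u1", p, q, "g1only"):
        q.tags.discard("g1only")
    return before, not rule_denies("u1", q)
```

`scenario(can_untag_reported)` reproduces the report (denied, then allowed after the tag is gone), while `scenario(can_untag_guarded)` keeps q denied because u1 is never allowed to touch the tag.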
