Server: Wrong user for App Token if created through impersonation

Created on 15 May 2019 · 5 Comments · Source: nextcloud/server

Steps to reproduce

  1. Login as Admin and impersonate a User
  2. Go to his Security settings and add an App Token
  3. The newly created App-Token is created for the original user ("root" in my case)

Expected behaviour

The impersonated User should be the owner/target of the newly created App-Token

Actual behaviour

The original user is the owner of the new Token

Server configuration

Operating system:
Ubuntu 18.04
Web server:
Apache 2.4.29
Database:
MySQL 5.7.26
PHP version:
PHP 7.2.17-0ubuntu0.18.04.1
Nextcloud version: (see Nextcloud admin page)
16.0.0
Updated from an older Nextcloud/ownCloud or fresh install:
Upgrade from 15
Where did you install Nextcloud from:

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.2.0
  - activity: 2.9.1
  - admin_audit: 1.6.0
  - bookmarks: 1.0.3
  - calendar: 1.7.0
  - cloud_federation_api: 0.2.0
  - comments: 1.6.0
  - contacts: 3.1.1
  - dav: 1.9.2
  - encryption: 2.4.0
  - federatedfilesharing: 1.6.0
  - federation: 1.6.0
  - files: 1.11.0
  - files_accesscontrol: 1.6.0
  - files_downloadactivity: 1.5.0
  - files_external: 1.7.0
  - files_fulltextsearch: 1.3.0
  - files_pdfviewer: 1.5.0
  - files_retention: 1.5.1
  - files_rightclick: 0.13.0
  - files_sharing: 1.8.0
  - files_texteditor: 2.8.0
  - files_trashbin: 1.6.0
  - files_versions: 1.9.0
  - files_videoplayer: 1.5.0
  - firstrunwizard: 2.5.0
  - gallery: 18.3.0
  - groupfolders: 4.0.0
  - impersonate: 1.3.0
  - logreader: 2.1.0
  - lookup_server_connector: 1.4.0
  - nextcloud_announcements: 1.5.0
  - notifications: 2.4.1
  - oauth2: 1.4.2
  - password_policy: 1.6.0
  - privacy: 1.0.0
  - provisioning_api: 1.6.0
  - quota_warning: 1.5.0
  - recommendations: 0.4.0
  - serverinfo: 1.6.0
  - sharebymail: 1.6.0
  - support: 1.0.0
  - survey_client: 1.4.0
  - systemtags: 1.6.0
  - theming: 1.7.0
  - theming_customcss: 1.3.0
  - twofactor_backupcodes: 1.5.0
  - twofactor_totp: 2.1.2
  - updatenotification: 1.6.0
  - user_ldap: 1.6.0
  - viewer: 1.0.0
  - workflowengine: 1.6.0
Disabled:
  - end_to_end_encryption
  - fulltextsearch
  - fulltextsearch_elasticsearch
  - tasks
  - twofactor_rcdevsopenotp
  - w2g2

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.url.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/cloud.url.com",
        "htaccess.RewriteBase": "\/",
        "dbtype": "mysql",
        "version": "16.0.0.9",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "session_lifetime": 1800,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "updater.release.channel": "stable"
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
no

Client configuration

Browser:
Chrome 74
Operating system:
Windows

Labels: 4. to release, bug, security

All 5 comments

cc @nextcloud/security

We can not create app tokens for other users, because the app token requires the password of the user that owns the token later.

But maybe we should simply disable app token creation for impersonated people
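The comment above explains why the token cannot simply be re-targeted: an app token wraps the password of the user it belongs to, and the only password available in an impersonated session is the admin's. The following Python model is an added illustration, not Nextcloud code; the `Session`, `AppToken`, `create_app_token_buggy` and `create_app_token_fixed` names and the PBKDF2/XOR wrapping are assumptions that stand in for the server's real implementation. It reproduces the reported behaviour (the token ends up owned by "root") beside the proposed fix (refuse token creation while impersonating).

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    login_uid: str                           # user whose password was entered at login
    login_password: str                      # kept server-side so an app token can wrap it
    impersonated_uid: Optional[str] = None   # set while an admin impersonates someone


@dataclass
class AppToken:
    uid: str                 # owner the token authenticates as
    token_hash: str          # only the hash of the token is stored at rest
    wrapped_password: bytes  # owner's password, encrypted under the plaintext token


class ImpersonationError(Exception):
    """Raised when an app token is requested from an impersonated session."""


def _keystream(token: str, n: int) -> bytes:
    # Stand-in cipher (assumption): a PBKDF2 keystream XOR'd with the password.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), b"app-token", 10_000, n)


def _xor(data: bytes, token: str) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(token, len(data))))


def unwrap_password(app_token: AppToken, token: str) -> str:
    # Only the holder of the plaintext token can recover the wrapped password.
    return _xor(app_token.wrapped_password, token).decode()


def _issue(uid: str, password: str) -> Tuple[AppToken, str]:
    token = secrets.token_hex(16)
    stored = AppToken(uid, hashlib.sha256(token.encode()).hexdigest(), _xor(password.encode(), token))
    return stored, token


def create_app_token_buggy(session: Session) -> Tuple[AppToken, str]:
    # Reported behaviour: the token is issued for whoever holds the session
    # credentials, so under impersonation "root" owns it, not the impersonated user.
    return _issue(session.login_uid, session.login_password)


def create_app_token_fixed(session: Session) -> Tuple[AppToken, str]:
    # The session only carries login_uid's password, so a token for impersonated_uid
    # cannot be wrapped. Refuse loudly instead of silently misissuing one for the admin.
    if session.impersonated_uid is not None and session.impersonated_uid != session.login_uid:
        raise ImpersonationError("app tokens cannot be created while impersonating a user")
    return _issue(session.login_uid, session.login_password)
```

The fixed variant is what the UI hint suggested later in the thread maps onto: the section stays visible, but the request is rejected with an explanation rather than producing a token bound to the wrong account.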

> But maybe we should simply disable app token creation for impersonated people

Yep that is the way to go.

For UX, please let the User know (maybe with a Hint) that it is not possible with impersonation. Please do not simply hide the section.

https://github.com/nextcloud/server/pull/15936 is merged

@GretaD please use the automated GitHub issues fix keywords ;)
like fix #issue_number
