Upload is not prevented (only store the final .file is)

[solracsf]

About https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html#prevent-uploading-of-specific-files

Setting a rule like

Will NOT prevent the file upload >100 MB. File will be fully uploaded by the client to the server but final MOVE of the .file will be denied, wasting both server tmp ressources and client Server+Bandwidth.

Upload should be prevented by checking the file size BEFORE the upload, not after.

[solracsf]

It applies to any filter i think. File is always uploaded, and "filtered" after the upload.
A rule like this and a .pst upload is only denied after the file is fully uploaded too.

[nickvergessen]

If you have access to "master", can you check if it works there?
I suspect #310 or #330 solve this?

[pyretta84]

I have the same issue. On your documentation page (https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html) you've said: "If access to a file has been denied for a user, the user can not: Create/upload the file", but this isn't true.

I really need to restrict the uploadable file types to image files only.
So I selected the flow for "block access to a file" (File Access Control) and use the trigger "file MIME type" does not match "images" and I gave the specific folder an restricted tag "Images Only" and choose this tag also in that flow to apply that flow to that folder - as you mentioned in your manual/documention linked above as well.

But I can upload everything - if I share the link to anonymous users it is even more important to restrict the upload possibilities! I could even upload JS files, SH files, php or sql files - everything! No setting on that File Access Control flow apply in the upload process - no file size observer, no MIME type observers, nothing. That is a real security issue! And you really need to update your manual if the upload of files can't be managed, because it doesn't work.

But really this should be. A file management program - a cloud service, which has the ability to let anonymous users upload files has to be able to restrict the uploads. It's really essential.

Please help us fix this. Thank you very much.

Here a Screenshot of my settings I made in the flow:

I could upload any file type - not just images.
Even if I restict it to filenames /.*\.(jpg|png|jpeg)/ - nothing changes and nothing apply to the upload process.

To your information, here are my used specs:
Nextcloud Hub 6 (27.1.1)
File access control 1.17.1
Operating System: Linux 5.10.0-13-amd64 x86_64
PHP 8.2.10
mySQL 8.0.34

EDIT/UPDATE: I even installed a completely new Nextcloud with only the basic applications active to prevent some applications from interfering with the functions of this File Access Control application. Nothing changed.

[pyretta84]

After some further checks I think I figured something out.

If I only try the following, it works as expected:

Result: I can't upload any file which has a lesser size than 2 MB into that tagged folder. Great!

But if I add only one further option - no matter what - it crashes the rule.
So I thought only one option is allowed and tried it with MIME type. The result was, that the tagged folder can't be opened again - because it doesn't match that MIME type obviously. Same thing with filenames.

So the only thing what is working here is "file size (uploaded)" - everything else isn't working in combination with "file system tag" if that tag applies to the parent folder of the uploaded files, which is what I would need.

I think it needs extra options for "File mime type (uploaded)" which is mentioned in that documentation but is not available as a option (anymore?). I don't have this option... as you can see in this screenshot:

[nickvergessen]

The rules are "and" connected.
The rule says if the file size is smaller than 2 MB and bigger than 20 MB.
A file can never be both at the same time, so the rule will never match.

Since you want to block uploads if one of the cases matches, and we don't have "or" connection, you need to create 3 different rule sets (which basically is the or):
(Also you need to add a exclusion for folders, otherwise the tagged folder itself will not be accessible)

1. Block non-images

• File system tag > is tagged with > "Image Only"
• File MIME type > is not > Images
• File MIME type > is not > Folder

2. Block smaller files

• File system tag > is tagged with > "Image Only"
• File size (upload) > less > 2 MB
• File MIME type > is not > Folder

3. Block bigger files

• File system tag > is tagged with > "Image Only"
• File size (upload) > greater > 20 MB
• File MIME type > is not > Folder

[pyretta84]

Thank you very much! I thought your proposal should be working - but not exactly as you mentioned. But you put me on my way to solv it.

This thing with the folder seems not to work:

But if I create for every mime type group and every other option I needed a own rule, it works.
It's not restricted to that folder anymore, but for the moment it would be fitting.

I needed to use custom mime types like /^application\/(rar|vnd.rar|x-rar-compressed|octet-stream|zip|gzip|x-zip-compressed|x-tar|x-sh|sh|rtf|x-httpd-php|pdf||ogg|vnd.oasis.opendocument.text|vnd.oasis.opendocument.spreadsheet|nd.apple.installer+xml|xhtml+xml|xml|html|json|ld+json|javascript|java-archive|x-csh|x-bzip2|x-bzip|x-freearc|x-7z-compressed|vnd.mozilla.xul+xml)$/i or /^text\/(plain|css|csv|calendar|javascript|sh|x-sh|html|xml)$/i

this worked for me. Thank you very much!