Allow to restrict app password data access

[j-ed]

Expected behavior

If a user creates individual app passwords, it should be possible to restrict to which data the app should have access to and what kind of access should be allowed.

Example:

App         RO  RW  CREATE  DELETE  UPLOAD
----------  --  --  ------  ------  ------
Calendar    X
Contacts        X
Files                                 X          

Current behavior

If a user creates individual app passwords, he couldn't restrict to which data the app should have access.

Steps to reproduce

1. Login as as a user
2. Choose Personal -> App passwords

Environment

Server Configuration

OS: Linux 3.2.82
Web server: Apache2 2.4.25
Database: MariaDB 5.5.53
PHP version: 5.6.29
Nextcloud version: 10.0.2

Client Configuration

Browser: Mozilla Firefox 50.1.0
Operating system: Windows 7

EDIT by @jospoortvliet : Please see #30331 for a few more details and use cases.

[MariusBluem]

See: #719

What is the current plan/state? @icewind1991

[nickvergessen]

The problem is that this is not really that easy.

E.g. you wouldn't want your activity reader to do anything right?
But it needs access to all of those to display the related events, get the contact names for displaying and file access for handling of paths in activities.

So while it is nice in theory, we need to make this easily checkable and somehow a way to correctly deal with this for other apps.

[benyanke]

@nickvergessen It would seem that to implement this, a permissions framework would need to be built into the core of NC, at which point apps could register the permissions they have available, which would be namespaced with the app name, etc, etc.

A framework I'm using on my own projects is https://github.com/spatie/laravel-permission. While it's deeply integrated with laravel, so not very suitable for this, perhaps a similar model could be used: create a list of permissions - as you mentioned, separate out read vs write permissions in each section, and then assign to users.

[nickvergessen]

Yeah something similar to the bruteforce protection we added in 12 (or was it 11?).

server/core/Controller/LoginController.php

Line 219 in 0bccd5a

* @BruteForceProtection(action=login)

[j-ed]

The issue has still not been fixed in Nextcloud v13.0.6.

[szaimen]

I suppose this issue is still valid? If not, please close this issue!

[j-ed]

Yes, you're right. It is still not possible to restrict the data access.

[riedel]

Actually it makes sense to go even further. IMHO it would make sense to use the sharing functionality to share a file or subdirectory with an "app password". Particularly if one needs to upload or download data for a longer timeframe in a multiuser environment keeping any password on disk or in memory with such wide permissions does not much lessen the attack surface.

Context: I am currently looking on a good way how to instruct users to include nextcloud files in projects in their HPC project. Registering an extra user for sharing files with yourself seems to be the only good solution.

[InRiPa]

I'm using Android Apps, which access a specific App from nextcloud (e.g. app for calendar, app for tasks, ..). It would be nice to restrict the access of given "app password account" to the exact purpose.