Allow public page access to apps with group restrictions on

[pranavk]

Currently, when group restrictions are on, it is not possible to have a controller method declared as public page because the security middleware checks if the app is enabled for the user unconditionally.

See: https://github.com/nextcloud/server/blob/master/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php#L188

Although, when group restrictions are disabled, then \OC_App::isEnabled($this->appName) returns true making it possible to access a public controller method.

However, an app might need to make a method public even when group restrictions are on. My use case is nextcloud/richdocuments where the document editing service requires to download the document from nextcloud to be able to edit it. Since it has no user context, it downloads the file (and does some other stuff too) via a public controller method, which fails when group restrictions are on.

I think we may need to introduce a new annotation here and then guard the security middleware method there with it.

[julien-nc]

Did you find a solution ? I'm looking for a way to allow public pages to my apps (PhoneTrack and GpxPod) when there are group restrictions...

[julien-nc]

There is a duplicate of this issue : #6962

[julien-nc]

#8593 partially fixes the problem : Routing system is still redirecting users who are not in any authorized group when they try to access to public pages of restricted apps. I'll try to find where to fix that.