This repository has been archived by the owner on Jan 18, 2021. It is now read-only.

User gets HTTP response 207 while accessing other users' data using the meta API #382

Closed
Talank opened this issue Jul 20, 2020 · 1 comment

Comments


Talank commented Jul 20, 2020

During PROPFIND of a file using its file id via the meta API in OCIS, when a user tries to get unauthorized access to other users' data, the HTTP response code is 207.

Steps to reproduce

  1. Create users Alice and Emily
  2. User Alice uploads a file testfile.txt with content "test content"
  3. As user Emily, using the fileid of Alice's file testfile.txt, send an HTTP PROPFIND request to the API endpoint remote.php/dav/meta/<fileid>

Expected behavior

The response should be like the one in OC10, where the HTTP status code is 404.

Actual behavior (In OCIS)

The HTTP status code is 207.

For example, for the request

curl 'http://localhost:9140/remote.php/dav/meta/MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTYyOjgzYzVlNzBhLWUzMjgtNDMwNS05NWQxLThmNTcwNzgzMmY0Nw==/v' \
  -X 'PROPFIND' \
  -u 'Emily:1234' -v | xmllint --format -

The response data is as follows.

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9140 (#0)
* Server auth using Basic with user 'Emily'
> PROPFIND /remote.php/dav/meta/MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTYyOjgzYzVlNzBhLWUzMjgtNDMwNS05NWQxLThmNTcwNzgzMmY0Nw==/v HTTP/1.1
> Host: localhost:9140
> Authorization: Basic dHUxOjEyMzQ=
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 207 Multi-Status
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none';
< Content-Type: application/xml; charset=utf-8
< Dav: 1, 3, extended-mkcol
< Vary: Origin
< X-Access-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXZhIiwiZXhwIjoxNTk0OTg0OTg0LCJpYXQiOjE1OTQ5ODEzODQsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0OjkyMDAiLCJ1c2VyIjp7ImlkIjp7ImlkcCI6Imh0dHBzOi8vbG9jYWxob3N0OjkyMDAiLCJvcGFxdWVfaWQiOiJ0dTEifSwidXNlcm5hbWUiOiJ0dTEiLCJtYWlsIjoidHUxQGV4YW1wbGUub3JnIiwiZGlzcGxheV9uYW1lIjoiVXNlciBPd2FuZSJ9fQ.8ti__uBKIIU051R8lES547fl2C60EVK9F4K_oBGyCPk
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< Date: Fri, 17 Jul 2020 10:23:04 GMT
< Content-Length: 1025
< 
{ [1025 bytes data]
100  1025  100  1025    0     0  20098      0 --:--:-- --:--:-- --:--:-- 20098
* Connection #0 to host localhost left intact
<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns">
  <d:response>
    <d:href>/remote.php/dav/meta/MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTYyOjgzYzVlNzBhLWUzMjgtNDMwNS05NWQxLThmNTcwNzgzMmY0Nw==/v/</d:href>
    <d:propstat>
      <d:prop>
        <oc:id>dmlydHVhbDptZXRhL01USTROR1F5TXpndFlXRTVNaTAwTW1ObExXSmtZelF0TUdJd01EQXdNREE1TVRZeU9qZ3pZelZsTnpCaExXVXpNamd0TkRNd05TMDVOV1F4TFRobU5UY3dOemd6TW1ZME53PT0vdg==</oc:id>
        <oc:fileid>dmlydHVhbDptZXRhL01USTROR1F5TXpndFlXRTVNaTAwTW1ObExXSmtZelF0TUdJd01EQXdNREE1TVRZeU9qZ3pZelZsTnpCaExXVXpNamd0TkRNd05TMDVOV1F4TFRobU5UY3dOemd6TW1ZME53PT0vdg==</oc:fileid>
        <d:getetag>"b228ea923c2a4ceae4f92a03efaea14a"</d:getetag>
        <d:resourcetype>
          <d:collection/>
        </d:resourcetype>
        <d:getcontenttype>httpd/unix-directory</d:getcontenttype>
        <oc:size>0</oc:size>
        <d:getlastmodified>Fri, 17 Jul 2020 10:11:39 +0000</d:getlastmodified>
        <oc:favorite>0</oc:favorite>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>

In OC10

The HTTP status code is 404

For example, for the request

curl 'http://localhost/core/remote.php/dav/meta/2147510015octllwqtombf/v' \
  -X 'PROPFIND' \
  -u 'Emily:Emily' -v | xmllint --format -

The response data is as follows.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'Emily'
> PROPFIND /core/remote.php/dav/meta/2147510015octllwqtombf/v HTTP/1.1
> Host: localhost
> Authorization: Basic dXUxOnV1MQ==
> User-Agent: curl/7.58.0
> Accept: */*
> 
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 404 Not Found
< Date: Fri, 17 Jul 2020 10:27:00 GMT
< Server: Apache/2.4.29 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: octllwqtombf=eu7m3289keeuq5k8fqclinvir4; path=/core; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=iH3dC0eqI9fFYoc7jcsc%2BBqs32a9UGv2U3azINr0kXfBWZuLJwlosE09SKxUXjUu5sPYMXRzmDA24dnwNe%2FIokWjbTKbW0kzzVf0Yo3%2FL1Qc6hc9MlkiFzcJX%2F%2BfEPIQ; path=/core; HttpOnly; SameSite=strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: octllwqtombf=r9sbrb6823ee9sqc93hpdts3hp; path=/core; HttpOnly
< Set-Cookie: cookie_test=test; expires=Fri, 17-Jul-2020 11:27:00 GMT; Max-Age=3600
< Vary: Brief,Prefer
< DAV: 1, 3, extended-mkcol, 2, access-control, calendarserver-principal-property-search
< Content-Length: 181
< Content-Type: application/xml; charset=utf-8
< 
{ [181 bytes data]
100   181  100   181    0     0    874      0 --:--:-- --:--:-- --:--:--   870
* Connection #0 to host localhost left intact
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotFound</s:exception>
  <s:message/>
</d:error>
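An added regression check (not part of the report or of the ocis project) that sends the same PROPFIND as the non-owner and classifies the answer: 403 or 404 counts as denied (the follow-up comment says ocis now answers 403), a 207 multistatus that exposes oc:fileid counts as a leak. Base URL, fileid and credentials are command-line arguments; the two sample bodies are constructed from the responses quoted in the report.

```python
import base64
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

OC_NS = "http://owncloud.org/ns"

def classify_meta_response(status, body):
    """Classify a meta-API PROPFIND answer as seen by a non-owner.

    'denied'     : 403/404, existence and properties of the file stay hidden
    'leak'       : 207 whose multistatus carries oc:fileid for the resource
    'unexpected' : anything else, worth a closer look
    """
    if status in (403, 404):
        return "denied"
    if status == 207 and body:
        root = ET.fromstring(body)
        if root.findall(f".//{{{OC_NS}}}fileid"):
            return "leak"
    return "unexpected"

def propfind_meta(base_url, fileid, user, password, timeout=10):
    """PROPFIND /remote.php/dav/meta/<fileid>/v with Basic auth; return (status, body)."""
    req = urllib.request.Request(f"{base_url}/remote.php/dav/meta/{fileid}/v",
                                 method="PROPFIND")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Depth", "0")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 403/404 are raised, not returned
        return err.code, err.read()

# Constructed sample bodies, modelled on the two responses quoted in the report.
OCIS_207_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
  <d:response><d:href>/remote.php/dav/meta/FILEID/v/</d:href>
    <d:propstat><d:prop><oc:fileid>FILEID</oc:fileid></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response></d:multistatus>"""
OC10_404_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\\DAV\\Exception\\NotFound</s:exception><s:message/></d:error>"""

if __name__ == "__main__":
    # usage: python meta_check.py http://localhost:9140 <fileid-of-alices-file> Emily 1234
    base, fid, user, pw = sys.argv[1:5]
    print(classify_meta_response(*propfind_meta(base, fid, user, pw)))
```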
@individual-it (Member)

the response is 403 now, see owncloud/ocis#773
