Created attachment 134363
A screenshot of the prompt
SUMMARY
Attempting to open any file in a WebDAV folder connected to a Nextcloud provider results in a confirmation prompt that includes a warning about a potential scam attempt.
STEPS TO REPRODUCE
1. Set up a WebDAV connection to a Nextcloud provider
2. Browse the WebDAV folder to a file
3. Open the file
OBSERVED RESULT
A confirmation/warning prompt is displayed each time a file is opened.
EXPECTED RESULT
Files are opened without any prompt being displayed
SOFTWARE/OS VERSIONS
Operating System: KDE neon 5.20
KDE Plasma Version: 5.20.4
KDE Frameworks Version: 5.77.0
Qt Version: 5.15.2
Kernel Version: 5.4.0-58-generic
OS Type: 64-bit
Processors: 4 × Intel® Core™ i5-6200U CPU @ 2.30GHz
Memory: 7.1 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 520
ADDITIONAL INFORMATION
Rough translation of the attached screenshot:
"Website access confirmation - Dolphin"
"You are about to connect to site [nextcloud provider URL] with username [nextcloud username] but the site doesn't require authentication. This might be a scam attempt. Is [nextcloud provider URL] really the site you want to access?"
[YES] [NO]
I confirm this bug is present on my installation as well and it's quite annoying.
OS: KDE neon Focal
KDE Plasma Version: 5.20.5
KDE Frameworks Version: 5.78.0
Qt Version: 5.15.2
*** Bug 376361 has been marked as a duplicate of this bug. ***
*** Bug 425486 has been marked as a duplicate of this bug. ***
Are there any updates re. this?
This is still happening in 5.22.4
Operating System: KDE neon 5.22
KDE Plasma Version: 5.22.4
KDE Frameworks Version: 5.84.0
Qt Version: 5.15.3
Kernel Version: 5.11.0-25-generic (64-bit)
Graphics Platform: X11
Processors: 4 × Intel® Core™ i5-6200U CPU @ 2.30GHz
Memory: 7.5 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 520
This also happens on my system, with the addition that every time I open the account in Dolphin I am greeted with the same warning (I do not have to open a file).
Operating System: Fedora 34
KDE Plasma Version: 5.22.4
KDE Frameworks Version: 5.85.0
Qt Version: 5.15.2
Kernel Version: 5.13.12-200.fc34.x86_64 (64-bit)
Graphics Platform: X11
Processors: 4 × Intel® Core™ i5-5200U CPU @ 2.20GHz
Memory: 15,4 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 5500
Hmm, I can open webdavs://nextcloud.<mydomain>/remote.php/dav/files/ncp in dolphin without any prompt. Is this the kind of URL we're talking about? Do you have something like ncp@ after the // ?
Okay so I have exactly the same problem using my own self-hosted Nextcloud instance and the Owncloud (Sciebo-branded) instance from my university. I added both connections in the KDE settings panel (Online-Zugänge - "Online - Access"?) and tried to open them in the network tab of Dolphin. What I found out is that by adding Nextcloud/Owncloud this way the URL looks like the following:
```
webdavs://username@domain.tld/remote.php/webdav/
```
This leads to the dialog that all the others here described and is shown in the screenshot from @MK. But if you remove the `username@` from the URL and copy that into a fresh instance of Dolphin, it doesn't ask you for the confirmation anymore. I am not sure where Dolphin takes the username in this case, but it seems to work. So the Nextcloud/Owncloud setup wizard should store another URL for those services, at least for Dolphin.
BTW I am using Manjaro KDE with Plasma 5.22.5, Frameworks 5.87.0 and Qt 5.15.2
I also get the same warning each time I connect but not for every file. Is there a way to disable that warning? I couldn't find it in the settings. My URL looks as follows:
webdavs://<username>@nextcloud.<mydomain>.tld:443/remote.php/dav/files/<username>/
I am running Dolphin 21.12.2.
I found a workaround to remove username@ from the URL, and thus get rid of the prompt.
1. Close Dolphin, if it was open.
2. Open ~/.local/share/user-places.xbel and find bookmark item with title of "Nextcloud Storage", take note of its href value. Mine was "remote:/2_nextcloud-storage".
3. Open ~/.local/share/remoteview/<href-base>.desktop where <href-base> is the part after "remote:/", so my desktop file was "2_nextcloud-storage.desktop".
4. Within the desktop file remove "<username>@" part from the URL key. Save the file.
5. Open Dolphin again, and try to access "Nextcloud Storage", it shouldn't prompt you anymore.
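The workaround above as a script, added here as an example; it is not part of the original comment and not KDE code. It assumes the entries are `*.desktop` files with a `URL` key as the comment describes; the optional `[..]` key suffix and the `.bak` copies are additions of this example.

```shell
#!/bin/sh
# Added example, not KDE code. Directory and "URL" key are taken from the
# workaround above; the optional [..] key suffix is an assumption.

# URL key, webdav or webdavs scheme, then userinfo: everything up to the
# last "@" that appears before the first "/" of the path.
PATTERN='^(URL(\[[^]]*\])?=webdavs?://)[^/]*@'

# Print "file: line" for each entry that still embeds a username.
list_userinfo_urls() {
    for f in "$1"/*.desktop; do
        [ -f "$f" ] || continue
        grep -E "$PATTERN" "$f" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# Strip the userinfo in place, keeping a .bak copy of every changed file.
# Prints the number of files changed. Close Dolphin before running it.
strip_userinfo() {
    changed=0
    for f in "$1"/*.desktop; do
        [ -f "$f" ] || continue
        grep -Eq "$PATTERN" "$f" || continue
        cp -p "$f" "$f.bak"
        sed -E "s#$PATTERN#\\1#" "$f.bak" > "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Usage: sh strip-userinfo.sh ~/.local/share/remoteview
if [ "$#" -eq 1 ]; then
    list_userinfo_urls "$1"
    echo "files changed: $(strip_userinfo "$1")"
fi
```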
Same here (or rather "similar here"). I set up my local Nextcloud RasPi a few weeks ago and for a few days now, I get that dialog at every KDE startup. The dialog does not say where it comes from. It just states its message. No hint on where to go to check the address/username. Nothing. Just the message that I might be scammed and whether or not I want to continue. Furthermore, I do not have Online Services stuff in systemsettings or something configured in Dolphin. So I had to grep my home folder for Nextcloud keywords and found some Akonadi files (~/.config/akonadi_davgroupware_resource_5rc) which do not contain any user name in the URL (https://192.168.178.251/remote.php/dav). They do have my user name in the config file though. But how would they connect to my Nextcloud instance otherwise?
Supplemental to earlier post: During investigation I found that apparently I created two CalDAV/CardDAV configs to the same Nextcloud instance. So I removed the one that was not shown as "Ready" in the Calendar Sources settings dialog within the Kalendar application. Since then, the funny message is gone.
Yep, can confirm
Operating System: Fedora Linux 37
KDE Plasma Version: 5.26.5
KDE Frameworks Version: 5.102.0
Qt Version: 5.15.8
I think it can be in the 15-minute bug list, because I found it while configuring a new Plasma install: I just went through the settings changing them, added an account, and decided to add Nextcloud storage in Places.
I guess I found the problem:
Plasma adds a URL like webdavs://user@host/remote.php/dav/files/user
But Nextcloud needs a URL like webdavs://host/remote.php/dav/files/user
I may have found the root of the problem, but I'm not a programmer.
In the file https://invent.kde.org/network/kaccounts-integration/-/blob/master/src/plugins/kio-webdav/kioservices.cpp there are two places that caught my attention:
First is lines 163-167
```
QUrl url; // <- if this is url composer
url.setHost(host);
url.setUserName(username); // <- this is unnecessary
url.setScheme(QStringLiteral("webdavs"));
url.setPath(path);
```
Second is lines 198-204
```
QString walletUrl(url.scheme());
walletUrl.append(QStringLiteral("-"));
walletUrl.append(username); // <- unnecessary
walletUrl.append(QStringLiteral("@"));
walletUrl.append(url.host());
walletUrl.append(QStringLiteral(":-1-"));
```
I am not a developer, and I don't know the details of how user credentials are sent to the Nextcloud server, but I know that without the username in the URL everything works as it should. Correct me if I'm wrong; I will appreciate some technical details.
Git commit 4f2814995c4703af008492084d1d2ea1a5249061 by Fushan Wen, on behalf of Tino Lorenz.
Committed on 27/05/2023 at 05:23.
Pushed by fusionfuture into branch 'master'.
knetattach: don't store username in WebDAV URL
This should at least partially fix 430894 (there may still be other programs creating bad URLs, though).
If a username is required for the connection, it can still be entered in KIO's password dialog.
M +3 -3 knetattach/knetattach.cpp
https://invent.kde.org/plasma/plasma-desktop/-/commit/4f2814995c4703af008492084d1d2ea1a5249061
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-desktop/-/merge_requests/1536
Git commit 2257a6cbf51efd55efd77af163e82cf91103dadd by Fushan Wen, on behalf of Tino Lorenz.
Committed on 27/05/2023 at 05:27.
Pushed by fusionfuture into branch 'Plasma/5.27'.
knetattach: don't store username in WebDAV URL
This should at least partially fix 430894 (there may still be other programs creating bad URLs, though).
If a username is required for the connection, it can still be entered in KIO's password dialog.
(cherry picked from commit 4f2814995c4703af008492084d1d2ea1a5249061)
M +3 -3 knetattach/knetattach.cpp
https://invent.kde.org/plasma/plasma-desktop/-/commit/2257a6cbf51efd55efd77af163e82cf91103dadd
Just wanted to add that the title of the message dialog in English is "Confirm website access - some_URL". Hopefully this will make this thread easier to find for some. I had a self-hosted caldav/carddav system that changed URL, so my proxy gave a default page without requiring authorization - that triggered this recurring message for me. I found the akonadi file using a simple grep -irl "some_URL", which gave me "~/.config/akonadi_davgroupware_resource_1rc" - I deleted that file (there was only one entry), rebooted and the problem was gone.