diff --git a/changelog/unreleased/fix-sharing-roles.md b/changelog/unreleased/fix-sharing-roles.md new file mode 100644 index 00000000000..14f018caccd --- /dev/null +++ b/changelog/unreleased/fix-sharing-roles.md @@ -0,0 +1,5 @@ +Bugfix: Fix sharing roles + +Sharing roles were inconsistent and had some wrong entries. This fixes it. + +https://github.com/owncloud/reva/pull/482 diff --git a/pkg/conversions/role.go b/pkg/conversions/role.go index 012c2fe512d..14eeff919a7 100644 --- a/pkg/conversions/role.go +++ b/pkg/conversions/role.go 
@@ -209,194 +209,169 @@ func NewUnknownRole() *Role { } } -// NewDeniedRole creates a fully denied role -func NewDeniedRole() *Role { - return &Role{ - Name: RoleDenied, - cS3ResourcePermissions: &provider.ResourcePermissions{}, - ocsPermissions: PermissionsNone, - } -} +// Sharing Viewer (Files + Folders) -// NewViewerRole creates a viewer role. `sharing` indicates if sharing permission should be added -func NewViewerRole() *Role { - p := PermissionRead +// NewSecureViewerRole creates a secure viewer role +func NewSecureViewerRole() *Role { return &Role{ - Name: RoleViewer, + Name: RoleSecureViewer, cS3ResourcePermissions: &provider.ResourcePermissions{ - GetPath: true, - GetQuota: true, - InitiateFileDownload: true, - ListContainer: true, - ListRecycle: true, - Stat: true, + GetPath: true, + ListContainer: true, + Stat: true, }, - ocsPermissions: p, } } -// NewViewerListGrantsRole creates a viewer role. `sharing` indicates if sharing permission should be added +// NewViewerRole creates a viewer role. +func NewViewerRole() *Role { + r := NewSecureViewerRole() + r.Name = RoleViewer + r.ocsPermissions = PermissionRead + r.cS3ResourcePermissions.GetQuota = true + r.cS3ResourcePermissions.InitiateFileDownload = true + return r +} + +// NewViewerListGrantsRole creates a viewer role. 
func NewViewerListGrantsRole() *Role { - role := NewViewerRole() - role.cS3ResourcePermissions.ListGrants = true - return role + r := NewViewerRole() + r.Name = RoleViewerListGrants + r.cS3ResourcePermissions.ListGrants = true + return r } -// NewSpaceViewerRole creates a spaceviewer role -func NewSpaceViewerRole() *Role { +// Sharing Folder + +// NewDeniedRole creates a fully denied role +func NewDeniedRole() *Role { return &Role{ - Name: RoleSpaceViewer, - cS3ResourcePermissions: &provider.ResourcePermissions{ - GetPath: true, - GetQuota: true, - InitiateFileDownload: true, - ListContainer: true, - ListGrants: true, - ListRecycle: true, - Stat: true, - }, - ocsPermissions: PermissionRead, + Name: RoleDenied, + cS3ResourcePermissions: &provider.ResourcePermissions{}, + ocsPermissions: PermissionsNone, } } -// NewEditorRole creates an editor role. `sharing` indicates if sharing permission should be added +// NewEditorLiteRole creates an editor-lite role +func NewEditorLiteRole() *Role { + r := NewViewerRole() + r.Name = RoleEditorLite + r.ocsPermissions = PermissionCreate + r.cS3ResourcePermissions.CreateContainer = true + r.cS3ResourcePermissions.InitiateFileUpload = true + r.cS3ResourcePermissions.Move = true + return r +} + +// NewEditorRole creates an editor role. 
func NewEditorRole() *Role { - p := PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete - return &Role{ - Name: RoleEditor, - cS3ResourcePermissions: &provider.ResourcePermissions{ - CreateContainer: true, - Delete: true, - GetPath: true, - GetQuota: true, - InitiateFileDownload: true, - InitiateFileUpload: true, - ListContainer: true, - ListRecycle: true, - Move: true, - RestoreRecycleItem: true, - Stat: true, - }, - ocsPermissions: p, - } + r := NewEditorLiteRole() + r.Name = RoleEditor + r.ocsPermissions = PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete + r.cS3ResourcePermissions.Delete = true + r.cS3ResourcePermissions.RestoreRecycleItem = true + return r } -// NewEditorListGrantsRole creates an editor role. `sharing` indicates if sharing permission should be added +// NewEditorListGrantsRole creates an editor role. func NewEditorListGrantsRole() *Role { - role := NewEditorRole() - role.cS3ResourcePermissions.ListGrants = true - return role + r := NewEditorRole() + r.Name = RoleEditorListGrants + r.cS3ResourcePermissions.ListGrants = true + return r } -// NewEditorListGrantsWithVersionsRole creates an editor role. `sharing` indicates if sharing permission should be added +// NewEditorListGrantsWithVersionsRole creates an editor role. 
func NewEditorListGrantsWithVersionsRole() *Role { - role := NewEditorListGrantsRole() - role.cS3ResourcePermissions.ListFileVersions = true - return role -} - -// NewSpaceEditorRole creates an editor role -func NewSpaceEditorRole() *Role { - return &Role{ - Name: RoleSpaceEditor, - cS3ResourcePermissions: &provider.ResourcePermissions{ - CreateContainer: true, - Delete: true, - GetPath: true, - GetQuota: true, - InitiateFileDownload: true, - InitiateFileUpload: true, - ListContainer: true, - ListFileVersions: true, - ListGrants: true, - ListRecycle: true, - Move: true, - RestoreFileVersion: true, - RestoreRecycleItem: true, - Stat: true, - }, - ocsPermissions: PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete, - } + r := NewEditorListGrantsRole() + r.Name = RoleEditorListGrantsWithVersions + r.cS3ResourcePermissions.ListFileVersions = true + r.cS3ResourcePermissions.RestoreFileVersion = true + return r } -// NewSpaceEditorWithoutVersionsRole creates an editor without list/restore versions role -func NewSpaceEditorWithoutVersionsRole() *Role { - return &Role{ - Name: RoleSpaceEditorWithoutVersions, - cS3ResourcePermissions: &provider.ResourcePermissions{ - CreateContainer: true, - Delete: true, - GetPath: true, - GetQuota: true, - InitiateFileDownload: true, - InitiateFileUpload: true, - ListContainer: true, - ListGrants: true, - ListRecycle: true, - Move: true, - RestoreRecycleItem: true, - Stat: true, - }, - ocsPermissions: PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete, - } -} - -// NewSpaceEditorWithoutTrashbinRole creates an editor role without list/restore resources in trashbin on a space. 
-func NewSpaceEditorWithoutTrashbinRole() *Role { - return &Role{ - Name: RoleSpaceEditorWithoutTrashbin, - cS3ResourcePermissions: &provider.ResourcePermissions{ - CreateContainer: true, - Delete: true, - GetPath: true, - GetQuota: true, - InitiateFileDownload: true, - InitiateFileUpload: true, - ListContainer: true, - ListFileVersions: true, - ListGrants: true, - Move: true, - RestoreFileVersion: true, - Stat: true, - }, - ocsPermissions: PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete, - } -} +// Sharing File // NewFileEditorRole creates a file-editor role func NewFileEditorRole() *Role { - p := PermissionRead | PermissionWrite - return &Role{ - Name: RoleEditor, - cS3ResourcePermissions: &provider.ResourcePermissions{ - GetPath: true, - GetQuota: true, - InitiateFileDownload: true, - ListContainer: true, - ListRecycle: true, - Stat: true, - InitiateFileUpload: true, - RestoreRecycleItem: true, - }, - ocsPermissions: p, - } + r := NewViewerRole() + r.Name = RoleFileEditor + r.ocsPermissions = PermissionRead | PermissionWrite + r.cS3ResourcePermissions.InitiateFileUpload = true + return r } // NewFileEditorListGrantsRole creates a file-editor role func NewFileEditorListGrantsRole() *Role { - role := NewFileEditorRole() - role.cS3ResourcePermissions.ListGrants = true - return role + r := NewFileEditorRole() + r.Name = RoleFileEditorListGrants + r.cS3ResourcePermissions.ListGrants = true + return r } // NewFileEditorListGrantsWithVersionsRole creates a file-editor role func NewFileEditorListGrantsWithVersionsRole() *Role { role := NewFileEditorListGrantsRole() role.cS3ResourcePermissions.ListFileVersions = true + role.cS3ResourcePermissions.RestoreFileVersion = true return role } -// NewCoownerRole creates a coowner role. 
+// Space Membership + +// NewSpaceViewerRole creates a spaceviewer role +// FIXME: Same as ViewerListGrants +func NewSpaceViewerRole() *Role { + r := NewViewerRole() + r.Name = RoleSpaceViewer + r.cS3ResourcePermissions.ListGrants = true + return r +} + +// NewSpaceEditorWithoutVersionsRole creates an editor without list/restore versions role +func NewSpaceEditorWithoutVersionsRole() *Role { + r := NewSpaceViewerRole() + r.Name = RoleSpaceEditorWithoutVersions + r.cS3ResourcePermissions.CreateContainer = true + r.cS3ResourcePermissions.InitiateFileUpload = true + r.cS3ResourcePermissions.Move = true + return r +} + +// NewSpaceEditorWithoutTrashbinRole creates an editor role without list/restore resources in trashbin on a space. +func NewSpaceEditorWithoutTrashbinRole() *Role { + r := NewSpaceEditorWithoutVersionsRole() + r.Name = RoleSpaceEditorWithoutTrashbin + r.ocsPermissions = PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete + r.cS3ResourcePermissions.ListFileVersions = true + r.cS3ResourcePermissions.RestoreFileVersion = true + return r +} + +// NewSpaceEditorRole creates an editor role +func NewSpaceEditorRole() *Role { + r := NewSpaceEditorWithoutTrashbinRole() + r.Name = RoleSpaceEditor + r.cS3ResourcePermissions.ListRecycle = true + r.cS3ResourcePermissions.Delete = true + r.cS3ResourcePermissions.RestoreRecycleItem = true + return r +} + +// NewManagerRole creates an manager role +func NewManagerRole() *Role { + r := NewSpaceEditorRole() + r.Name = RoleManager + r.ocsPermissions = PermissionAll + r.cS3ResourcePermissions.PurgeRecycle = true + r.cS3ResourcePermissions.AddGrant = true // managers can add users to the space + r.cS3ResourcePermissions.RemoveGrant = true // managers can remove users from the space + r.cS3ResourcePermissions.UpdateGrant = true // managers can update user roles + r.cS3ResourcePermissions.DenyGrant = true // managers can deny access to sub folders + return r +} + +// NewCoownerRole creates a coowner role. 
NOT USED BY OCIS func NewCoownerRole() *Role { return &Role{ Name: RoleCoowner, @@ -424,24 +399,7 @@ func NewCoownerRole() *Role { } } -// NewEditorLiteRole creates an editor-lite role -func NewEditorLiteRole() *Role { - return &Role{ - Name: RoleEditorLite, - cS3ResourcePermissions: &provider.ResourcePermissions{ - Stat: true, - GetPath: true, - CreateContainer: true, - InitiateFileUpload: true, - InitiateFileDownload: true, - ListContainer: true, - Move: true, - }, - ocsPermissions: PermissionCreate, - } -} - -// NewUploaderRole creates an uploader role with no download permissions +// NewUploaderRole creates an uploader role with no download permissions. NOT USED BY OCIS func NewUploaderRole() *Role { return &Role{ Name: RoleUploader, @@ -455,7 +413,7 @@ func NewUploaderRole() *Role { } } -// NewNoneRole creates a role with no permissions +// NewNoneRole creates a role with no permissions NOT USED BY OCIS func NewNoneRole() *Role { return &Role{ Name: "none", 
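Review bot: The space-editor chain in this hunk drops permissions the removed roles had: `NewSpaceEditorWithoutVersionsRole` no longer grants cs3 `Delete`, `ListRecycle` or `RestoreRecycleItem` and keeps the `PermissionRead` ocs mask inherited via `NewSpaceViewerRole` from `NewViewerRole`, while `NewSpaceEditorWithoutTrashbinRole` sets ocs `PermissionDelete` although cs3 `Delete` is only added one step later in `NewSpaceEditorRole`. The cause is the linear derivation (WithoutVersions → WithoutTrashbin → SpaceEditor), which forces the "without versions" role to be a subset of the "without trashbin" role even though each is meant to subtract a different capability from the full editor, so a member with the "without versions" role can now upload and move but not delete. Deriving both from a shared private base that already carries delete and the full ocs mask, as sketched below, restores the old permission sets while keeping the new derived style. Separately, `NewFileEditorListGrantsWithVersionsRole` is the only derived constructor in the hunk that does not assign its own `Name`, so it reports `RoleFileEditorListGrants`; if a distinct constant exists it should be set, otherwise a comment such as `// shares the name of RoleFileEditorListGrants on purpose` should say so.
```go
// newSpaceEditorBase returns the permissions shared by every space editor
// variant: space viewer plus create/upload/move/delete and the full ocs mask.
func newSpaceEditorBase() *Role {
	r := NewSpaceViewerRole()
	r.ocsPermissions = PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete
	r.cS3ResourcePermissions.CreateContainer = true
	r.cS3ResourcePermissions.InitiateFileUpload = true
	r.cS3ResourcePermissions.Move = true
	r.cS3ResourcePermissions.Delete = true
	return r
}

// NewSpaceEditorWithoutVersionsRole creates an editor without list/restore versions role
func NewSpaceEditorWithoutVersionsRole() *Role {
	r := newSpaceEditorBase()
	r.Name = RoleSpaceEditorWithoutVersions
	r.cS3ResourcePermissions.ListRecycle = true
	r.cS3ResourcePermissions.RestoreRecycleItem = true
	return r
}

// NewSpaceEditorWithoutTrashbinRole creates an editor role without list/restore resources in trashbin on a space.
func NewSpaceEditorWithoutTrashbinRole() *Role {
	r := newSpaceEditorBase()
	r.Name = RoleSpaceEditorWithoutTrashbin
	r.cS3ResourcePermissions.ListFileVersions = true
	r.cS3ResourcePermissions.RestoreFileVersion = true
	return r
}

// NewSpaceEditorRole creates an editor role
func NewSpaceEditorRole() *Role {
	r := NewSpaceEditorWithoutVersionsRole()
	r.Name = RoleSpaceEditor
	r.cS3ResourcePermissions.ListFileVersions = true
	r.cS3ResourcePermissions.RestoreFileVersion = true
	return r
}
// … unchanged: NewManagerRole builds on NewSpaceEditorRole as before …
```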
@@ -464,49 +422,6 @@ func NewNoneRole() *Role { } } -// NewManagerRole creates an manager role -func NewManagerRole() *Role { - return &Role{ - Name: RoleManager, - cS3ResourcePermissions: &provider.ResourcePermissions{ - GetPath: true, - GetQuota: true, - InitiateFileDownload: true, - ListGrants: true, - ListContainer: true, - ListFileVersions: true, - ListRecycle: true, - Stat: true, - InitiateFileUpload: true, - RestoreFileVersion: true, - RestoreRecycleItem: true, - Move: true, - CreateContainer: true, - Delete: true, - PurgeRecycle: true, - - // these permissions only make sense to enforce them in the root of the storage space. - AddGrant: true, // managers can add users to the space - RemoveGrant: true, // managers can remove users from the space - UpdateGrant: true, - DenyGrant: true, // managers can deny access to sub folders - }, - ocsPermissions: PermissionAll, - } -} - -// NewSecureViewerRole creates a secure viewer role -func NewSecureViewerRole() *Role { - return &Role{ - Name: RoleSecureViewer, - cS3ResourcePermissions: &provider.ResourcePermissions{ - GetPath: true, - ListContainer: true, - Stat: true, - }, - } -} - // RoleFromOCSPermissions tries to map ocs permissions to a role // TODO: rethink using this. ocs permissions cannot be assigned 1:1 to roles func RoleFromOCSPermissions(p Permissions, ri *provider.ResourceInfo) *Role { diff --git a/pkg/publicshare/manager/owncloudsql/conversions.go b/pkg/publicshare/manager/owncloudsql/conversions.go index 84abf766003..7966495e7c1 100644 --- a/pkg/publicshare/manager/owncloudsql/conversions.go +++ b/pkg/publicshare/manager/owncloudsql/conversions.go 
@@ -27,10 +27,10 @@ import ( link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" typespb "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" + "github.com/jellydator/ttlcache/v2" "github.com/owncloud/reva/v2/pkg/conversions" "github.com/owncloud/reva/v2/pkg/rgrpc/status" "github.com/owncloud/reva/v2/pkg/rgrpc/todo/pool" - "github.com/jellydator/ttlcache/v2" ) // DBShare stores information about user and public shares. @@ -157,6 +157,9 @@ func sharePermToInt(p *provider.ResourcePermissions) int { func intTosharePerm(p int) (*provider.ResourcePermissions, error) { perms, err := conversions.NewPermissions(p) if err != nil { + if err == conversions.ErrZeroPermission { + return nil, nil + } return nil, err }