fix: permission check in public share update
micbar committed Apr 12, 2024
1 parent d98c5e4 commit 00652a3
Showing 2 changed files with 18 additions and 0 deletions.
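--- a/changelog/unreleased/fix-public-share-update.md
+++ b/changelog/unreleased/fix-public-share-update.md
@@ -0,0 +1,6 @@
+Bugfix: Fix public share update
+
+We fixed the permission check for updating public shares. When updating the permissions of a public share while not providing a password, the check must be against the new permissions to take into account that users can opt out only for view permissions.
+
+https://github.com/cs3org/reva/pull/4622
+https://github.com/cs3org/reva/pull/4626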
12 changes: 12 additions & 0 deletions internal/grpc/services/publicshareprovider/publicshareprovider.go
@@ -554,12 +554,24 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
}
updatePassword := req.GetUpdate().GetType() == link.UpdatePublicShareRequest_Update_TYPE_PASSWORD
setPassword := grant.GetPassword()

// we update permissions with an empty password and password is not set on the public share
emptyPasswordInPermissionUpdate := len(setPassword) == 0 && updatePermissions && !ps.PasswordProtected

// password is updated, we use the current permissions to check if the user can opt out
if updatePassword && !isInternalLink && enforcePassword(canOptOut, ps.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
return &link.UpdatePublicShareResponse{
Status: status.NewInvalidArg(ctx, "password protection is enforced"),
}, nil
}

// permissions are updated, we use the new permissions to check if the user can opt out
if emptyPasswordInPermissionUpdate && !isInternalLink && enforcePassword(canOptOut, grant.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
return &link.UpdatePublicShareResponse{
Status: status.NewInvalidArg(ctx, "password protection is enforced"),
}, nil
}

// validate password policy
if updatePassword && len(setPassword) > 0 {
if err := s.passwordValidator.Validate(setPassword); err != nil {
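Review bot: The new permission-update check repeats `len(setPassword) == 0`, which is already part of `emptyPasswordInPermissionUpdate`, so the condition can be reduced to `if emptyPasswordInPermissionUpdate && !isInternalLink && enforcePassword(canOptOut, grant.GetPermissions().GetPermissions(), s.conf) {`. Both enforcement branches also depend on `isInternalLink` and `updatePermissions`, which are computed above the hunk. If `isInternalLink` is derived from the stored share rather than from the requested grant, a permission update on an internal link would skip the enforcement, so that is worth confirming. The commit changes only the changelog and this file, so a test that updates permissions on a share without a password while password enforcement is configured would pin the fixed behaviour. The body of `UpdatePublicShare` starts and ends outside the hunk.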