diff --git a/internal/http/services/owncloud/ocs/conversions/role.go b/internal/http/services/owncloud/ocs/conversions/role.go
index 251fc542da..f04bd7cabd 100644
--- a/internal/http/services/owncloud/ocs/conversions/role.go
+++ b/internal/http/services/owncloud/ocs/conversions/role.go
@@ -26,7 +26,7 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 )
 
-// Role describes the interface to transform different permission sets into each other
+// Role is a set of ocs permissions and cs3 resource permissions under a common name.
 type Role struct {
 	Name string
 	cS3ResourcePermissions *provider.ResourcePermissions
@@ -34,22 +34,23 @@ type Role struct {
 }
 
 const (
-	// RoleUnknown is used for unknown roles
-	RoleUnknown string = "unknown"
-	// RoleLegacy provides backwards compatibility
-	RoleLegacy string = "legacy"
-	// RoleViewer grants non-editor role on a resource
-	RoleViewer string = "viewer"
-	// RoleEditor grants editor permission on a resource, including folders
-	RoleEditor string = "editor"
-	// RoleFileEditor grants editor permission on a single file
-	RoleFileEditor string = "file-editor"
-	// RoleCoowner grants owner permissions on a resource
-	RoleCoowner string = "coowner"
-	// RoleUploader FIXME: uploader role with only write permission can use InitiateFileUpload, not anything else
-	RoleUploader string = "uploader"
+	// RoleViewer grants non-editor role on a resource.
+	RoleViewer = "viewer"
+	// RoleEditor grants editor permission on a resource, including folders.
+	RoleEditor = "editor"
+	// RoleFileEditor grants editor permission on a single file.
+	RoleFileEditor = "file-editor"
+	// RoleCoowner grants co-owner permissions on a resource.
+	RoleCoowner = "coowner"
+	// RoleUploader grants uploader permission to upload onto a resource.
+	RoleUploader = "uploader"
 	// RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
-	RoleManager string = "manager"
+	RoleManager = "manager"
+
+	// RoleUnknown is used for unknown roles.
+	RoleUnknown = "unknown"
+	// RoleLegacy provides backwards compatibility.
+	RoleLegacy = "legacy"
 )
 
 // CS3ResourcePermissions for the role
@@ -93,7 +94,6 @@ func (r *Role) OCSPermissions() Permissions {
 // M = Mounted
 func (r *Role) WebDAVPermissions(isDir, isShared, isMountpoint, isPublic bool) string {
 	var b strings.Builder
-	// b.Grow(7)
 	if !isPublic && isShared {
 		fmt.Fprintf(&b, "S")
 	}
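Review bot: The FIXME on RoleUploader is dropped in the -34 hunk, but no hunk of this commit changes what NewUploaderRole actually grants — the -268 hunk only reformats its permission list, the role keeps `ocsPermissions: PermissionCreate`, and its cs3 permissions still contain no InitiateFileDownload. Unless the limitation the FIXME recorded was resolved in another commit, the new one-liner overstates the role; I would keep a caveat such as `// RoleUploader grants permission to upload onto a resource; it does not include download (see NewUploaderRole).` Dropping the explicit `string` type on the constants is fine on its own, since untyped string constants still convert implicitly wherever a string is expected.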
@@ -138,7 +138,7 @@ func RoleFromName(name string) *Role {
 	}
 }
 
-// NewUnknownRole creates an unknown role
+// NewUnknownRole creates an unknown role. An Unknown role has no permissions over a cs3 resource nor any ocs endpoint.
 func NewUnknownRole() *Role {
 	return &Role{
 		Name: RoleUnknown,
@@ -152,7 +152,6 @@ func NewViewerRole() *Role {
 	return &Role{
 		Name: RoleViewer,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath: true,
 			GetQuota: true,
 			InitiateFileDownload: true,
@@ -171,7 +170,6 @@ func NewEditorRole() *Role {
 	return &Role{
 		Name: RoleEditor,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath: true,
 			GetQuota: true,
 			InitiateFileDownload: true,
@@ -180,21 +178,13 @@ func NewEditorRole() *Role {
 			ListFileVersions: true,
 			ListRecycle: true,
 			Stat: true,
-
-			// write
-			InitiateFileUpload: true,
-			RestoreFileVersion: true,
-			RestoreRecycleItem: true,
-
-			// create
-			CreateContainer: true,
-
-			// delete
-			Delete: true,
-
-			// not sure where to put these, but they are part of an editor
-			Move: true,
-			PurgeRecycle: true,
+			InitiateFileUpload: true,
+			RestoreFileVersion: true,
+			RestoreRecycleItem: true,
+			CreateContainer: true,
+			Delete: true,
+			Move: true,
+			PurgeRecycle: true,
 		},
 		ocsPermissions: PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete,
 	}
@@ -205,7 +195,6 @@ func NewFileEditorRole() *Role {
 	return &Role{
 		Name: RoleEditor,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath: true,
 			GetQuota: true,
 			InitiateFileDownload: true,
@@ -214,11 +203,9 @@ func NewFileEditorRole() *Role {
 			ListFileVersions: true,
 			ListRecycle: true,
 			Stat: true,
-
-			// write
-			InitiateFileUpload: true,
-			RestoreFileVersion: true,
-			RestoreRecycleItem: true,
+			InitiateFileUpload: true,
+			RestoreFileVersion: true,
+			RestoreRecycleItem: true,
 		},
 		ocsPermissions: PermissionRead | PermissionWrite,
 	}
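Review bot: NewFileEditorRole still sets `Name: RoleEditor` (context line of the -205 hunk) even though the commit keeps a dedicated `RoleFileEditor = "file-editor"` constant, so a file-editor role identifies itself under the editor name while carrying strictly fewer cs3 permissions (no CreateContainer, Delete, Move or PurgeRecycle, per the -214 hunk) and `PermissionRead | PermissionWrite` instead of the editor's four ocs flags. Anything that renders or compares roles by Name — RoleFromName is visible in the -138 hunk header, though its body lies outside the hunk — will misdescribe the real rights of such a share. Unless the shared name is deliberate for OCS compatibility, I would change the line to `Name: RoleFileEditor,`. The removed `// read` / `// write` group comments were the only hint which cs3 permissions correspond to which ocs flag; a short doc comment on each constructor stating its ocs permission set would keep that readable.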
@@ -229,7 +216,6 @@ func NewCoownerRole() *Role {
 	return &Role{
 		Name: RoleCoowner,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath: true,
 			GetQuota: true,
 			InitiateFileDownload: true,
@@ -238,26 +224,16 @@ func NewCoownerRole() *Role {
 			ListFileVersions: true,
 			ListRecycle: true,
 			Stat: true,
-
-			// write
-			InitiateFileUpload: true,
-			RestoreFileVersion: true,
-			RestoreRecycleItem: true,
-
-			// create
-			CreateContainer: true,
-
-			// delete
-			Delete: true,
-
-			// not sure where to put these, but they are part of an editor
-			Move: true,
-			PurgeRecycle: true,
-
-			// grants
-			AddGrant: true,
-			UpdateGrant: true,
-			RemoveGrant: true,
+			InitiateFileUpload: true,
+			RestoreFileVersion: true,
+			RestoreRecycleItem: true,
+			CreateContainer: true,
+			Delete: true,
+			Move: true,
+			PurgeRecycle: true,
+			AddGrant: true,
+			UpdateGrant: true,
+			RemoveGrant: true,
 		},
 		ocsPermissions: PermissionAll,
 	}
@@ -268,15 +244,10 @@ func NewUploaderRole() *Role {
 	return &Role{
 		Name: RoleViewer,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// he will need to make stat requests
-			// TODO and List requests
-			Stat: true,
-			ListContainer: true,
-			// read
-			GetPath: true,
-			// mkdir
-			CreateContainer: true,
-			// upload
+			Stat: true,
+			ListContainer: true,
+			GetPath: true,
+			CreateContainer: true,
 			InitiateFileUpload: true,
 		},
 		ocsPermissions: PermissionCreate,
@@ -288,7 +259,6 @@ func NewManagerRole() *Role {
 	return &Role{
 		Name: RoleManager,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath: true,
 			GetQuota: true,
 			InitiateFileDownload: true,
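Review bot: NewUploaderRole sets `Name: RoleViewer` (context line of the -268 hunk) while granting InitiateFileUpload and CreateContainer and no InitiateFileDownload, so a role identified by that name reports read-only rights it does not have and hides write rights it does have; the `RoleUploader` constant kept in the -34 hunk looks like the intended value, `Name: RoleUploader,`. If the viewer name is deliberate for compatibility, that deserves a comment on the line, because a write-capable role that presents itself as a viewer is exactly what a review of share permissions would overlook. The deleted `// he will need to make stat requests` comment was also the only record that Stat and ListContainer are intentional for an upload-only role rather than an oversight; I would keep a one-liner such as `// Stat and ListContainer are deliberately granted alongside upload; confirm before narrowing.`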
@@ -297,21 +267,15 @@ func NewManagerRole() *Role {
 			ListFileVersions: true,
 			ListRecycle: true,
 			Stat: true,
-
-			// write
-			InitiateFileUpload: true,
-			RestoreFileVersion: true,
-			RestoreRecycleItem: true,
-			Move: true,
-
-			// create
-			CreateContainer: true,
-
-			// delete
-			Delete: true,
-			PurgeRecycle: true,
-
-			// grants. These permissions only make sense to enforce them in the root of the storage space.
+			InitiateFileUpload: true,
+			RestoreFileVersion: true,
+			RestoreRecycleItem: true,
+			Move: true,
+			CreateContainer: true,
+			Delete: true,
+			PurgeRecycle: true,
+
+			// these permissions only make sense to enforce them in the root of the storage space.
 			AddGrant: true, // managers can add users to the space
 			RemoveGrant: true, // managers can remove users from the space
 			UpdateGrant: true,
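Review bot: The new comment `// these permissions only make sense to enforce them in the root of the storage space.` is ungrammatical and, more importantly, describes a restriction that nothing in this hunk enforces: the Role value carries AddGrant, RemoveGrant and UpdateGrant unconditionally and leaves the root-only rule to whichever caller applies the role. I would reword it to `// Grant permissions are only meaningful at the root of a storage space; enforcing that is up to the caller applying this role.` and repeat the same sentence in the doc comment of NewManagerRole, whose signature sits outside the hunk. `UpdateGrant` is the one grant line without a trailing explanation while its two neighbours have one; either annotate all three or none.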