Adjust permissions for deleting spaces (#2828)
* adjust permissions for deleting spaces

Signed-off-by: jkoberg <[email protected]>

* changelog

Signed-off-by: jkoberg <[email protected]>

* block space delete not general delete

Signed-off-by: jkoberg <[email protected]>
kobergj authored May 6, 2022
1 parent bdbc57f commit 62b6715
Showing 3 changed files with 20 additions and 0 deletions.
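--- a/changelog/unreleased/deleteSpacePermissions.md
+++ b/changelog/unreleased/deleteSpacePermissions.md
@@ -0,0 +1,6 @@
+Bugfix: Check permissions when deleting spaces
+
+Do not allow viewers and editors to delete a space (you need to be manager)
+Block deleting a space via dav service (should use graph to avoid accidental deletes)
+
+https://github.com/cs3org/reva/pull/2827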
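--- a/internal/http/services/owncloud/ocdav/delete.go
+++ b/internal/http/services/owncloud/ocdav/delete.go
@@ -154,5 +154,14 @@ func (s *svc) handleSpacesDelete(w http.ResponseWriter, r *http.Request, spaceID
 return
 }
 
+// do not allow deleting spaces via dav endpoint - use graph endpoint instead
+// we get a relative reference coming from the space root
+// so if the path is "empty" we a referencing the space
+if ref.GetPath() == "." {
+sublog.Info().Msg("deleting spaces via dav is not allowed")
+w.WriteHeader(http.StatusBadRequest)
+return
+}
+
 s.handleDelete(ctx, w, r, ref, sublog)
 }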
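Review bot: The new guard in handleSpacesDelete compares `ref.GetPath()` with the literal `"."`, so it covers the space root only if every spelling of the root has already been normalised to exactly that string. The code that builds `ref` sits above the hunk and is not visible, so this is an assumption to confirm; if an empty path or `./` can reach the comparison, the request falls through to `s.handleDelete`. Comparing the cleaned value, `if path.Clean(ref.GetPath()) == "." {`, or a comment naming the helper that guarantees the `"."` form, would make the invariant explicit. The response is a bare 400 with no body, so a short message telling clients to use the graph endpoint would help them tell this refusal from a malformed request.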
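--- a/pkg/storage/utils/decomposedfs/spaces.go
+++ b/pkg/storage/utils/decomposedfs/spaces.go
@@ -510,6 +510,11 @@ func (fs *Decomposedfs) DeleteStorageSpace(ctx context.Context, req *provider.De
 return err
 }
 
+// only managers are allowed to disable or purge a drive
+if err := fs.checkManagerPermission(ctx, n); err != nil {
+return errtypes.PermissionDenied(fmt.Sprintf("user is not allowed to delete spaces %s", n.ID))
+}
+
 if purge {
 if !n.IsDisabled() {
 return errtypes.NewErrtypeFromStatus(status.NewInvalidArg(ctx, "can't purge enabled space"))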
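Review bot: The `err` returned by `fs.checkManagerPermission` is dropped at the new guard, so every failure of that call is reported as `PermissionDenied`, whatever its cause. That fails closed, which is the safe default, but the helper's body is not visible here (DeleteStorageSpace itself starts and ends outside the hunk), so if it can also fail for reasons other than a missing manager role, that cause is lost. A comment such as `// fail closed: any error from checkManagerPermission is reported as a denial` would record that this is deliberate, and logging `err` before returning would keep the cause available to operators. None of the three changed files is a test; a case asserting that viewers and editors are refused for both disable and purge would pin the check against regressions.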
