From 0b5c698f0d9d16960a098e4e58e6d685df25d691 Mon Sep 17 00:00:00 2001
From: "A.Unger"
Date: Mon, 13 Sep 2021 15:28:39 +0200
Subject: [PATCH 1/6] sharing roles: create role Manager
---
 .../services/owncloud/ocs/conversions/role.go | 44 ++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/internal/http/services/owncloud/ocs/conversions/role.go b/internal/http/services/owncloud/ocs/conversions/role.go
index c479df6c38..251fc542da 100644
--- a/internal/http/services/owncloud/ocs/conversions/role.go
+++ b/internal/http/services/owncloud/ocs/conversions/role.go
@@ -48,6 +48,8 @@ const (
 RoleCoowner string = "coowner"
 // RoleUploader FIXME: uploader role with only write permission can use InitiateFileUpload, not anything else
 RoleUploader string = "uploader"
+ // RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
+ RoleManager string = "manager"
 )
 
 // CS3ResourcePermissions for the role
@@ -129,8 +131,11 @@ func RoleFromName(name string) *Role {
 return NewCoownerRole()
 case RoleUploader:
 return NewUploaderRole()
+ case RoleManager:
+ return NewManagerRole()
+ default:
+ return NewUnknownRole()
 }
- return NewUnknownRole()
 }
 
 // NewUnknownRole creates an unknown role
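Review bot: The new `default:` branch in RoleFromName returns NewUnknownRole for any name it does not recognise, so a misspelt or attacker-chosen role name silently maps to a role instead of surfacing an error, and callers cannot tell a typo from a legitimately unknown role without inspecting the result. That is only safe if NewUnknownRole truly carries no permissions, which this hunk does not show, so the contract should be written on the function: `// RoleFromName maps a role name to its Role. Unknown names yield NewUnknownRole; callers handling user-supplied names must check Name == RoleUnknown and reject the request.` Returning an error would be the stricter fix but changes the signature for every caller outside this diff.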
@@ -278,6 +283,43 @@ func NewUploaderRole() *Role {
 }
 }
 
+// NewManagerRole creates an editor role
+func NewManagerRole() *Role {
+ return &Role{
+ Name: RoleManager,
+ cS3ResourcePermissions: &provider.ResourcePermissions{
+ // read
+ GetPath: true,
+ GetQuota: true,
+ InitiateFileDownload: true,
+ ListGrants: true,
+ ListContainer: true,
+ ListFileVersions: true,
+ ListRecycle: true,
+ Stat: true,
+
+ // write
+ InitiateFileUpload: true,
+ RestoreFileVersion: true,
+ RestoreRecycleItem: true,
+ Move: true,
+
+ // create
+ CreateContainer: true,
+
+ // delete
+ Delete: true,
+ PurgeRecycle: true,
+
+ // grants. These permissions only make sense to enforce them in the root of the storage space.
+ AddGrant: true, // managers can add users to the space
+ RemoveGrant: true, // managers can remove users from the space
+ UpdateGrant: true,
+ },
+ ocsPermissions: PermissionAll,
+ }
+}
+
 // RoleFromOCSPermissions tries to map ocs permissions to a role
 func RoleFromOCSPermissions(p Permissions) *Role {
 if p.Contain(PermissionRead) {
From e48853253762560f19724db91a2b266ae97bf81f Mon Sep 17 00:00:00 2001
From: "A.Unger"
Date: Mon, 13 Sep 2021 15:28:51 +0200
Subject: [PATCH 2/6] spaces: assign role Manager to the creator of the space
---
 pkg/storage/utils/decomposedfs/spaces.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/storage/utils/decomposedfs/spaces.go b/pkg/storage/utils/decomposedfs/spaces.go
index d26babf4f6..c98082347b 100644
--- a/pkg/storage/utils/decomposedfs/spaces.go
+++ b/pkg/storage/utils/decomposedfs/spaces.go
@@ -129,7 +129,7 @@ func (fs *Decomposedfs) CreateStorageSpace(ctx context.Context, req *provider.Cr
 UserId: u.Id,
 },
 },
- Permissions: ocsconv.NewEditorRole().CS3ResourcePermissions(),
+ Permissions: ocsconv.NewManagerRole().CS3ResourcePermissions(),
 }); err != nil {
 return nil, err
 }
From 40871a71498bb0704c7cabb995868df15441f521 Mon Sep 17 00:00:00 2001
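Review bot: The doc comment `// NewManagerRole creates an editor role` is a copy-paste mistake — the role built below carries AddGrant, RemoveGrant and UpdateGrant, which editors do not get, and a wrong doc on a role constructor is how the next person picks the wrong role. Nothing in the struct scopes those three permissions to the space root; the inline comment only says they "make sense" there, so enforcement has to live in the storage provider, and because AddGrant is unrestricted a manager can grant Manager to anyone. Suggest `// NewManagerRole creates a manager role: co-owner access plus AddGrant, UpdateGrant and RemoveGrant; the storage layer is expected to honour grant changes only on a storage-space root.` The `ocsPermissions: PermissionAll` value is presumably the same one the co-owner role carries, so RoleFromOCSPermissions (which begins at the end of this hunk and continues outside it) likely cannot map back to Manager.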
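Review bot: Giving the space creator the Manager role hands them RemoveGrant on the space root, so a manager can remove their own grant, or another manager can remove the last one, and leave the space with nobody able to administer it; nothing in this hunk prevents that, and the grant call the changed line belongs to starts above the visible lines. If that is acceptable it should be stated where the grant is built, e.g. `// the creator becomes the space's manager; nothing here stops the last manager grant from being removed later`, otherwise the RemoveGrant path should refuse to drop the last Manager grant. CreateStorageSpace starts before the hunk, so whether the caller is authorised to create spaces at all cannot be checked from here.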
From: "A.Unger"
Date: Mon, 13 Sep 2021 15:33:20 +0200
Subject: [PATCH 3/6] add changelog
---
 changelog/unreleased/sharing-manager-role.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelog/unreleased/sharing-manager-role.md
diff --git a/changelog/unreleased/sharing-manager-role.md b/changelog/unreleased/sharing-manager-role.md
new file mode 100644
index 0000000000..ea58858dcb
--- /dev/null
+++ b/changelog/unreleased/sharing-manager-role.md
@@ -0,0 +1,5 @@
+Enhancement: New sharing role Manager
+
+The new Manager role is equivalent to a Co-Owner with the difference that a Manager can create grants on the root of the Space. This means inviting a user to a space will not require an action from them, as the Manager assigns the grants.
+
+github.com/cs3org/reva/pull/2065
From 06159a1ceb5a1afdb98f1c7a90f6981fcf7bdf90 Mon Sep 17 00:00:00 2001
From: "A.Unger"
Date: Mon, 13 Sep 2021 15:35:29 +0200
Subject: [PATCH 4/6] issue on changelog must be valid url
---
 changelog/unreleased/sharing-manager-role.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog/unreleased/sharing-manager-role.md b/changelog/unreleased/sharing-manager-role.md
index ea58858dcb..b4debbe236 100644
--- a/changelog/unreleased/sharing-manager-role.md
+++ b/changelog/unreleased/sharing-manager-role.md
@@ -2,4 +2,4 @@ Enhancement: New sharing role Manager
 
 The new Manager role is equivalent to a Co-Owner with the difference that a Manager can create grants on the root of the Space. This means inviting a user to a space will not require an action from them, as the Manager assigns the grants.
 
-github.com/cs3org/reva/pull/2065
+https://github.com/cs3org/reva/pull/2065
From 557e6b1750ba1af38079cc01a39faec6a2df9857 Mon Sep 17 00:00:00 2001
From: "A.Unger"
Date: Tue, 14 Sep 2021 10:13:03 +0200
Subject: [PATCH 5/6] cleanup roles.go file
---
 .../services/owncloud/ocs/conversions/role.go | 138 +++++++-----------
 1 file changed, 51 insertions(+), 87 deletions(-)
diff --git a/internal/http/services/owncloud/ocs/conversions/role.go b/internal/http/services/owncloud/ocs/conversions/role.go
index 251fc542da..f04bd7cabd 100644
--- a/internal/http/services/owncloud/ocs/conversions/role.go
+++ b/internal/http/services/owncloud/ocs/conversions/role.go
@@ -26,7 +26,7 @@ import (
 provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 )
 
-// Role describes the interface to transform different permission sets into each other
+// Role is a set of ocs permissions and cs3 resource permissions under a common name.
 type Role struct {
 Name string
 cS3ResourcePermissions *provider.ResourcePermissions
@@ -34,22 +34,23 @@ type Role struct {
 }
 
 const (
- // RoleUnknown is used for unknown roles
- RoleUnknown string = "unknown"
- // RoleLegacy provides backwards compatibility
- RoleLegacy string = "legacy"
- // RoleViewer grants non-editor role on a resource
- RoleViewer string = "viewer"
- // RoleEditor grants editor permission on a resource, including folders
- RoleEditor string = "editor"
- // RoleFileEditor grants editor permission on a single file
- RoleFileEditor string = "file-editor"
- // RoleCoowner grants owner permissions on a resource
- RoleCoowner string = "coowner"
- // RoleUploader FIXME: uploader role with only write permission can use InitiateFileUpload, not anything else
- RoleUploader string = "uploader"
+ // RoleViewer grants non-editor role on a resource.
+ RoleViewer = "viewer"
+ // RoleEditor grants editor permission on a resource, including folders.
+ RoleEditor = "editor"
+ // RoleFileEditor grants editor permission on a single file.
+ RoleFileEditor = "file-editor"
+ // RoleCoowner grants co-owner permissions on a resource.
+ RoleCoowner = "coowner"
+ // RoleUploader grants uploader permission to upload onto a resource.
+ RoleUploader = "uploader"
 // RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
- RoleManager string = "manager"
+ RoleManager = "manager"
+
+ // RoleUnknown is used for unknown roles.
+ RoleUnknown = "unknown"
+ // RoleLegacy provides backwards compatibility.
+ RoleLegacy = "legacy"
 )
 
 // CS3ResourcePermissions for the role
@@ -93,7 +94,6 @@ func (r *Role) OCSPermissions() Permissions {
 // M = Mounted
 func (r *Role) WebDAVPermissions(isDir, isShared, isMountpoint, isPublic bool) string {
 var b strings.Builder
- // b.Grow(7)
 if !isPublic && isShared {
 fmt.Fprintf(&b, "S")
 }
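Review bot: The comment kept on RoleManager, `Semantically equivalent to co-owner`, leaves the file with two role names whose difference is undocumented, and it contradicts the changelog's description of a Manager as the role that can create grants on a space root. A reader choosing between RoleCoowner and RoleManager needs the distinction here, not in the changelog: `// RoleManager grants co-owner permissions on a storage space plus the ability to add, update and remove grants on its root; it differs from RoleCoowner in intent, not in the permission bits.` The FIXME on RoleUploader was also dropped while, as far as this series shows, the uploader's permission set did not change, so the limitation it recorded is now silent.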
@@ -138,7 +138,7 @@ func RoleFromName(name string) *Role {
 }
 }
 
-// NewUnknownRole creates an unknown role
+// NewUnknownRole creates an unknown role. An Unknown role has no permissions over a cs3 resource nor any ocs endpoint.
 func NewUnknownRole() *Role {
 return &Role{
 Name: RoleUnknown,
@@ -152,7 +152,6 @@ func NewViewerRole() *Role {
 return &Role{
 Name: RoleViewer,
 cS3ResourcePermissions: &provider.ResourcePermissions{
- // read
 GetPath: true,
 GetQuota: true,
 InitiateFileDownload: true,
@@ -171,7 +170,6 @@ func NewEditorRole() *Role {
 return &Role{
 Name: RoleEditor,
 cS3ResourcePermissions: &provider.ResourcePermissions{
- // read
 GetPath: true,
 GetQuota: true,
 InitiateFileDownload: true,
@@ -180,21 +178,13 @@ func NewEditorRole() *Role {
 ListFileVersions: true,
 ListRecycle: true,
 Stat: true,
-
- // write
- InitiateFileUpload: true,
- RestoreFileVersion: true,
- RestoreRecycleItem: true,
-
- // create
- CreateContainer: true,
-
- // delete
- Delete: true,
-
- // not sure where to put these, but they are part of an editor
- Move: true,
- PurgeRecycle: true,
+ InitiateFileUpload: true,
+ RestoreFileVersion: true,
+ RestoreRecycleItem: true,
+ CreateContainer: true,
+ Delete: true,
+ Move: true,
+ PurgeRecycle: true,
 },
 ocsPermissions: PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete,
 }
@@ -205,7 +195,6 @@ func NewFileEditorRole() *Role {
 return &Role{
 Name: RoleEditor,
 cS3ResourcePermissions: &provider.ResourcePermissions{
- // read
 GetPath: true,
 GetQuota: true,
 InitiateFileDownload: true,
@@ -214,11 +203,9 @@ func NewFileEditorRole() *Role {
 ListFileVersions: true,
 ListRecycle: true,
 Stat: true,
-
- // write
- InitiateFileUpload: true,
- RestoreFileVersion: true,
- RestoreRecycleItem: true,
+ InitiateFileUpload: true,
+ RestoreFileVersion: true,
+ RestoreRecycleItem: true,
 },
 ocsPermissions: PermissionRead | PermissionWrite,
 }
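Review bot: NewFileEditorRole still returns a Role whose `Name: RoleEditor` (context line in the @@ -205 hunk), so a role looked up with RoleFromName(RoleFileEditor) reports itself as "editor", and anything that re-derives permissions or audit output from Name will see the broader role. The cleanup reflows the function but leaves that mismatch; the fix is the one-line change `Name: RoleFileEditor,`, provided no consumer depends on the current value, which is worth checking before the cleanup lands. The enclosing function starts before the hunk.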
@@ -229,7 +216,6 @@ func NewCoownerRole() *Role {
 return &Role{
 Name: RoleCoowner,
 cS3ResourcePermissions: &provider.ResourcePermissions{
- // read
 GetPath: true,
 GetQuota: true,
 InitiateFileDownload: true,
@@ -238,26 +224,16 @@ func NewCoownerRole() *Role {
 ListFileVersions: true,
 ListRecycle: true,
 Stat: true,
-
- // write
- InitiateFileUpload: true,
- RestoreFileVersion: true,
- RestoreRecycleItem: true,
-
- // create
- CreateContainer: true,
-
- // delete
- Delete: true,
-
- // not sure where to put these, but they are part of an editor
- Move: true,
- PurgeRecycle: true,
-
- // grants
- AddGrant: true,
- UpdateGrant: true,
- RemoveGrant: true,
+ InitiateFileUpload: true,
+ RestoreFileVersion: true,
+ RestoreRecycleItem: true,
+ CreateContainer: true,
+ Delete: true,
+ Move: true,
+ PurgeRecycle: true,
+ AddGrant: true,
+ UpdateGrant: true,
+ RemoveGrant: true,
 },
 ocsPermissions: PermissionAll,
 }
@@ -268,15 +244,10 @@ func NewUploaderRole() *Role {
 return &Role{
 Name: RoleViewer,
 cS3ResourcePermissions: &provider.ResourcePermissions{
- // he will need to make stat requests
- // TODO and List requests
- Stat: true,
- ListContainer: true,
- // read
- GetPath: true,
- // mkdir
- CreateContainer: true,
- // upload
+ Stat: true,
+ ListContainer: true,
+ GetPath: true,
+ CreateContainer: true,
 InitiateFileUpload: true,
 },
 ocsPermissions: PermissionCreate,
@@ -288,7 +259,6 @@ func NewManagerRole() *Role {
 return &Role{
 Name: RoleManager,
 cS3ResourcePermissions: &provider.ResourcePermissions{
- // read
 GetPath: true,
 GetQuota: true,
 InitiateFileDownload: true,
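Review bot: NewUploaderRole returns `Name: RoleViewer` (context line in the @@ -268 hunk) while its permission set is stat/list/create/upload with no InitiateFileDownload, so the role's name and its capabilities disagree and any consumer that trusts Name will treat an uploader as a viewer; the cleanup leaves this as it was. The one-line fix is `Name: RoleUploader,`, once it is confirmed that nothing serialises or compares the current name. The function starts before the hunk.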
@@ -297,21 +267,15 @@ func NewManagerRole() *Role {
 ListFileVersions: true,
 ListRecycle: true,
 Stat: true,
-
- // write
- InitiateFileUpload: true,
- RestoreFileVersion: true,
- RestoreRecycleItem: true,
- Move: true,
-
- // create
- CreateContainer: true,
-
- // delete
- Delete: true,
- PurgeRecycle: true,
-
- // grants. These permissions only make sense to enforce them in the root of the storage space.
+ InitiateFileUpload: true,
+ RestoreFileVersion: true,
+ RestoreRecycleItem: true,
+ Move: true,
+ CreateContainer: true,
+ Delete: true,
+ PurgeRecycle: true,
+
+ // these permissions only make sense to enforce them in the root of the storage space.
 AddGrant: true, // managers can add users to the space
 RemoveGrant: true, // managers can remove users from the space
 UpdateGrant: true,
From 16204918b30df130b1a0018afebbcb07203d8935 Mon Sep 17 00:00:00 2001
From: "A.Unger"
Date: Tue, 14 Sep 2021 10:42:18 +0200
Subject: [PATCH 6/6] trigger-ci
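Review bot: The retained comment `// these permissions only make sense to enforce them in the root of the storage space` describes an intent the code does not implement: AddGrant, RemoveGrant and UpdateGrant are set unconditionally, the same bits the co-owner role carries in the @@ -238 hunk, so whether a Manager grant on a non-root resource is honoured depends entirely on the storage provider. Say who is responsible, e.g. `// not restricted by this role: the storage provider must only honour AddGrant/UpdateGrant/RemoveGrant on a storage-space root`, and note that with AddGrant a manager can create further Manager grants. The enclosing function starts before the hunk.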