diff --git a/changelog/unreleased/deleteSpacePermissions.md b/changelog/unreleased/deleteSpacePermissions.md
new file mode 100644
index 0000000000..877196f6a1
--- /dev/null
+++ b/changelog/unreleased/deleteSpacePermissions.md
@@ -0,0 +1,6 @@
+Bugfix: Check permissions when deleting spaces
+
+Do not allow viewers and editors to delete a space (you need to be manager)
+Block deleting a space via dav service (should use graph to avoid accidental deletes)
+
+https://github.com/cs3org/reva/pull/2827
diff --git a/internal/http/services/owncloud/ocdav/delete.go b/internal/http/services/owncloud/ocdav/delete.go
index b156d5fba5..eb26f7f181 100644
--- a/internal/http/services/owncloud/ocdav/delete.go
+++ b/internal/http/services/owncloud/ocdav/delete.go
@@ -154,5 +154,14 @@ func (s *svc) handleSpacesDelete(w http.ResponseWriter, r *http.Request, spaceID
 return
 }
 
+ // do not allow deleting spaces via dav endpoint - use graph endpoint instead
+ // we get a relative reference coming from the space root
+ // so if the path is "empty" we a referencing the space
+ if ref.GetPath() == "." {
+ sublog.Info().Msg("deleting spaces via dav is not allowed")
+ w.WriteHeader(http.StatusBadRequest)
+ return
+ }
+
 s.handleDelete(ctx, w, r, ref, sublog)
 }
diff --git a/pkg/storage/utils/decomposedfs/spaces.go b/pkg/storage/utils/decomposedfs/spaces.go
index d50f47cd2f..c96c80ca73 100644
--- a/pkg/storage/utils/decomposedfs/spaces.go
+++ b/pkg/storage/utils/decomposedfs/spaces.go
@@ -510,6 +510,11 @@ func (fs *Decomposedfs) DeleteStorageSpace(ctx context.Context, req *provider.De
 return err
 }
 
+ // only managers are allowed to disable or purge a drive
+ if err := fs.checkManagerPermission(ctx, n); err != nil {
+ return errtypes.PermissionDenied(fmt.Sprintf("user is not allowed to delete spaces %s", n.ID))
+ }
+
 if purge {
 if !n.IsDisabled() {
 return errtypes.NewErrtypeFromStatus(status.NewInvalidArg(ctx, "can't purge enabled space"))
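Review bot: The new guard in handleSpacesDelete compares the reference path with the exact string `"."`, so it blocks a space-root DELETE only if every request for the root arrives here in that one spelling. The code that builds `ref` is above the hunk, so whether an empty path, `./` or a trailing-slash form is already normalised cannot be confirmed from here; if it is not, compare the cleaned value, e.g. `if p := path.Clean(ref.GetPath()); p == "." || p == "/" {` (this needs the `path` import if the file lacks it). The comment should state what is actually tested, for example `// a relative path of "." means the request targets the space root itself`. A test that sends DELETE to the space root and expects the rejection would pin the behaviour.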
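Review bot: The error returned by `fs.checkManagerPermission` is discarded and every failure is reported as PermissionDenied, so a lookup or storage error inside that helper (its body is outside this hunk) would be indistinguishable from a real denial in the response and in logs. Failing closed is right for a delete; keep that but record the cause, for example by logging `err` at debug level before the return, or by passing non-permission errors through unchanged if the helper can produce them. The check also runs after the node lookup above the hunk, so a caller without manager rights may be able to tell an existing space from a missing one by the error type; confirm that this is acceptable. The message reads better as `"user is not allowed to delete space %s"`.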