From 82c9cb1044a281df767ef36b97ca0a1bf25a7562 Mon Sep 17 00:00:00 2001 From: David Christofas Date: Tue, 28 Feb 2023 16:55:11 +0100 Subject: [PATCH] enforce the publiclink.create permission --- .../unreleased/public-link-permission.md | 5 ++ .../handlers/apps/sharing/shares/public.go | 46 +++++++++++++++++++ pkg/permission/manager/demo/demo.go | 2 + pkg/permission/permission.go | 2 + 4 files changed, 55 insertions(+) create mode 100644 changelog/unreleased/public-link-permission.md diff --git a/changelog/unreleased/public-link-permission.md b/changelog/unreleased/public-link-permission.md new file mode 100644 index 0000000000..98b27c757f --- /dev/null +++ b/changelog/unreleased/public-link-permission.md @@ -0,0 +1,5 @@ +Enhancement: Enforce the PublicLink.Write permission + +Added checks for the "PublicLink.Write" permission when creating or updating public links. + +https://github.com/cs3org/reva/pull/3693 diff --git a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go index 58a373ceb6..0556794ede 100644 --- a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go +++ b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go @@ -24,6 +24,7 @@ import ( "net/http" "strconv" + permissionsv1beta1 "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1" rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" 
@@ -52,6 +53,30 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request, } } + user := ctxpkg.ContextMustGetUser(ctx) + resp, err := c.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{ + SubjectRef: &permissionsv1beta1.SubjectReference{ + Spec: &permissionsv1beta1.SubjectReference_UserId{ + UserId: user.Id, + }, + }, + Permission: "PublicLink.Write", + }) + if err != nil { + return nil, &ocsError{ + Code: response.MetaServerError.StatusCode, + Message: "failed to check user permission", + Error: err, + } + } + + if resp.Status.Code != rpc.Code_CODE_OK { + return nil, &ocsError{ + Code: response.MetaForbidden.StatusCode, + Message: "user is not allowed to create a public link", + } + } + err = r.ParseForm() if err != nil { return nil, &ocsError{ @@ -270,6 +295,27 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar return } + ctx := r.Context() + + user := ctxpkg.ContextMustGetUser(ctx) + resp, err := gwC.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{ + SubjectRef: &permissionsv1beta1.SubjectReference{ + Spec: &permissionsv1beta1.SubjectReference_UserId{ + UserId: user.Id, + }, + }, + Permission: "PublicLink.Write", + }) + if err != nil { + response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "failed to check user permission", err) + return + } + + if resp.Status.Code != rpc.Code_CODE_OK { + response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "user is not allowed to create a public link", nil) + return + } + before, err := gwC.GetPublicShare(r.Context(), &link.GetPublicShareRequest{ Ref: &link.PublicShareReference{ Spec: &link.PublicShareReference_Id{ diff --git a/pkg/permission/manager/demo/demo.go b/pkg/permission/manager/demo/demo.go index 42da025314..fd55783dd5 100644 --- a/pkg/permission/manager/demo/demo.go +++ b/pkg/permission/manager/demo/demo.go 
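Review bot: In createPublicLinkShare every non-OK status from CheckPermission is answered with MetaForbidden, so an outage or internal error in the permissions service is reported to clients and in logs as a policy denial. The check still fails closed, but only a permission-denied code should map to 403 and everything else to MetaServerError. `resp.Status.Code` also dereferences Status directly, where the generated getters `resp.GetStatus().GetCode()` are nil-safe. The same block is repeated in the updatePublicShare hunk, and both pass the literal `"PublicLink.Write"` although this commit adds `permission.WritePublicLink`; a shared helper using the constant would keep the two checks from drifting (public.go would need to import pkg/permission, which is not visible here). The function body continues outside the hunk.

```go
// … unchanged: ContextMustGetUser, CheckPermission call and err handling …

switch resp.GetStatus().GetCode() {
case rpc.Code_CODE_OK:
	// permitted, fall through to the rest of the handler
case rpc.Code_CODE_PERMISSION_DENIED:
	return nil, &ocsError{
		Code:    response.MetaForbidden.StatusCode,
		Message: "user is not allowed to create a public link",
	}
default:
	// still fail closed, but do not present a backend fault as a policy decision
	return nil, &ocsError{
		Code:    response.MetaServerError.StatusCode,
		Message: "failed to check user permission",
	}
}
```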
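Review bot: The 403 message in updatePublicShare still reads "user is not allowed to create a public link", copied from the create path, so a rejected update cannot be told apart from a rejected create in client errors or logs. Change it to `"user is not allowed to update a public link"`. The new `ctx := r.Context()` is also not used by the GetPublicShare call that follows, which keeps calling `r.Context()`; passing `ctx` there would keep one context throughout. The function starts and ends outside the hunk.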
@@ -42,6 +42,8 @@ func (m manager) CheckPermission(perm string, subject string, ref *provider.Refe // TODO Users can only create their own personal space // TODO guest accounts cannot create spaces return true + case permission.WritePublicLink: + return true case permission.ListAllSpaces: // TODO introduce an admin role to allow listing all spaces return false diff --git a/pkg/permission/permission.go b/pkg/permission/permission.go index 6aaa808845..c34589b24a 100644 --- a/pkg/permission/permission.go +++ b/pkg/permission/permission.go @@ -27,6 +27,8 @@ const ( ListAllSpaces string = "list-all-spaces" // CreateSpace is the hardcoded name for the create space permission CreateSpace string = "create-space" + // WritePublicLink is the hardcoded name for the PublicLink.Write permission + WritePublicLink string = "PublicLink.Write" ) // Manager defines the interface for the permission service driver
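Review bot: The new `case permission.WritePublicLink` returns true with no comment, while the neighbouring cases carry TODOs recording which restrictions the demo driver skips. This permission now gates public-link creation and update in the OCS handlers, and as far as the hunk shows the case grants it regardless of subject. A comment such as `// demo driver grants PublicLink.Write to every subject; no role or guest restriction is applied` would make clear that this manager enforces nothing for the new check. The switch starts and ends outside the hunk, so any subject filtering done before it is not visible here.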