cs3org · C0rby · Mar 1, 2023 · Feb 28, 2023
@@ -0,0 +1,5 @@
+Enhancement: Enforce the PublicLink.Write permission
+
+Added checks for the "PublicLink.Write" permission when creating or updating public links.
+
+https://github.com/cs3org/reva/pull/3693
@@ -24,6 +24,7 @@ import (
 	"net/http"
 	"strconv"
 
+	permissionsv1beta1 "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1"
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
@@ -52,6 +53,30 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request,
 		}
 	}
 
+	user := ctxpkg.ContextMustGetUser(ctx)
+	resp, err := c.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{
+		SubjectRef: &permissionsv1beta1.SubjectReference{
+			Spec: &permissionsv1beta1.SubjectReference_UserId{
+				UserId: user.Id,
+			},
+		},
+		Permission: "PublicLink.Write",
+	})
+	if err != nil {
+		return nil, &ocsError{
+			Code:    response.MetaServerError.StatusCode,
+			Message: "failed to check user permission",
+			Error:   err,
+		}
+	}
+
+	if resp.Status.Code != rpc.Code_CODE_OK {
+		return nil, &ocsError{
+			Code:    response.MetaForbidden.StatusCode,
+			Message: "user is not allowed to create a public link",
+		}
+	}
+
 	err = r.ParseForm()
 	if err != nil {
 		return nil, &ocsError{
@@ -270,6 +295,27 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 		return
 	}
 
+	ctx := r.Context()
+
+	user := ctxpkg.ContextMustGetUser(ctx)
+	resp, err := gwC.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{
+		SubjectRef: &permissionsv1beta1.SubjectReference{
+			Spec: &permissionsv1beta1.SubjectReference_UserId{
+				UserId: user.Id,
+			},
+		},
+		Permission: "PublicLink.Write",
+	})
+	if err != nil {
+		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "failed to check user permission", err)
+		return
+	}
+
+	if resp.Status.Code != rpc.Code_CODE_OK {
+		response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "user is not allowed to create a public link", nil)
+		return
+	}
+
 	before, err := gwC.GetPublicShare(r.Context(), &link.GetPublicShareRequest{
 		Ref: &link.PublicShareReference{
 			Spec: &link.PublicShareReference_Id{

@@ -42,6 +42,8 @@ func (m manager) CheckPermission(perm string, subject string, ref *provider.Refe
 		// TODO Users can only create their own personal space
 		// TODO guest accounts cannot create spaces
 		return true
+	case permission.WritePublicLink:
+		return true
 	case permission.ListAllSpaces:
 		// TODO introduce an admin role to allow listing all spaces
 		return false

@@ -27,6 +27,8 @@ const (
 	ListAllSpaces string = "list-all-spaces"
 	// CreateSpace is the hardcoded name for the create space permission
 	CreateSpace string = "create-space"
+	// WritePublicLink is the hardcoded name for the PublicLink.Write permission
+	WritePublicLink string = "PublicLink.Write"
 )
 
 // Manager defines the interface for the permission service driver