Merge pull request #3096 from rhafer/ocs-cs3

Fixes for /ocs/cloud/users when using the CS3 user backend
owncloud · Feb 3, 2022 · c4f1c1e · c4f1c1e
2 parents 6cc5bfd + ada93a9
commit c4f1c1e
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 2 deletions.
diff --git a/ocis-pkg/roles/manager.go b/ocis-pkg/roles/manager.go
@@ -67,3 +67,21 @@ func (m *Manager) FindPermissionByID(ctx context.Context, roleIDs []string, perm
 	}
 	return nil
 }
+
+// FindRoleIdsForUser returns all roles that are assigned to the supplied userid
+func (m *Manager) FindRoleIDsForUser(ctx context.Context, userID string) ([]string, error) {
+	req := &settingssvc.ListRoleAssignmentsRequest{AccountUuid: userID}
+	assignmentResponse, err := m.roleService.ListRoleAssignments(ctx, req)
+
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]string, 0, len(assignmentResponse.Assignments))
+
+	for _, assignment := range assignmentResponse.Assignments {
+		roleIDs = append(roleIDs, assignment.RoleId)
+	}
+
+	return roleIDs, nil
+}
diff --git a/ocs/pkg/middleware/requireselforadmin.go b/ocs/pkg/middleware/requireselforadmin.go
@@ -11,6 +11,7 @@ import (
 	"github.com/owncloud/ocis/ocis-pkg/roles"
 	"github.com/owncloud/ocis/ocs/pkg/service/v0/data"
 	"github.com/owncloud/ocis/ocs/pkg/service/v0/response"
+	settingsService "github.com/owncloud/ocis/settings/pkg/service/v0"
 )
 
 // RequireSelfOrAdmin middleware is used to require the requesting user to be an admin or the requested user himself
@@ -38,8 +39,20 @@ func RequireSelfOrAdmin(opts ...Option) func(next http.Handler) http.Handler {
 			// get roles from context
 			roleIDs, ok := roles.ReadRoleIDsFromContext(r.Context())
 			if !ok {
-				mustRender(w, r, response.ErrRender(data.MetaUnauthorized.StatusCode, "Unauthorized"))
-				return
+				opt.Logger.Debug().Str("userid", u.Id.OpaqueId).Msg("No roles in context, contacting settings service")
+				var err error
+				roleIDs, err = opt.RoleManager.FindRoleIDsForUser(r.Context(), u.Id.OpaqueId)
+				if err != nil {
+					opt.Logger.Err(err).Str("userid", u.Id.OpaqueId).Msg("failed to get roles for user")
+					mustRender(w, r, response.ErrRender(data.MetaUnauthorized.StatusCode, "Unauthorized"))
+					return
+				}
+				if len(roleIDs) == 0 {
+					roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser, settingsService.SelfManagementPermissionID)
+					// if roles are empty, assume we haven't seen the user before and assign a default user role. At least until
+					// proper roles are provided. See https://github.com/owncloud/ocis/issues/1825 for more context.
+					//return user, nil
+				}
 			}
 
 			// check if account management permission is present in roles of the authenticated account

diff --git a/ocs/pkg/service/v0/groups.go b/ocs/pkg/service/v0/groups.go
@@ -30,6 +30,11 @@ func (o Ocs) ListUserGroups(w http.ResponseWriter, r *http.Request) {
 	}
 	var account *accountsmsg.Account
 
+	if o.config.AccountBackend == "cs3" {
+		o.mustRender(w, r, response.DataRender(&data.Groups{}))
+		return
+	}
+
 	// short circuit if there is a user already in the context
 	if u, ok := revactx.ContextGetUser(r.Context()); ok {
 		// we are not sure whether the current user in the context is the admin or the authenticated user.