Trying to update a share permissions role of a shared resource to a disabled role is possible #10768

Closed
PrajwolAmatya opened this issue Dec 13, 2024 · 2 comments

Comments

@PrajwolAmatya
Contributor

Describe the bug

When updating a share permissions role of a shared resource to any disabled role, the result is success.

Steps to reproduce

  1. User Alice creates a folder folderToShare
  2. Alice shares folder folderToShare with any enabled share permissions role, for example, Viewer
  3. Alice updates the share permissions role to a role which is not enabled, for example, Secure Viewer

```
curl -kv -XPATCH 'https://localhost:9200/graph/v1beta1/drives/<drive-id>/items/<item-id>/permissions/<permissions-id>' \
-u alice:123456 \
-d '{
    "roles": [
        "aa97fe03-7980-45ac-9e50-b325749fd7e6"
    ]
}'
```

Actual behavior

The share update shows a successful result. The role is not assigned, as the roles property is not listed in the response; instead, the response contains the available permissions actions.

```json
{
    "@libre.graph.permissions.actions": [
        "libre.graph/driveItem/path/read",
        "libre.graph/driveItem/children/read",
        "libre.graph/driveItem/basic/read"
    ],
    "createdDateTime": "2024-12-13T12:11:31.544516667+05:45",
    "grantedToV2": {
        "user": {
            "@libre.graph.userType": "Member",
            "displayName": "Brian Murphy",
            "id": "1480417a-dbe1-4058-a511-99682915970c"
        }
    },
    "id": "d5727cf1-f2ea-4a4a-9725-0b97d9068c73:670bcf96-8fdb-4945-879b-3646dbb65f88:5fd78b77-4440-4cfa-be96-c5eff6d5816c",
    "invitation": {
        "invitedBy": {
            "user": {
                "@libre.graph.userType": "Member",
                "displayName": "Alice Hansen",
                "id": "670bcf96-8fdb-4945-879b-3646dbb65f88"
            }
        }
    }
}
```

Expected behavior

Not sure what should be the expected behavior. Is the current behavior valid or should the update fail?

@micbar
Contributor

micbar commented Dec 13, 2024

This is expected behavior.

Clarification

  1. Roles are just "permission sets".
  2. Users can theoretically directly use the "available actions" to set individual permissions on a share or space membership.
  3. The backend validates the request and enforces that only "lower or equal" permissions of the sharer are granted to the receiver.
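
The "lower or equal" validation described in the comment above, modeled as an added Go example; it is not part of the original thread and is not oCIS code. `Role`, `Grant`, `secureViewerID` and the error names are hypothetical, and pairing the role ID from the request with the three actions from the response is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a named permission set; Enabled models the server-side role allow-list.
type Role struct {
	Actions []string
	Enabled bool
}

var ErrUnknownRole = errors.New("unknown role id")
var ErrExceedsSharer = errors.New("requested action not held by sharer")

// The ID is the one sent in the issue's PATCH request (a role that is not enabled).
// Pairing it with the three actions from the issue's response is an assumption.
const secureViewerID = "aa97fe03-7980-45ac-9e50-b325749fd7e6"

var roles = map[string]Role{secureViewerID: {Enabled: false, Actions: []string{
	"libre.graph/driveItem/path/read",
	"libre.graph/driveItem/children/read",
	"libre.graph/driveItem/basic/read",
}}}

// Grant expands roleID into its actions and accepts the update only when every
// action is also held by the sharer ("lower or equal"). The bool is false for a
// disabled role: the grant succeeds, but only the actions would be reported.
func Grant(sharer []string, roleID string) ([]string, bool, error) {
	role, ok := roles[roleID]
	if !ok {
		return nil, false, ErrUnknownRole
	}
	held := make(map[string]bool, len(sharer))
	for _, a := range sharer {
		held[a] = true
	}
	for _, a := range role.Actions {
		if !held[a] {
			return nil, false, fmt.Errorf("%w: %s", ErrExceedsSharer, a)
		}
	}
	return role.Actions, role.Enabled, nil
}

func main() {
	fmt.Println(Grant(roles[secureViewerID].Actions, secureViewerID))
}
```

In this model the security boundary is the per-action subset check, so whether a role is enabled only affects how the resulting permission is reported.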

@PrajwolAmatya
Contributor Author

> This is expected behavior.

Closing this issue as the current behavior is the expected one.
