Project Space has owner

[SwikritiT]

1. As user admin make user Einstein a space admin
2. As user Einstein create a project space New Space
3. Now as user Einstein lists the drives using the graph API

curl -u einstein:relativity -k -X GET https://host.docker.internal:9200/graph/v1.0/me/drives -v | jq

{
  "value": [
    {
      "driveAlias": "personal/einstein",
      "driveType": "personal",
      "id": "1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51",
      "lastModifiedDateTime": "2022-08-19T06:29:21.502281385Z",
      "name": "Albert Einstein",
      "owner": {
        "user": {
          "id": "4c510ada-c86b-4815-8820-42cdf82c3d51"
        }
      },
      "quota": {
        "remaining": 73360531456,
        "state": "normal",
        "total": 0,
        "used": 0
      },
      "root": {
        "eTag": "\"5d1f40840f2c33c7b674310bb93e52a7\"",
        "id": "1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51",
        "webDavUrl": "https://host.docker.internal:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51"
      }
    },
    {
      "driveAlias": "project/new-space",
      "driveType": "project",
      "id": "1284d238-aa92-42ce-bdc4-0b0000009157$e51b1c29-81e2-4431-9b75-39e2e85e5422",
      "lastModifiedDateTime": "2022-08-19T06:31:48.866847353Z",
      "name": "New space",
      "owner": {
        "user": {
          "id": "e51b1c29-81e2-4431-9b75-39e2e85e5422"
        }
      },
      "quota": {
        "remaining": 999999837,
        "state": "normal",
        "total": 1000000000,
        "used": 163
      },
      "root": {
        "eTag": "\"d54fbfe013c5805f5154c0ada4667df3\"",
        "id": "1284d238-aa92-42ce-bdc4-0b0000009157$e51b1c29-81e2-4431-9b75-39e2e85e5422",
        "permissions": [
          {
            "grantedTo": [
              {
                "user": {
                  "id": "4c510ada-c86b-4815-8820-42cdf82c3d51"
                }
              }
            ],
            "roles": [
              "manager"
            ]
          }
        ],
        "webDavUrl": "https://host.docker.internal:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$e51b1c29-81e2-4431-9b75-39e2e85e5422"
      },
      "special": [
        {
          "eTag": "\"2840cf0cebfc1527b75037a840933bde\"",
          "file": {
            "mimeType": "text/markdown"
          },
          "id": "1284d238-aa92-42ce-bdc4-0b0000009157$e51b1c29-81e2-4431-9b75-39e2e85e5422!c27ef0cc-c68b-43bd-8630-70fa19a457fe",
          "lastModifiedDateTime": "2022-08-19T06:31:48.86231683Z",
          "name": "readme.md",
          "size": 163,
          "specialFolder": {
            "name": "readme"
          },
          "webDavUrl": "https://host.docker.internal:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$e51b1c29-81e2-4431-9b75-39e2e85e5422%21e51b1c29-81e2-4431-9b75-39e2e85e5422/.space/readme.md"
        }
      ]
    }
  ]
}

As per #4419 (comment) and #4419 (comment) the project spaces owner should not be exposed but in the current implementation, we can see the owner of a project space.

[SwikritiT]

cc @phil-davis @individual-it @micbar

[phil-davis]

"something happened" (tm) a little while ago about this, from memory. One of the problems was that a project space can have multiple users that have "all rights" to manage the space. And if the "owner" is set to the user who created the space, then there is the problem of what to do if that user is deleted, disabled, or has their rights to the space removed.

IMO @micbar is offline at the moment. Maybe @kulmann you can point to the discussion and design/implementation that happened?

[individual-it]

@butonic can you clarify?

[butonic]

@micbar added a technical owner to spaces which is impersonated when using public links to access a space. Public links are no longer tied to the user that creates them, but the space. For that to work introduced a technical user for every space, because we wanted to prevent a public link from ever accessing a different space.

cc @C0rby please don't hate us: cs3org/reva#3091 (comment)

[micbar]

Now that you pinged me, I can also contribute 😄

What @butonic says is correct. But this should not be exposed. Neither cs3 api nor graph api should have an owner on project spaces. So this needs to be fixed.

[micbar]

@SwikritiT @individual-it @butonic @phil-davis please always refer to #4316

[SwikritiT]

Now that you pinged me, I can also contribute smile

What @butonic says is correct. But this should not be exposed. Neither cs3 api nor graph api should have an owner on project spaces. So this needs to be fixed.

for this is there a separate ticket or should I create one?

[SwikritiT]

@micbar I've updated the title and description.