Activities. Sharee can get the shared file activities using the file-id #9849

Closed
Tracked by #9683
prashant-gurung899 opened this issue Aug 19, 2024 · 8 comments · Fixed by #10136

@prashant-gurung899
Contributor

prashant-gurung899 commented Aug 19, 2024

Steps to reproduce

  1. share a folder to demo user

  2. as demo, create some files in the received share

  3. as demo, check the shared file activities using share mountpoint id (same as webUI)

    curl 'https://localhost:9200/graph/v1beta1/extensions/org.libregraph/activities?kql=itemid%3A{folder-share-mountpoint}' \
    -udemo:demo -vk | jq

    {"value": []}

  4. as demo, check the shared file activities using shared file id ❓

    curl 'https://localhost:9200/graph/v1beta1/extensions/org.libregraph/activities?kql=itemid%3A{folder-fileid}' \
    -udemo:demo -vk | jq
    
    {"value": [
      {
       ... # activities
      }
    ]}

@saw-jan saw-jan changed the title from "Activities. Sharee checking activities of a shared resource" to "Activities. Sharee can get the shared file activities using the file-id" Aug 19, 2024
@prashant-gurung899
Contributor Author

prashant-gurung899 commented Sep 18, 2024

@ScharfViktor

This case: #9860 (comment) has been fixed by PR: #10092, but
the following scenario, where the sharee tries to get the activities of a shared folder with its folder-id, is not fixed.
Steps:

  • admin shares folder f1 to einstein
  • einstein gets the folderId of folder f1 in the Shares -> copy folderId from Propfind response body
  • put folderId to

    curl 'https://localhost:9200/graph/v1beta1/extensions/org.libregraph/activities?kql=itemid%3A{folderId}' \
    -ueinstein:relativity -vk | jq

expected: 403 error

Actual: einstein can see all actions of folder f1

Same applies with files inside the folder f1. Einstein can get the activities of files with their fileId.

@ScharfViktor
Contributor

ScharfViktor commented Sep 18, 2024

Actual: einstein can see all actions of folder f1

The user can see not only the activity of the shared folder f1; he can see all activity of the admin personal space if he uses kql=itemid%3A{spaceUUID} - couldn't reproduce it. CC @kobergj

2 question: @tbsbdr should einstein see the activity of the shared folder?
Or should the recipient not see the activity of the shared resources anyway?

@ScharfViktor ScharfViktor moved this from Qualification to Prio 1 in Infinite Scale Team Board Sep 18, 2024
@ScharfViktor ScharfViktor added the Priority:p1-urgent (Consider a hotfix release with only that fix) label Sep 18, 2024
@ScharfViktor
Contributor

related #9860

@ScharfViktor ScharfViktor moved this from Prio 1 to Qualification in Infinite Scale Team Board Sep 19, 2024
@ScharfViktor ScharfViktor removed the Priority:p1-urgent (Consider a hotfix release with only that fix) label Sep 19, 2024
@tbsbdr

tbsbdr commented Sep 19, 2024

@ScharfViktor let's do it this way: recipients should not see activity of the shared resources. Let's keep it simple and GDPR compliant.

@kobergj
Collaborator

kobergj commented Sep 19, 2024

Currently view access is enough to query activities. (That was agreed on for initial implementation). We will need to check for another permission instead.

@micbar should we use ListGrants? This should probably be enough as you cannot share with Share permission any more.

@micbar
Contributor

micbar commented Sep 23, 2024

@kobergj @tbsbdr

I like the idea to use ListGrants. Then we would see activities only in "Transparent" Shares.

@tbsbdr

tbsbdr commented Sep 23, 2024

I'm not a fan of having too many variations of the product behaviour, but I do not veto your proposal @micbar. I just want to document my concerns: I expect "transparent shares" to be a project specific feature, so same would then apply to the visibility of activities.

@ScharfViktor ScharfViktor moved this from Qualification to Prio 2 in Infinite Scale Team Board Sep 23, 2024
@micbar
Contributor

micbar commented Sep 23, 2024

@kobergj Please add that to the dev docs on the unified Roles Page.
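
The permission change discussed in this thread, as an added sketch that is not ocis code and not written by any participant: the same `itemid:` query is authorized once on view access alone and once with ListGrants also required, so the sharee's request turns into the expected 403. The `Permissions` type, the `grants` and `activities` maps, the `Activities` and `itemIDFromKQL` functions and the id `f1-id` are all hypothetical; `Stat` stands in for "view access".

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Permissions is a hypothetical two-flag model, not the project's own type.
type Permissions struct{ Stat, ListGrants bool }

var ErrForbidden, ErrBadQuery = errors.New("403 forbidden"), errors.New("400 bad query")

// Constructed sample data: itemID -> user -> permissions, and itemID -> activity log.
var grants = map[string]map[string]Permissions{
	"f1-id": {"admin": {Stat: true, ListGrants: true}, "einstein": {Stat: true}},
}
var activities = map[string][]string{"f1-id": {"admin shared f1", "einstein added a.txt"}}

// itemIDFromKQL extracts the id from a URL-encoded "itemid:<id>" filter.
func itemIDFromKQL(raw string) (string, error) {
	q, err := url.QueryUnescape(raw)
	id := strings.TrimPrefix(q, "itemid:")
	if err != nil || id == q || id == "" { // decode error, prefix missing, or empty id
		return "", ErrBadQuery
	}
	return id, nil
}

// Activities authorizes against the grants on the queried item itself.
// strict=false models the view-access check; strict=true also needs ListGrants.
func Activities(user, kql string, strict bool) ([]string, error) {
	id, err := itemIDFromKQL(kql)
	if err != nil {
		return nil, err
	}
	p := grants[id][user] // zero value (no rights) for an unknown item or user
	if !p.Stat || (strict && !p.ListGrants) {
		return nil, ErrForbidden
	}
	return activities[id], nil
}

func main() {
	_, err := Activities("einstein", "itemid%3Af1-id", true)
	fmt.Println("einstein, ListGrants required:", err)
}
```

Because the check is keyed on the item id taken from the query, it gives the same answer whether the caller supplies a share mountpoint id or the underlying file id.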
