diff --git a/changelog/unreleased/bump-reva.md b/changelog/unreleased/bump-reva.md index 0f991662c92..59227f696a7 100644 --- a/changelog/unreleased/bump-reva.md +++ b/changelog/unreleased/bump-reva.md @@ -2,3 +2,4 @@ Enhancement: Update Reva https://github.com/owncloud/ocis/pull/6305 +https://github.com/owncloud/ocis/pull/6322 diff --git a/go.mod b/go.mod index dafc53e8149..9ad566c5956 100644 --- a/go.mod +++ b/go.mod @@ -321,3 +321,5 @@ require ( ) replace github.com/cs3org/go-cs3apis => github.com/c0rby/go-cs3apis v0.0.0-20230110100311-5b424f1baa35 + +replace github.com/cs3org/reva/v2 => github.com/kobergj/reva/v2 v2.0.0-20230516132649-0a46537a9d28 diff --git a/go.sum b/go.sum index fa5b28fd1ba..47b4d5c5077 100644 --- a/go.sum +++ b/go.sum @@ -627,8 +627,6 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4= github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc= github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA= -github.com/cs3org/reva/v2 v2.13.3-0.20230515105000-30125f104ba1 h1:M3+4wZvZolLs90wCjkJYslakQ3JAp/zs16mOwxvieJQ= -github.com/cs3org/reva/v2 v2.13.3-0.20230515105000-30125f104ba1/go.mod h1:MoymB39kU/myG7LFkaCwqtoXQHct+/8uoZAvJEmNi+I= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= 
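Review bot: The new `replace` directive in go.mod redirects `github.com/cs3org/reva/v2` to a personal fork (`github.com/kobergj/reva/v2`, pinned by pseudo-version), and nothing next to it says why or when it will be removed. The vendor changes in this same commit show the fork carrying the rewritten space-deletion authorization check (`canDeleteSpace` in decomposedfs/spaces.go), so security-relevant code would be built from a repository outside the upstream review path. I would add a comment above the directive, for example `// TEMPORARY: remove once the canDeleteSpace change is merged in cs3org/reva (<upstream-PR-placeholder>)`. I would also hold the release until the replace is gone and the requirement points at an upstream commit again.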
@@ -1179,6 +1177,8 @@ github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa02 github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/klauspost/cpuid/v2 v2.1.0 h1:eyi1Ad2aNJMW95zcSbmGg7Cg6cq3ADwLpMAP96d8rF0= github.com/klauspost/cpuid/v2 v2.1.0/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY= +github.com/kobergj/reva/v2 v2.0.0-20230516132649-0a46537a9d28 h1:XJLjv57r+npHOYeIdn+pguuMRlEe+RUjxbg8+TyXBQ8= +github.com/kobergj/reva/v2 v2.0.0-20230516132649-0a46537a9d28/go.mod h1:MoymB39kU/myG7LFkaCwqtoXQHct+/8uoZAvJEmNi+I= github.com/kolo/xmlrpc v0.0.0-20200310150728-e0350524596b/go.mod h1:o03bZfuBwAXHetKXuInt4S7omeXUu62/A845kiycsSQ= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
diff --git a/services/settings/pkg/store/defaults/defaults.go b/services/settings/pkg/store/defaults/defaults.go
index 3e078f65d46..abd52407d41 100644
--- a/services/settings/pkg/store/defaults/defaults.go
+++ b/services/settings/pkg/store/defaults/defaults.go
@@ -420,6 +420,21 @@ func generateBundleSpaceAdminRole() *settingsmsg.Bundle {
 },
 },
 },
+ {
+ Id: DeleteAllSpacesPermissionID,
+ Name: DeleteAllSpacesPermissionName,
+ DisplayName: "Delete AllSpaces",
+ Description: "This permission allows to delete all spaces.",
+ Resource: &settingsmsg.Resource{
+ Type: settingsmsg.Resource_TYPE_SYSTEM,
+ },
+ Value: &settingsmsg.Setting_PermissionValue{
+ PermissionValue: &settingsmsg.Permission{
+ Operation: settingsmsg.Permission_OPERATION_DELETE,
+ Constraint: settingsmsg.Permission_CONSTRAINT_ALL,
+ },
+ },
+ },
 {
 Id: SetProjectSpaceQuotaPermissionID,
 Name: SetProjectSpaceQuotaPermissionName,
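Review bot: The `Description` of the new bundle entry, "This permission allows to delete all spaces.", promises more than the check vendored in this commit grants, assuming `DeleteAllSpacesPermissionName` is the permission behind `p.DeleteAllSpaces`. In `canDeleteSpace` that permission is consulted only when `purge` is true and never for spaces of type personal, and the caller additionally refuses to purge a space that is still enabled. An administrator assigning roles from this text would overestimate what the space admin role can do, so I would use `Description: "This permission allows to purge (permanently delete) any disabled project space.",`. `DisplayName: "Delete AllSpaces"` is missing a space and should read `"Delete All Spaces"`. The enclosing generateBundleSpaceAdminRole starts and ends outside the hunk.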
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/spaces.go b/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/spaces.go index 12f264aeb0b..77fda613610 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/spaces.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/spaces.go @@ -604,6 +604,7 @@ func (fs *Decomposedfs) UpdateStorageSpace(ctx context.Context, req *provider.Up }, nil } } + metadata[prefixes.TreeMTimeAttr] = []byte(time.Now().UTC().Format(time.RFC3339Nano)) err = spaceNode.SetXattrs(metadata, true) if err != nil { @@ -651,26 +652,9 @@ func (fs *Decomposedfs) DeleteStorageSpace(ctx context.Context, req *provider.De return errtypes.InternalError(fmt.Sprintf("space %s does not have a spacetype, possible corrupt decompsedfs", n.ID)) } - // - a User with the "delete-all-spaces" permission can delete any space - // - spaces of type personal can also be deleted by users with the "delete-all-home-spaces" permission - // - otherwise a space can be deleted by its manager (i.e. users have the "remove" grant) - switch { - case fs.p.DeleteAllSpaces(ctx): - // We are allowed to delete any space, no further permission checks needed - case st == "personal": - if !fs.p.DeleteAllHomeSpaces(ctx) { - return errtypes.PermissionDenied(fmt.Sprintf("user is not allowed to delete home space %s", n.ID)) - } - default: - // managers and users with 'space ability' permission are allowed to disable or purge a drive - if !fs.p.SpaceAbility(ctx, spaceID) { - rp, err := fs.p.AssemblePermissions(ctx, n) - if err != nil || !IsManager(rp) { - return errtypes.PermissionDenied(fmt.Sprintf("user is not allowed to delete spaces %s", n.ID)) - } - } + if err := canDeleteSpace(ctx, spaceID, st, purge, n, fs.p); err != nil { + return err } - if purge { if !n.IsDisabled() { return errtypes.NewErrtypeFromStatus(status.NewInvalid(ctx, "can't purge enabled space")) 
@@ -1055,3 +1039,35 @@ func isGrantExpired(g *provider.Grant) bool {
 func (fs *Decomposedfs) getSpaceRoot(spaceID string) string {
 return filepath.Join(fs.o.Root, "spaces", lookup.Pathify(spaceID, 1, 2))
 }
+
+// Space deletion can be tricky as there are lots of different cases:
+// - spaces of type personal can only be disabled and deleted by users with the "delete-all-home-spaces" permission
+// - a user with the "delete-all-spaces" permission may delete but not enable/disable any project space
+// - a user with the "Drive.ReadWriteEnabled" permission may enable/disable but not delete any project space
+// - a project space can always be enabled/disabled/deleted by its manager (i.e. users have the "remove" grant)
+func canDeleteSpace(ctx context.Context, spaceID string, typ string, purge bool, n *node.Node, p Permissions) error {
+ // delete-all-home spaces allows to disable and delete a personal space
+ if typ == "personal" {
+ if p.DeleteAllHomeSpaces(ctx) {
+ return nil
+ }
+ return errtypes.PermissionDenied("user is not allowed to delete a personal space")
+ }
+
+ // space managers are allowed to disable and delete their project spaces
+ if rp, err := p.AssemblePermissions(ctx, n); err == nil && IsManager(rp) {
+ return nil
+ }
+
+ // delete-all-spaces permissions allows to delete (purge, NOT disable) project spaces
+ if purge && p.DeleteAllSpaces(ctx) {
+ return nil
+ }
+
+ // Drive.ReadWriteEnabled allows to disable a space
+ if !purge && p.SpaceAbility(ctx, spaceID) {
+ return nil
+ }
+
+ return errtypes.PermissionDenied(fmt.Sprintf("user is not allowed to delete space %s", n.ID))
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 94dea06ad3e..86416f079ad 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -349,7 +349,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.13.3-0.20230515105000-30125f104ba1 +# github.com/cs3org/reva/v2 v2.13.3-0.20230515105000-30125f104ba1 => github.com/kobergj/reva/v2 v2.0.0-20230516132649-0a46537a9d28 ## explicit; go 1.19 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime @@ -2124,3 +2124,4 @@ stash.kopano.io/kgol/oidc-go ## explicit; go 1.13 stash.kopano.io/kgol/rndm # github.com/cs3org/go-cs3apis => github.com/c0rby/go-cs3apis v0.0.0-20230110100311-5b424f1baa35 +# github.com/cs3org/reva/v2 => github.com/kobergj/reva/v2 v2.0.0-20230516132649-0a46537a9d28