feat: hide version panel with insufficient permissions

Users that have insufficient permissions to view file versions don't see the version sidebar panel anymore. This currently affects regular share receivers, space viewers and space editors without the `versions/read` permission.
owncloud · Aug 30, 2024 · 19a3469 · 19a3469
1 parent 536d821
commit 19a3469
Show file tree

Hide file tree

Showing 11 changed files with 138 additions and 44 deletions.
diff --git a/changelog/unreleased/enhancement-hide-versions-panel b/changelog/unreleased/enhancement-hide-versions-panel
@@ -0,0 +1,6 @@
+Enhancement: Hide versions panel with insufficient permissions
+
+Users that have insufficient permissions to view file versions don't see the versions sidebar panel anymore. This currently affects regular share receivers, space viewers and space editors without the permission to view versions.
+
+https://github.com/owncloud/web/pull/11484
+https://github.com/owncloud/web/issues/11359
diff --git a/packages/web-app-files/src/composables/extensions/useFileSideBars.ts b/packages/web-app-files/src/composables/extensions/useFileSideBars.ts
@@ -20,15 +20,13 @@ import {
   SidebarPanelExtension,
   useIsFilesAppActive,
   useGetMatchingSpace,
-  useUserStore,
-  useCapabilityStore
+  useCapabilityStore,
+  useCanListVersions
 } from '@ownclouders/web-pkg'
 import {
-  isPersonalSpaceResource,
   isProjectSpaceResource,
   isShareResource,
   isShareSpaceResource,
-  isSpaceResource,
   SpaceResource
 } from '@ownclouders/web-client'
 import { Resource } from '@ownclouders/web-client'
@@ -44,7 +42,7 @@ export const useSideBarPanels = (): SidebarPanelExtension<SpaceResource, Resourc
   const { $gettext } = useGettext()
   const isFilesAppActive = useIsFilesAppActive()
   const { isPersonalSpaceRoot } = useGetMatchingSpace()
-  const userStore = useUserStore()
+  const { canListVersions } = useCanListVersions()
 
   return [
     {
@@ -268,23 +266,7 @@ export const useSideBarPanels = (): SidebarPanelExtension<SpaceResource, Resourc
           if (items?.length !== 1) {
             return false
           }
-          if (isProjectSpaceResource(items[0])) {
-            // project space roots don't support versions
-            return false
-          }
-
-          const userIsSpaceMember =
-            (isProjectSpaceResource(root) && root.isMember(userStore.user)) ||
-            (isPersonalSpaceResource(root) && root.isOwner(userStore.user))
-
-          if (
-            isLocationTrashActive(router, 'files-trash-generic') ||
-            !userIsSpaceMember ||
-            isSpaceResource(items[0])
-          ) {
-            return false
-          }
-          return items[0].type !== 'folder'
+          return canListVersions({ space: root, resource: items[0] })
         }
       }
     },

diff --git a/packages/web-client/src/helpers/share/types.ts b/packages/web-client/src/helpers/share/types.ts
@@ -11,9 +11,11 @@ export enum GraphSharePermission {
   readContent = 'libre.graph/driveItem/content/read',
   readChildren = 'libre.graph/driveItem/children/read',
   readDeleted = 'libre.graph/driveItem/deleted/read',
+  readVersions = 'libre.graph/driveItem/versions/read',
   updatePath = 'libre.graph/driveItem/path/update',
   updateDeleted = 'libre.graph/driveItem/deleted/update',
   updatePermissions = 'libre.graph/driveItem/permissions/update',
+  updateVersions = 'libre.graph/driveItem/versions/update',
   deleteStandard = 'libre.graph/driveItem/standard/delete',
   deleteDeleted = 'libre.graph/driveItem/deleted/delete',
   deletePermissions = 'libre.graph/driveItem/permissions/delete'

diff --git a/packages/web-client/src/helpers/space/functions.ts b/packages/web-client/src/helpers/space/functions.ts
@@ -8,6 +8,7 @@ import {
 } from '../resource'
 import {
   isPersonalSpaceResource,
+  isPublicSpaceResource,
   PublicSpaceResource,
   ShareSpaceResource,
   SpaceMember,
@@ -296,6 +297,12 @@ export function buildSpace(
         GraphSharePermission.deletePermissions
       )
     },
+    canListVersions: function ({ user }: { user?: User } = {}) {
+      if (isPersonalSpaceResource(this) && this.isOwner(user)) {
+        return true
+      }
+      return getPermissionsForSpaceMember(this, user).includes(GraphSharePermission.readVersions)
+    },
     canCreate: function () {
       return true
     },
@@ -325,6 +332,9 @@ export function buildSpace(
       return urlJoin(webDavTrashUrl, path)
     },
     isMember(user: User): boolean {
+      if (isPublicSpaceResource(this)) {
+        return false
+      }
       if (this.isOwner(user) || !!this.members[user.id]) {
         return true
       }

diff --git a/packages/web-client/src/helpers/space/types.ts b/packages/web-client/src/helpers/space/types.ts
@@ -42,6 +42,7 @@ export interface SpaceResource extends Resource {
   canRestore(args?: { user?: User; ability?: Ability }): boolean
   canDeleteFromTrashBin(args?: { user?: User }): boolean
   canRestoreFromTrashbin(args?: { user?: User }): boolean
+  canListVersions(args?: { user?: User }): boolean
 
   getWebDavUrl({ path }: { path: string }): string
   getWebDavTrashUrl({ path }: { path: string }): string

diff --git a/packages/web-pkg/src/components/SideBar/FileSideBar.vue b/packages/web-pkg/src/components/SideBar/FileSideBar.vue
@@ -52,16 +52,15 @@ import {
   useResourcesStore,
   useUserStore,
   useConfigStore,
-  useAppsStore
+  useAppsStore,
+  useCanListVersions
 } from '../../composables'
 import {
   isProjectSpaceResource,
   SpaceResource,
   Resource,
   ShareRole,
   call,
-  isSpaceResource,
-  isPersonalSpaceResource,
   isCollaboratorShare,
   isLinkShare
 } from '@ownclouders/web-client'
@@ -98,6 +97,7 @@ export default defineComponent({
     const userStore = useUserStore()
     const configStore = useConfigStore()
     const appsStore = useAppsStore()
+    const { canListVersions } = useCanListVersions()
 
     const resourcesStore = useResourcesStore()
     const { currentFolder } = storeToRefs(resourcesStore)
@@ -175,12 +175,6 @@ export default defineComponent({
       return unref(isShareLocation) || unref(isSearchLocation) || unref(isFavoritesLocation)
     })
 
-    const userIsSpaceMember = computed(
-      () =>
-        (isProjectSpaceResource(props.space) && props.space.isMember(userStore.user)) ||
-        (isPersonalSpaceResource(props.space) && props.space.isOwner(userStore.user))
-    )
-
     const availablePanels = computed(() =>
       extensionRegistry
         .requestExtensions<SidebarPanelExtension<SpaceResource, Resource, Resource>>({
@@ -303,17 +297,14 @@ export default defineComponent({
           loadVersionsTask.cancelAll()
         }
 
-        if (
-          !resource.isFolder &&
-          !isSpaceResource(resource) &&
-          unref(userIsSpaceMember) &&
-          !unref(isTrashLocation)
-        ) {
-          try {
-            await loadVersionsTask.perform(resource)
-          } catch (e) {
-            console.error(e)
-          }
+        if (!canListVersions({ space: props.space, resource })) {
+          return
+        }
+
+        try {
+          await loadVersionsTask.perform(resource)
+        } catch (e) {
+          console.error(e)
         }
       },
       { immediate: true, deep: true }
@@ -339,7 +330,7 @@ export default defineComponent({
         }
 
         isMetaDataLoading.value = true
-        if (unref(userIsSpaceMember) && !unref(isTrashLocation)) {
+        if (props.space?.isMember(userStore.user) && !unref(isTrashLocation)) {
           try {
             if (loadSharesTask.isRunning) {
               loadSharesTask.cancelAll()

diff --git a/packages/web-pkg/src/composables/resources/index.ts b/packages/web-pkg/src/composables/resources/index.ts
@@ -1,3 +1,4 @@
 export * from './useCanBeOpenedWithSecureView'
+export * from './useCanListVersions'
 export * from './useGetResourceContext'
 export * from './useResourceContents'
diff --git a/packages/web-pkg/src/composables/resources/useCanListVersions.ts b/packages/web-pkg/src/composables/resources/useCanListVersions.ts
@@ -0,0 +1,26 @@
+import { useUserStore } from '../piniaStores'
+import { isSpaceResource, isTrashResource, Resource, SpaceResource } from '@ownclouders/web-client'
+
+export const useCanListVersions = () => {
+  const userStore = useUserStore()
+
+  const canListVersions = ({ space, resource }: { space: SpaceResource; resource: Resource }) => {
+    if (resource.type === 'folder') {
+      return false
+    }
+    if (isSpaceResource(resource)) {
+      return false
+    }
+    if (isTrashResource(resource)) {
+      return false
+    }
+    if (!space.canListVersions({ user: userStore.user })) {
+      return false
+    }
+    return true
+  }
+
+  return {
+    canListVersions
+  }
+}
diff --git a/packages/web-pkg/tests/unit/components/sidebar/FileSideBar.spec.ts b/packages/web-pkg/tests/unit/components/sidebar/FileSideBar.spec.ts
@@ -24,6 +24,9 @@ const InnerSideBarComponent = defineComponent({
 })
 
 vi.mock('../../../../src/composables/selection', () => ({ useSelectedResources: vi.fn() }))
+vi.mock('../../../../src/composables/resources/useCanListVersions', () => ({
+  useCanListVersions: () => ({ canListVersions: vi.fn() })
+}))
 
 const selectors = {
   sideBar: '.files-side-bar',

diff --git a/packages/web-pkg/tests/unit/composables/resources/useCanListVersions.spec.ts b/packages/web-pkg/tests/unit/composables/resources/useCanListVersions.spec.ts
@@ -0,0 +1,72 @@
+import { getComposableWrapper } from 'web-test-helpers'
+import { mock } from 'vitest-mock-extended'
+import { Resource, SpaceResource, TrashResource } from '@ownclouders/web-client'
+import { useCanListVersions } from '../../../../src/composables/resources'
+
+describe('useCanListVersions', () => {
+  describe('canListVersions', () => {
+    it('returns true for files when user has sufficient permissions in space', () => {
+      getWrapper({
+        setup: ({ canListVersions }) => {
+          const space = mock<SpaceResource>({ canListVersions: () => true })
+          const resource = mock<Resource>({ type: 'file' })
+          const canList = canListVersions({ space, resource })
+          expect(canList).toBeTruthy()
+        }
+      })
+    })
+    it('returns false for folders', () => {
+      getWrapper({
+        setup: ({ canListVersions }) => {
+          const space = mock<SpaceResource>({ canListVersions: () => true })
+          const resource = mock<Resource>({ type: 'folder' })
+          const canList = canListVersions({ space, resource })
+          expect(canList).toBeFalsy()
+        }
+      })
+    })
+    it('returns false for space resources', () => {
+      getWrapper({
+        setup: ({ canListVersions }) => {
+          const space = mock<SpaceResource>({ canListVersions: () => true })
+          const resource = mock<SpaceResource>({ type: 'space' })
+          const canList = canListVersions({ space, resource })
+          expect(canList).toBeFalsy()
+        }
+      })
+    })
+    it('returns false for trash resources', () => {
+      getWrapper({
+        setup: ({ canListVersions }) => {
+          const space = mock<SpaceResource>({ canListVersions: () => true })
+          const resource = mock<TrashResource>({ type: 'file', ddate: '' })
+          const canList = canListVersions({ space, resource })
+          expect(canList).toBeFalsy()
+        }
+      })
+    })
+    it('returns false when user does not have sufficient permissions in space', () => {
+      getWrapper({
+        setup: ({ canListVersions }) => {
+          const space = mock<SpaceResource>({ canListVersions: () => false })
+          const resource = mock<Resource>({ type: 'file' })
+          const canList = canListVersions({ space, resource })
+          expect(canList).toBeFalsy()
+        }
+      })
+    })
+  })
+})
+
+function getWrapper({
+  setup
+}: {
+  setup: (instance: ReturnType<typeof useCanListVersions>) => void
+}) {
+  return {
+    wrapper: getComposableWrapper(() => {
+      const instance = useCanListVersions()
+      setup(instance)
+    })
+  }
+}
diff --git a/tests/e2e/cucumber/features/spaces/project.feature b/tests/e2e/cucumber/features/spaces/project.feature
@@ -152,7 +152,7 @@ Feature: spaces.personal
 
     When "Carol" logs in
     And "Carol" navigates to the project space "team.1"
-    And "Carol" should not see the version of the file
+    And "Carol" should not see the version panel for the file
       | resource     | to     |
       | textfile.txt | parent |
     And "Carol" logs out