Migrate deny-acl UI code from CERNbox

changelog/unreleased/enhancement-deny-subfolder-share

@@ -0,0 +1,5 @@
+Enhancement: Deny subfolders inside share
+
+Subfolders within non-link shares can now be denied for certain share receivers if the backend is capabable of negative ACLs.
+
+https://github.com/owncloud/web/pull/7190

packages/web-app-files/src/components/SideBar/Shares/Collaborators/RoleDropdown.vue

@@ -170,6 +170,8 @@ export default defineComponent({
     inviteLabel() {
       if (this.selectedRole.hasCustomPermissions) {
         return this.$gettext('Invite with custom permissions')
+      } else if (this.selectedRole.permissions().includes(SharePermissions.deny)) {
+        return this.$gettext('Deny access')
       } else {
         return this.$gettextInterpolate(this.$gettext('Invite as %{ name }'), {
           name: this.$gettext(this.selectedRole.inlineLabel) || ''
@@ -187,7 +189,7 @@ export default defineComponent({
     },
     availableRoles() {
       if (this.resourceIsSpace) {
-        return SpacePeopleShareRoles.list()
+        return SpacePeopleShareRoles.list(this.resource.canDeny())
       }
 
       if (this.incomingParentShare.value && this.resourceIsSharable) {
@@ -199,7 +201,11 @@ export default defineComponent({
         )
       }
 
-      return PeopleShareRoles.list(this.resource.isFolder, this.allowCustomSharing !== false)
+      return PeopleShareRoles.list(
+        this.resource.isFolder,
+        this.allowCustomSharing !== false,
+        this.resource.canDeny()
+      )
     },
     availablePermissions() {
       if (this.incomingParentShare.value && this.resourceIsSharable) {
@@ -234,7 +240,10 @@ export default defineComponent({
       } else if (this.resourceIsSpace) {
         this.selectedRole = SpacePeopleShareRoles.list()[0]
       } else {
-        this.selectedRole = PeopleShareRoles.list(this.resource.isFolder)[0]
+        this.selectedRole = PeopleShareRoles.list(
+          this.resource.isFolder,
+          this.resource.canDeny()
+        )[0]
       }
 
       if (this.selectedRole.hasCustomPermissions) {

packages/web-app-files/src/helpers/resources.ts

@@ -107,6 +107,9 @@ export function buildResource(resource): Resource {
     isReceivedShare: function () {
       return this.permissions.indexOf(DavPermission.Shared) >= 0
     },
+    canDeny: function () {
+      return this.permissions.indexOf(DavPermission.Deny) >= 0
+    },
     getDomSelector: () => extractDomSelector(id)
   }
 }
@@ -269,6 +272,7 @@ export function buildSharedResource(
     resource.canShare = () => true
     resource.canRename = () => true
     resource.canBeDeleted = () => true
+    resource.canDeny = () => SharePermissions.deny.enabled(share.permissions)
   }
 
   resource.extension = extractExtensionFromFile(resource)

packages/web-client/src/helpers/resource/types.ts

@@ -34,6 +34,7 @@ export interface Resource {
   canRename?(): boolean
   canBeDeleted?(): boolean
   canBeRestored?(): boolean
+  canDeny?(): boolean
 
   isReceivedShare?(): boolean
   isMounted?(): boolean

packages/web-client/src/helpers/share/permission.ts

@@ -61,6 +61,8 @@ export abstract class SharePermissions {
 
   static readonly share = new SharePermission('share', SharePermissionBit.Share, $gettext('Share'))
 
+  static readonly deny = new SharePermission('deny', 64, $gettext('Deny'))
+
   static permissionsToBitmask(permissions: SharePermission[]): number {
     return (permissions || []).reduce((b: number, p: SharePermission) => b | p.bit, 0)
   }

packages/web-client/src/helpers/share/role.ts

@@ -185,6 +185,14 @@ export const peopleRoleCustomFolder = new CustomShareRole(
     SharePermissions.share
   ]
 )
+export const peopleRoleDenyFolder = new PeopleShareRole(
+  'deny',
+  true,
+  $gettext('Deny'),
+  $gettext('deny'),
+  'user -unfollow',
+  [SharePermissions.deny]
+)
 export const linkRoleInternalFile = new LinkShareRole(
   'none',
   false,
@@ -288,7 +296,8 @@ export abstract class SpacePeopleShareRoles {
   }
 
   static getByBitmask(bitmask: number): ShareRole {
-    return this.all.find((r) => r.bitmask(true) === bitmask)
+    return this.all // Retrieve all possible options always, even if deny is not enabled
+      .find((r) => r.bitmask(true) === bitmask)
   }
 }
 
@@ -302,16 +311,19 @@ export abstract class PeopleShareRoles {
 
   static readonly allWithCustom = [...this.all, peopleRoleCustomFile, peopleRoleCustomFolder]
 
-  static list(isFolder: boolean, hasCustom = true): ShareRole[] {
-    return (hasCustom ? this.allWithCustom : this.all).filter((r) => r.folder === isFolder)
+  static list(isFolder: boolean, hasCustom = true, canDeny = false): ShareRole[] {
+    return [
+      ...(hasCustom ? this.allWithCustom : this.all),
+      ...(canDeny ? [peopleRoleDenyFolder] : [])
+    ].filter((r) => r.folder === isFolder)
   }
 
   static custom(isFolder: boolean): ShareRole {
     return this.allWithCustom.find((r) => r.folder === isFolder && r.hasCustomPermissions)
   }
 
   static getByBitmask(bitmask: number, isFolder: boolean, allowSharing: boolean): ShareRole {
-    const role = this.allWithCustom
+    const role = [...this.allWithCustom, peopleRoleDenyFolder] // Retrieve all possible options always, even if deny is not enabled
       .filter((r) => !r.hasCustomPermissions)
       .find((r) => r.folder === isFolder && r.bitmask(allowSharing) === bitmask)
     return role || this.custom(isFolder)
@@ -401,7 +413,8 @@ const shareRoleDescriptions = {
   [peopleRoleEditorFolder.bitmask(false)]: $gettext('Upload, edit, delete, download and preview'),
   [peopleRoleEditorFolder.bitmask(true)]: $gettext(
     'Upload, edit, delete, download, preview and share'
-  )
+  ),
+  [peopleRoleDenyFolder.bitmask(false)]: $gettext('Deny access')
 }
 
 /**

packages/web-pkg/src/constants/dav.ts

@@ -8,6 +8,7 @@ export abstract class DavPermission {
   static readonly Updateable: string = 'NV'
   static readonly FileUpdateable: string = 'W'
   static readonly FolderCreateable: string = 'CK'
+  static readonly Deny: string = 'Z'
 }
 
 export abstract class DavProperty {