From 476165d678c2d3fb36f55812b7f7c96a0ba87165 Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Wed, 3 Aug 2022 15:15:59 +0200 Subject: [PATCH 1/4] Respect space quota permission --- .../unreleased/bugfix-space-quota-permission | 6 ++++++ .../src/mixins/spaces/actions/editQuota.js | 4 ++++ .../web-pkg/src/services/permissionManager.ts | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 changelog/unreleased/bugfix-space-quota-permission diff --git a/changelog/unreleased/bugfix-space-quota-permission b/changelog/unreleased/bugfix-space-quota-permission new file mode 100644 index 00000000000..bd034d38be2 --- /dev/null +++ b/changelog/unreleased/bugfix-space-quota-permission @@ -0,0 +1,6 @@ +Bugfix: Respect space quota permission + +By taking the space quota permission into account, we've fixed a bug where a regular space member could see the "Edit space quota" action. + +https://github.com/owncloud/web/issues/7400 +https://github.com/owncloud/web/pull/7401 diff --git a/packages/web-app-files/src/mixins/spaces/actions/editQuota.js b/packages/web-app-files/src/mixins/spaces/actions/editQuota.js index 4ec5903151c..238b92671b5 100644 --- a/packages/web-app-files/src/mixins/spaces/actions/editQuota.js +++ b/packages/web-app-files/src/mixins/spaces/actions/editQuota.js @@ -29,6 +29,10 @@ export default { return false } + if (!this.$permissionManager.canEditSpaceQuota()) { + return false + } + return resources[0].canEditQuota({ user: this.user }) }, componentType: 'oc-button', diff --git a/packages/web-pkg/src/services/permissionManager.ts b/packages/web-pkg/src/services/permissionManager.ts index b7c449a10d9..23cdd10a692 100644 --- a/packages/web-pkg/src/services/permissionManager.ts +++ b/packages/web-pkg/src/services/permissionManager.ts 
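Review bot: The `canEditSpaceQuota()` guard added to `isEnabled` in editQuota.js only decides whether the "Edit space quota" action is shown; nothing in this hunk prevents a client from sending the quota change directly. The permission therefore has to be enforced by the server on the quota update request, which is not visible here and should be confirmed. A short comment above the guard would record that, e.g. `// UI visibility only: the backend must still reject quota changes without this permission`. `isEnabled` starts outside the hunk.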
@@ -1,6 +1,21 @@ import { Store } from 'vuex' +interface RoleSetting { + description: string + displayName: string + id: string + name: string + permissionValue: { + constraint: string + operation: string + } + resource: { + id: string + type: string + } +} interface Role { name: 'admin' | 'spaceadmin' | 'user' | 'guest' + settings: Array } interface User { role: Role @@ -21,6 +36,10 @@ export class PermissionManager { return ['admin', 'spaceadmin'].includes(this.user.role?.name) } + public canEditSpaceQuota() { + return !!this.user.role?.settings.find((s) => s.name === 'role-management') + } + get user(): User { return this.store.getters.user } From c1ee9e616e478045cd1f6a4bbc53f0f675cf53cf Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Wed, 3 Aug 2022 15:31:39 +0200 Subject: [PATCH 2/4] Remove outdated code, adjust unit tests --- packages/web-app-files/src/helpers/resources.ts | 4 ---- .../src/mixins/spaces/actions/editQuota.js | 6 +----- .../tests/unit/mixins/spaces/editQuota.spec.js | 17 +++++++++++------ 3 files changed, 12 insertions(+), 15 deletions(-) diff --git a/packages/web-app-files/src/helpers/resources.ts b/packages/web-app-files/src/helpers/resources.ts index 89e43cfe918..fe384ec0a82 100644 --- a/packages/web-app-files/src/helpers/resources.ts +++ b/packages/web-app-files/src/helpers/resources.ts @@ -220,10 +220,6 @@ export function buildSpace(space) { ] return user && allowedRoles.includes(user.uuid) }, - canEditQuota: function ({ user }: { user?: User } = {}) { - const allowedRoles = [...this.spaceRoles[spaceRoleManager.name]] - return user && allowedRoles.includes(user.uuid) - }, canCreate: function () { return true }, diff --git a/packages/web-app-files/src/mixins/spaces/actions/editQuota.js b/packages/web-app-files/src/mixins/spaces/actions/editQuota.js index 238b92671b5..041f7e0885f 100644 --- a/packages/web-app-files/src/mixins/spaces/actions/editQuota.js +++ b/packages/web-app-files/src/mixins/spaces/actions/editQuota.js 
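Review bot: `canEditSpaceQuota()` in the second permissionManager.ts hunk throws a TypeError when a role arrives without a `settings` array, because `role?.settings.find(...)` only guards against a missing `role`. A permission check should resolve to a plain deny instead: `return this.user.role?.settings?.some((s) => s.name === 'role-management') ?? false` fails closed, and the method can then declare `: boolean` (the literal is renamed later in this series). The lookup also matches on `name` alone, although the interface added in the first hunk carries `permissionValue.operation` and `permissionValue.constraint`. If the backend can deliver this setting with a restrictive operation or constraint, the action would presumably still be offered, so that is worth checking. The class body continues outside the hunk.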
@@ -29,11 +29,7 @@ export default { return false } - if (!this.$permissionManager.canEditSpaceQuota()) { - return false - } - - return resources[0].canEditQuota({ user: this.user }) + return this.$permissionManager.canEditSpaceQuota() }, componentType: 'oc-button', class: 'oc-files-actions-edit-quota-trigger' diff --git a/packages/web-app-files/tests/unit/mixins/spaces/editQuota.spec.js b/packages/web-app-files/tests/unit/mixins/spaces/editQuota.spec.js index 7aacdd4e296..07be8f93152 100644 --- a/packages/web-app-files/tests/unit/mixins/spaces/editQuota.spec.js +++ b/packages/web-app-files/tests/unit/mixins/spaces/editQuota.spec.js @@ -20,7 +20,7 @@ describe('editQuota', () => { const wrapper = getWrapper() expect(wrapper.vm.$_editQuota_items[0].isEnabled({ resources: [] })).toBe(false) }) - it('should be true when the current user is a manager', () => { + it('should be true when the current user has the "role-management"-permission', () => { const spaceMock = { id: '1', quota: {}, @@ -28,20 +28,20 @@ describe('editQuota', () => { permissions: [{ roles: ['manager'], grantedTo: [{ user: { id: 1 } }] }] } } - const wrapper = getWrapper() + const wrapper = getWrapper({ canEditSpaceQuota: true }) expect( wrapper.vm.$_editQuota_items[0].isEnabled({ resources: [buildSpace(spaceMock)] }) ).toBe(true) }) - it('should be false when the current user is a viewer', () => { + it('should be false when the current user does not have the "role-management"-permission', () => { const spaceMock = { id: '1', quota: {}, root: { - permissions: [{ roles: ['viewer'], grantedTo: [{ user: { id: 1 } }] }] + permissions: [{ roles: ['manager'], grantedTo: [{ user: { id: 1 } }] }] } } - const wrapper = getWrapper() + const wrapper = getWrapper({ canEditSpaceQuota: false }) expect( wrapper.vm.$_editQuota_items[0].isEnabled({ resources: [buildSpace(spaceMock)] }) ).toBe(false) 
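Review bot: After this change `isEnabled` in editQuota.js no longer looks at `resources[0]`, so the result is the same for every selected space and depends only on the user's role settings. A space manager without the permission loses the action, and a user with it is presumably offered the action on spaces where they hold no space role. If that is the intended model, a comment above the return such as `// quota editing is a role-wide permission, not tied to the space's own roles` would keep a later reader from assuming a per-space check still exists. The spec hunks on this line show the same shift: the 'false' case now uses a `manager` space role. `isEnabled` begins outside the hunk.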
@@ -49,9 +49,14 @@ describe('editQuota', () => { }) }) -function getWrapper() { +function getWrapper({ canEditSpaceQuota = false } = {}) { return mount(Component, { localVue, + mocks: { + $permissionManager: { + canEditSpaceQuota: () => canEditSpaceQuota + } + }, store: createStore(Vuex.Store, { modules: { user: { From 96c2409d0a67d908ed0d28bec86214577ecb06ea Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Wed, 3 Aug 2022 15:56:57 +0200 Subject: [PATCH 3/4] Fix setting name --- .../web-app-files/tests/unit/mixins/spaces/editQuota.spec.js | 4 ++-- packages/web-pkg/src/services/permissionManager.ts | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/web-app-files/tests/unit/mixins/spaces/editQuota.spec.js b/packages/web-app-files/tests/unit/mixins/spaces/editQuota.spec.js index 07be8f93152..bebcef9ff11 100644 --- a/packages/web-app-files/tests/unit/mixins/spaces/editQuota.spec.js +++ b/packages/web-app-files/tests/unit/mixins/spaces/editQuota.spec.js @@ -20,7 +20,7 @@ describe('editQuota', () => { const wrapper = getWrapper() expect(wrapper.vm.$_editQuota_items[0].isEnabled({ resources: [] })).toBe(false) }) - it('should be true when the current user has the "role-management"-permission', () => { + it('should be true when the current user has the "set-space-quota"-permission', () => { const spaceMock = { id: '1', quota: {}, @@ -33,7 +33,7 @@ describe('editQuota', () => { wrapper.vm.$_editQuota_items[0].isEnabled({ resources: [buildSpace(spaceMock)] }) ).toBe(true) }) - it('should be false when the current user does not have the "role-management"-permission', () => { + it('should be false when the current user does not have the "set-space-quota"-permission', () => { const spaceMock = { id: '1', quota: {}, diff --git a/packages/web-pkg/src/services/permissionManager.ts b/packages/web-pkg/src/services/permissionManager.ts index 23cdd10a692..257c9865e91 100644 --- a/packages/web-pkg/src/services/permissionManager.ts 
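Review bot: `getWrapper` now replaces `$permissionManager.canEditSpaceQuota` with a stub that returns the test's own boolean, so no test in this series runs the real `PermissionManager.canEditSpaceQuota()` against a role's `settings`. PATCH 3/4 changes the matched setting name and only test titles change with it, which suggests a wrong name would go unnoticed. A small unit test for the manager would pin this authorization check, covering a role carrying the setting, a role without it, and a role with no settings at all. The `mount` call continues outside the hunk.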
+++ b/packages/web-pkg/src/services/permissionManager.ts @@ -37,7 +37,7 @@ export class PermissionManager { } public canEditSpaceQuota() { - return !!this.user.role?.settings.find((s) => s.name === 'role-management') + return !!this.user.role?.settings.find((s) => s.name === 'set-space-quota') } get user(): User { From 6240fc71e87b5e3b3ddb69750aa83181590e6d91 Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Thu, 4 Aug 2022 08:26:57 +0200 Subject: [PATCH 4/4] Adjust permission interface name --- packages/web-pkg/src/services/permissionManager.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/web-pkg/src/services/permissionManager.ts b/packages/web-pkg/src/services/permissionManager.ts index 257c9865e91..7c2a4e7f26f 100644 --- a/packages/web-pkg/src/services/permissionManager.ts +++ b/packages/web-pkg/src/services/permissionManager.ts @@ -1,5 +1,5 @@ import { Store } from 'vuex' -interface RoleSetting { +interface Permission { description: string displayName: string id: string @@ -15,7 +15,7 @@ interface RoleSetting { } interface Role { name: 'admin' | 'spaceadmin' | 'user' | 'guest' - settings: Array + settings: Array } interface User { role: Role