Merge pull request #4643 from JammingBen/feat/secure-view-role

feat: add secure view share role
cs3org · Apr 22, 2024 · 51ab765 · 51ab765
2 parents f92da96 + e60a7fd
commit 51ab765
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/changelog/unreleased/secure-view-share-role.md b/changelog/unreleased/secure-view-share-role.md
@@ -0,0 +1,5 @@
+Enhancement: Secure viewer share role
+
+A new share role "Secure viewer" has been added. This role only allows viewing resources, no downloading, editing or deleting.
+
+https://github.com/cs3org/reva/pull/4643
diff --git a/pkg/conversions/role.go b/pkg/conversions/role.go
@@ -52,6 +52,8 @@ const (
  RoleUploader = "uploader"
  // RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
  RoleManager = "manager"
+ // RoleSecureViewer grants secure view permissions on a resource or space.
+ RoleSecureViewer = "secure-viewer"
 
  // RoleUnknown is used for unknown roles.
  RoleUnknown = "unknown"
@@ -159,6 +161,8 @@ func RoleFromName(name string) *Role {
  return NewUploaderRole()
  case RoleManager:
  return NewManagerRole()
+ case RoleSecureViewer:
+ return NewSecureViewerRole()
  default:
  return NewUnknownRole()
  }
@@ -363,6 +367,18 @@ func NewManagerRole() *Role {
  }
 }
 
+// NewSecureViewerRole creates a secure viewer role
+func NewSecureViewerRole() *Role {
+ return &Role{
+ Name: RoleSecureViewer,
+ cS3ResourcePermissions: &provider.ResourcePermissions{
+ GetPath: true,
+ ListContainer: true,
+ Stat: true,
+ },
+ }
+}
+
 // RoleFromOCSPermissions tries to map ocs permissions to a role
 // TODO: rethink using this. ocs permissions cannot be assigned 1:1 to roles
 func RoleFromOCSPermissions(p Permissions, ri *provider.ResourceInfo) *Role {

diff --git a/pkg/conversions/role_test.go b/pkg/conversions/role_test.go
@@ -74,6 +74,21 @@ func TestSufficientPermissions(t *testing.T) {
  Requested: RoleFromName("denied").CS3ResourcePermissions(),
  Sufficient: false,
  },
+ {
+ Existing: RoleFromName("secure-viewer").CS3ResourcePermissions(),
+ Requested: RoleFromName("secure-viewer").CS3ResourcePermissions(),
+ Sufficient: true,
+ },
+ {
+ Existing: RoleFromName("secure-viewer").CS3ResourcePermissions(),
+ Requested: RoleFromName("viewer").CS3ResourcePermissions(),
+ Sufficient: false,
+ },
+ {
+ Existing: RoleFromName("secure-viewer").CS3ResourcePermissions(),
+ Requested: RoleFromName("editor").CS3ResourcePermissions(),
+ Sufficient: false,
+ },
  {
  Existing: &providerv1beta1.ResourcePermissions{
  // all permissions, used for personal space owners