From b5c09443e1e92b57434ba55b64209552edfb6851 Mon Sep 17 00:00:00 2001
From: Michael Barz <mbarz@owncloud.com>
Date: Mon, 7 Mar 2022 12:18:04 +0100
Subject: [PATCH] improve grant handling for space members (#2620)

---
 changelog/unreleased/use-share-api-spaces.md  |  1 +
 .../services/gateway/usershareprovider.go     | 31 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/changelog/unreleased/use-share-api-spaces.md b/changelog/unreleased/use-share-api-spaces.md
index 401fa4acbb..80c0f7f610 100644
--- a/changelog/unreleased/use-share-api-spaces.md
+++ b/changelog/unreleased/use-share-api-spaces.md
@@ -3,3 +3,4 @@ Change: Use the cs3 share api to manage spaces
 We now use the cs3 share Api to manage the space roles. We do not send the request to the share manager, the permissions are stored in the storage provider
 
 https://github.com/cs3org/reva/pull/2600
+https://github.com/cs3org/reva/pull/2620
diff --git a/internal/grpc/services/gateway/usershareprovider.go b/internal/grpc/services/gateway/usershareprovider.go
index 5d45475a9e..4a07923b71 100644
--- a/internal/grpc/services/gateway/usershareprovider.go
+++ b/internal/grpc/services/gateway/usershareprovider.go
@@ -701,7 +701,16 @@ func (s *svc) removeSpaceShare(ctx context.Context, ref *provider.ResourceId, gr
 	if err != nil {
 		return nil, errors.Wrap(err, "gateway: error getting grant to remove from storage")
 	}
-	removeGrantStatus, err := s.removeGrant(ctx, ref, grantee, listGrantRes.Grants[0].Permissions)
+	var permissions *provider.ResourcePermissions
+	for _, g := range listGrantRes.Grants {
+		if isEqualGrantee(g.Grantee, grantee) {
+			permissions = g.Permissions
+		}
+	}
+	if permissions == nil {
+		return nil, errors.New("gateway: error getting grant to remove from storage")
+	}
+	removeGrantStatus, err := s.removeGrant(ctx, ref, grantee, permissions)
 	if err != nil {
 		return nil, errors.Wrap(err, "gateway: error removing grant from storage")
 	}
@@ -733,3 +742,23 @@ func shareIsSpaceRoot(key *collaboration.ShareKey) bool {
 	}
 	return refIsSpaceRoot(key.ResourceId)
 }
+
+func isEqualGrantee(a, b *provider.Grantee) bool {
+	// Ideally we would want to use utils.GranteeEqual()
+	// but the grants stored in the decomposedfs aren't complete (missing usertype and idp)
+	// because of that the check would fail so we can only check the ... for now.
+	if a.Type != b.Type {
+		return false
+	}
+
+	var aID, bID string
+	switch a.Type {
+	case provider.GranteeType_GRANTEE_TYPE_GROUP:
+		aID = a.GetGroupId().OpaqueId
+		bID = b.GetGroupId().OpaqueId
+	case provider.GranteeType_GRANTEE_TYPE_USER:
+		aID = a.GetUserId().OpaqueId
+		bID = b.GetUserId().OpaqueId
+	}
+	return aID == bID
+}