Allow updating to internal link

changelog/unreleased/allow-updating-to-private-link.md

@@ -0,0 +1,5 @@
+Bugfix: Allow updating to internal link
+
+We now allow updating any link to an internal link when the user has UpdateGrant permissions
+
+https://github.com/cs3org/reva/pull/3436

internal/http/services/owncloud/ocdav/propfind/propfind.go

@@ -949,7 +949,7 @@ func mdToPropResponse(ctx context.Context, pf *XML, md *provider.ResourceInfo, p
 		shareTypes = utils.ReadPlainFromOpaque(md.Opaque, "share-types")
 	}
 
-	role := conversions.RoleFromResourcePermissions(md.PermissionSet)
+	role := conversions.RoleFromResourcePermissions(md.PermissionSet, ls != nil)
 
 	if md.Space != nil && md.Space.SpaceType != "grant" && utils.ResourceIDEqual(md.Space.Root, md.Id) {
 		// a space root is never shared

internal/http/services/owncloud/ocdav/tus.go

@@ -327,7 +327,7 @@ func (s *svc) handleTusPost(ctx context.Context, w http.ResponseWriter, r *http.
 				}
 			}
 			isShared := !net.IsCurrentUserOwner(ctx, info.Owner)
-			role := conversions.RoleFromResourcePermissions(info.PermissionSet)
+			role := conversions.RoleFromResourcePermissions(info.PermissionSet, isPublic)
 			permissions := role.WebDAVPermissions(
 				info.Type == provider.ResourceType_RESOURCE_TYPE_CONTAINER,
 				isShared,

internal/http/services/owncloud/ocs/conversions/main.go

@@ -236,8 +236,8 @@ func CS3Share2ShareData(ctx context.Context, share *collaboration.Share) (*Share
 	if share.Id != nil {
 		sd.ID = share.Id.OpaqueId
 	}
-	if share.GetPermissions() != nil && share.GetPermissions().GetPermissions() != nil {
-		sd.Permissions = RoleFromResourcePermissions(share.GetPermissions().GetPermissions()).OCSPermissions()
+	if share.GetPermissions().GetPermissions() != nil {
+		sd.Permissions = RoleFromResourcePermissions(share.GetPermissions().GetPermissions(), false).OCSPermissions()
 	}
 	if share.Ctime != nil {
 		sd.STime = share.Ctime.Seconds // TODO CS3 api birth time = btime
@@ -262,9 +262,11 @@ func PublicShare2ShareData(share *link.PublicShare, r *http.Request, publicURL s
 	if share.Id != nil {
 		sd.ID = share.Id.OpaqueId
 	}
-	if share.GetPermissions() != nil && share.GetPermissions().GetPermissions() != nil {
-		sd.Permissions = RoleFromResourcePermissions(share.GetPermissions().GetPermissions()).OCSPermissions()
+
+	if s := share.GetPermissions().GetPermissions(); s != nil {
+		sd.Permissions = RoleFromResourcePermissions(share.GetPermissions().GetPermissions(), true).OCSPermissions()
 	}
+
 	if share.Expiration != nil {
 		sd.Expiration = timestampToExpiration(share.Expiration)
 	}

internal/http/services/owncloud/ocs/conversions/role.go

@@ -410,7 +410,9 @@ func NewLegacyRoleFromOCSPermissions(p Permissions) *Role {
 }
 
 // RoleFromResourcePermissions tries to map cs3 resource permissions to a role
-func RoleFromResourcePermissions(rp *provider.ResourcePermissions) *Role {
+// It needs to know whether this is a link or not, because empty permissions on links mean "INTERNAL LINK"
+// while empty permissions on other resources mean "DENIAL". Obviously this is not optimal.
+func RoleFromResourcePermissions(rp *provider.ResourcePermissions, islink bool) *Role {
 	r := &Role{
 		Name:                   RoleUnknown,
 		ocsPermissions:         PermissionInvalid,
@@ -420,8 +422,10 @@ func RoleFromResourcePermissions(rp *provider.ResourcePermissions) *Role {
 		return r
 	}
 	if grants.PermissionsEqual(rp, &provider.ResourcePermissions{}) {
-		r.ocsPermissions = PermissionsNone
-		r.Name = RoleDenied
+		if !islink {
+			r.ocsPermissions = PermissionsNone
+			r.Name = RoleDenied
+		}
 		return r
 	}
 	if rp.ListContainer &&

internal/http/services/owncloud/ocs/handlers/apps/sharing/sharees/token.go

@@ -116,7 +116,7 @@ func buildTokenInfo(owner *user.User, tkn string, token string, passProtected bo
 	t.SpaceID = sRes.Share.ResourceId.GetSpaceId()
 	t.OpaqueID = sRes.Share.ResourceId.GetOpaqueId()
 
-	role := conversions.RoleFromResourcePermissions(sRes.Share.Permissions.GetPermissions())
+	role := conversions.RoleFromResourcePermissions(sRes.Share.Permissions.GetPermissions(), true)
 	t.Aliaslink = role.OCSPermissions() == 0
 
 	return t, nil

internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go

@@ -112,14 +112,15 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request,
 
 	if statInfo != nil && statInfo.Type == provider.ResourceType_RESOURCE_TYPE_FILE {
 		// Single file shares should never have delete or create permissions
-		role := conversions.RoleFromResourcePermissions(newPermissions)
+		role := conversions.RoleFromResourcePermissions(newPermissions, true)
 		permissions := role.OCSPermissions()
 		permissions &^= conversions.PermissionCreate
 		permissions &^= conversions.PermissionDelete
 		newPermissions = conversions.RoleFromOCSPermissions(permissions).CS3ResourcePermissions()
 	}
 
-	if !sufficientPermissions(statInfo.PermissionSet, newPermissions) {
+	if !sufficientPermissions(statInfo.PermissionSet, newPermissions, true) {
+		response.WriteOCSError(w, r, http.StatusNotFound, "no share permission", nil)
 		return nil, &ocsError{
 			Code:    http.StatusNotFound,
 			Message: "Cannot set the requested share permissions",
@@ -355,7 +356,8 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 		return
 	}
 
-	if !sufficientPermissions(statRes.Info.PermissionSet, newPermissions) {
+	// empty permissions mean internal link here - NOT denial. Hence we need an extra check
+	if !sufficientPermissions(statRes.Info.PermissionSet, newPermissions, true) {
 		response.WriteOCSError(w, r, http.StatusNotFound, "no share permission", nil)
 		return
 	}

internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go

@@ -240,7 +240,7 @@ func (h *Handler) CreateShare(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// check user has share permissions
-	if !conversions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(conversions.PermissionShare) {
+	if !conversions.RoleFromResourcePermissions(statRes.Info.PermissionSet, false).OCSPermissions().Contain(conversions.PermissionShare) {
 		response.WriteOCSError(w, r, http.StatusNotFound, "No share permission", nil)
 		return
 	}
@@ -447,7 +447,7 @@ func (h *Handler) extractPermissions(reqRole string, reqPermissions string, ri *
 		role = conversions.RoleFromOCSPermissions(permissions)
 	}
 
-	if !sufficientPermissions(ri.PermissionSet, role.CS3ResourcePermissions()) && role.Name != conversions.RoleDenied {
+	if !sufficientPermissions(ri.PermissionSet, role.CS3ResourcePermissions(), false) && role.Name != conversions.RoleDenied {
 		return nil, nil, &ocsError{
 			Code:    http.StatusNotFound,
 			Message: "Cannot set the requested share permissions",
@@ -1521,8 +1521,8 @@ func (h *Handler) granteeExists(ctx context.Context, g *provider.Grantee, rid *p
 }
 
 // sufficientPermissions returns true if the `existing` permissions contain the `requested` permissions
-func sufficientPermissions(existing, requested *provider.ResourcePermissions) bool {
-	ep := conversions.RoleFromResourcePermissions(existing).OCSPermissions()
-	rp := conversions.RoleFromResourcePermissions(requested).OCSPermissions()
+func sufficientPermissions(existing, requested *provider.ResourcePermissions, islink bool) bool {
+	ep := conversions.RoleFromResourcePermissions(existing, islink).OCSPermissions()
+	rp := conversions.RoleFromResourcePermissions(requested, islink).OCSPermissions()
 	return ep.Contain(rp)
 }

pkg/share/manager/owncloudsql/conversions.go

@@ -194,7 +194,7 @@ func resourceTypeToItem(r provider.ResourceType) string {
 }
 
 func sharePermToInt(p *provider.ResourcePermissions) int {
-	return int(conversions.RoleFromResourcePermissions(p).OCSPermissions())
+	return int(conversions.RoleFromResourcePermissions(p, false).OCSPermissions())
 }
 
 func intTosharePerm(p int) (*provider.ResourcePermissions, error) {

pkg/storage/fs/owncloudsql/owncloudsql.go

@@ -768,7 +768,7 @@ func (fs *owncloudsqlfs) CreateDir(ctx context.Context, ref *provider.Reference)
 
 	permissions := 31 // 1: READ, 2: UPDATE, 4: CREATE, 8: DELETE, 16: SHARE
 	if perm, err := fs.readPermissions(ctx, filepath.Dir(ip)); err == nil {
-		permissions = int(conversions.RoleFromResourcePermissions(perm).OCSPermissions()) // inherit permissions of parent
+		permissions = int(conversions.RoleFromResourcePermissions(perm, false).OCSPermissions()) // inherit permissions of parent
 	}
 	data := map[string]interface{}{
 		"path":          fs.toDatabasePath(ip),
@@ -835,7 +835,7 @@ func (fs *owncloudsqlfs) TouchFile(ctx context.Context, ref *provider.Reference)
 		"path":          fs.toDatabasePath(ip),
 		"etag":          calcEtag(ctx, fi),
 		"mimetype":      mime.Detect(false, ip),
-		"permissions":   int(conversions.RoleFromResourcePermissions(parentPerms).OCSPermissions()), // inherit permissions of parent
+		"permissions":   int(conversions.RoleFromResourcePermissions(parentPerms, false).OCSPermissions()), // inherit permissions of parent
 		"mtime":         mtime,
 		"storage_mtime": mtime,
 	}

pkg/storage/fs/owncloudsql/upload.go

@@ -244,7 +244,7 @@ func (fs *owncloudsqlfs) NewUpload(ctx context.Context, info tusd.FileInfo) (upl
 		"Type":                "OwnCloudStore",
 		"BinPath":             binPath,
 		"InternalDestination": ip,
-		"Permissions":         strconv.Itoa((int)(conversions.RoleFromResourcePermissions(perm).OCSPermissions())),
+		"Permissions":         strconv.Itoa((int)(conversions.RoleFromResourcePermissions(perm, false).OCSPermissions())),
 
 		"Idp":      usr.Id.Idp,
 		"UserId":   usr.Id.OpaqueId,