From 422751da92d4abcf1cb606a4a4750ba3d50db5de Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Wed, 10 Apr 2024 11:46:18 +0200
Subject: [PATCH] fix: permission check in public share update
---
 changelog/unreleased/fix-public-share-update.md | 6 ++++++
 .../publicshareprovider/publicshareprovider.go | 12 ++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 changelog/unreleased/fix-public-share-update.md
diff --git a/changelog/unreleased/fix-public-share-update.md b/changelog/unreleased/fix-public-share-update.md
new file mode 100644
index 0000000000..e7f70bd07a
--- /dev/null
+++ b/changelog/unreleased/fix-public-share-update.md
@@ -0,0 +1,6 @@
+Bugfix: Fix public share update
+
+We fixed the permission check for updating public shares. When updating the permissions of a public share while not providing a password, the check must be against the new permissions to take into account that users can opt out only for view permissions.
+
+https://github.com/cs3org/reva/pull/4626
+https://github.com/cs3org/reva/pull/4622
\ No newline at end of file
diff --git a/internal/grpc/services/publicshareprovider/publicshareprovider.go b/internal/grpc/services/publicshareprovider/publicshareprovider.go
index 3df749f882..a18401b5c2
--- a/internal/grpc/services/publicshareprovider/publicshareprovider.go
+++ b/internal/grpc/services/publicshareprovider/publicshareprovider.go
@@ -554,12 +554,24 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
 }
 updatePassword := req.GetUpdate().GetType() == link.UpdatePublicShareRequest_Update_TYPE_PASSWORD
 setPassword := grant.GetPassword()
+
+ // we update permissions with an empty password and password is not set on the public share
+ emptyPasswordInPermissionUpdate := len(setPassword) == 0 && updatePermissions && !ps.PasswordProtected
+
+ // password is updated, we use the current permissions to check if the user can opt out
 if updatePassword && !isInternalLink && enforcePassword(canOptOut, ps.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
 return &link.UpdatePublicShareResponse{
 Status: status.NewInvalidArg(ctx, "password protection is enforced"),
 }, nil
 }
+ // permissions are updated, we use the new permissions to check if the user can opt out
+ if emptyPasswordInPermissionUpdate && !isInternalLink && enforcePassword(canOptOut, grant.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInvalidArg(ctx, "password protection is enforced"),
+ }, nil
+ }
+
 // validate password policy
 if updatePassword && len(setPassword) > 0 {
 if err := s.passwordValidator.Validate(setPassword); err != nil {