Add share attributes + prevent download permission #32482

PVince81 · 2022-05-18T12:55:53Z

brings in share attributes column in oc_share
store download permission in extended share attributes
enforces download restriction

PVince81 · 2022-05-24T08:30:41Z

to test:

Share a folder "test" with another local user
Upload some files into "test", for example and a file "test.odt"
Find share id in the network console
Run curl with the share id:

curl -u admin:admin 'https://domain.tld/ocs/v2.php/apps/files_sharing/api/v1/shares/$shareId` \
  -X 'PUT' \
  -H 'OCS-APIRequest: true' \
-H 'Accept: application/json, text/plain, */*' \
  -H 'Content-Type: application/json' \
  --data-raw '{"attributes":[{"scope": "permissions", "key": "download", "enabled": "false"}]}'

Login as the share recipient
Try downloading the file

=> "Access denied".

Note: this PR doesn't adjust the frontend yet, so the download action is still visible

PVince81 · 2022-05-25T09:43:21Z

consider renaming "enabled" to "value" as we likely want more than a boolean there for flexibility ? (also change the method interfaces then)
- need to consider what happens when merging shares (aka super shares / when receiving the same file/folder through multiple shares). with bools, true would have precedence

=> no, keep booleans due to prioritization

PVince81 · 2022-05-25T14:23:26Z

I've fixed more tests, hope they all pass now (minus the node one that is broken on master)

PVince81 · 2022-05-25T15:19:39Z

sqlite only not reproducible locally 😮

1) Test\Share20\DefaultShareProviderTest::testGetShareByIdUserShare
Invalid argument supplied for foreach()

/drone/src/lib/private/Share20/DefaultShareProvider.php:1563
/drone/src/lib/private/Share20/DefaultShareProvider.php:1082
/drone/src/lib/private/Share20/DefaultShareProvider.php:814
/drone/src/tests/lib/Share20/DefaultShareProviderTest.php:221

PVince81 · 2022-05-31T11:00:11Z

rebased for CI, hopefully everything green after that!

PVince81 · 2022-06-02T07:17:24Z

simplify permissions in DB ?
- ex: ["permissions","download",false] or even: {'permissions': {'download': false}}
- => seems it's already stored
JSON / HTTP: [{scope:'', permission: 'download': 'enabled': true}, {...}]
DB `` [$scope, $permission, $enabled]```

=> let's keep this as is

PVince81 · 2022-06-02T09:34:44Z

I've added a "Allow download" checkbox now in the frontend and also the logic to read and save it.
Additionally, the share attributes are now available in a "nc:share-attributes" DAV property for clients and is also used by the web UI.

More work needed to:

make sure resharing cannot increase download perms
make sure public link page doesn't show download action when resharing a received share that has no download perm
see if possible to have JS tests for the new bits (at first look it seems we don't have any)

PVince81 · 2022-06-02T09:36:14Z

would be good to have a first pass review already.
I'll fix conflicts/CI in my next pass

apps/files_sharing/lib/AppInfo/Application.php

apps/files_sharing/lib/Controller/ShareAPIController.php

apps/files_sharing/lib/ViewOnly.php

PVince81 · 2022-06-02T15:25:48Z

apps/files_sharing/src/components/SharingEntry.vue

+			if (this.share.hasDownloadPermission !== isDownloadChecked) {
+				this.share.hasDownloadPermission = isDownloadChecked
+				this.queueUpdate('attributes')
+			}


optional: check if we can also skip "permissions"

- Fix tests - Use non deprecated event stuff - Add a bit of type hinting to the new stuff - More safe handling of instanceOfStorage (share might not be the first wrapper) - Fix resharing Signed-off-by: Carl Schwan <carl@carlschwan.eu>

CarlSchwan

ci issue unrelated

PVince81 · 2022-08-01T08:06:27Z

/backport to stable24

elhananjair · 2022-08-17T19:04:47Z

Hello, @PVince81
I was waiting for this commit for so long, I tested it recently, and didn't work well with PDF files 😢. It works fine with other files I tested such as .docx .md.

PVince81 · 2022-08-26T07:12:08Z

@elhananjair yes, the different apps also need to be adjusted to properly recognize the permission and act accordingly.
for apps that don't support view only, they should simply not view the document at all

juliusknorr · 2022-08-26T07:39:59Z

I filed nextcloud/files_pdfviewer#649 about this

iMoshi · 2022-11-01T17:31:54Z

So, I've finally tried the feature, and unchecked "Allow download" when sharing a folder with an internal user, and the user would get "Access forbidden" with basically any document including .pdf.

Is there something I'm missing inside the Administration Settings?

Also, can we have the option to "Allow download" when sharing a single file with an internal user?

PVince81 added the 2. developing Work in progress label May 18, 2022

PVince81 added this to the Nextcloud 25 milestone May 18, 2022

PVince81 self-assigned this May 18, 2022

szaimen mentioned this pull request May 18, 2022

Download Permission restriction like Hide Download option for internal (user/group) shares #16413

Closed

PVince81 force-pushed the enh/noid/share-attributes branch from 0bb8ded to ffc23cd Compare May 18, 2022 14:29

This comment was marked as outdated.

Sign in to view

PVince81 force-pushed the enh/noid/share-attributes branch from 39e0151 to 98fa5b9 Compare May 19, 2022 15:05

PVince81 force-pushed the enh/noid/share-attributes branch from 98fa5b9 to e35f472 Compare May 24, 2022 10:08

PVince81 force-pushed the enh/noid/share-attributes branch 2 times, most recently from d79d7aa to d70c3e3 Compare May 25, 2022 14:23

PVince81 mentioned this pull request May 30, 2022

View-only permission for internal shares #30744

Closed

PVince81 force-pushed the enh/noid/share-attributes branch from d70c3e3 to 4661ad3 Compare May 30, 2022 09:12

PVince81 requested review from artonge and CarlSchwan May 30, 2022 09:12

PVince81 force-pushed the enh/noid/share-attributes branch from 4661ad3 to 9def5b3 Compare May 31, 2022 11:00

PVince81 requested a review from juliusknorr June 2, 2022 09:35

PVince81 marked this pull request as ready for review June 2, 2022 09:35