Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: fix deny access to prevent a regression #10627

Merged
merged 1 commit into from
Nov 25, 2024
Merged

Conversation

micbar
Copy link
Contributor

@micbar micbar commented Nov 22, 2024

Regression in ocis 7.0.0-rc.3

After updating an ocis 5.0.9 to ocis 7.0.0-rc.3, existing denials are breaking the web client.

deny-regression

Related Issue

  • Fixes <issue_link>

Motivation and Context

How Has This Been Tested?

  • test environment:
  • test case 1:
  • test case 2:
  • ...

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

Copy link

update-docs bot commented Nov 22, 2024

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@micbar micbar force-pushed the fix-denials-graph branch 2 times, most recently from d4b6566 to 28d8b7d Compare November 22, 2024 10:47
@ScharfViktor
Copy link
Contributor

ScharfViktor commented Nov 22, 2024

@micbar micbar marked this pull request as ready for review November 22, 2024 11:55
@micbar micbar requested a review from kulmann as a code owner November 22, 2024 11:55
@mmattel
Copy link
Contributor

mmattel commented Nov 22, 2024

If this gets merged, I will do the needed translation on transifex for the new strings.

Note, if TX needs to be added quickly befor final releasing, one needs to initiate a manualy sync, I will do the TX and another sync needs to be done. Then all is up to date.

@ScharfViktor
Copy link
Contributor

ScharfViktor commented Nov 22, 2024

tested:

  • creating/changing/deleting share with role cannot access - works correct
  • user can see/change/delete cannot access share which was created in 5.0 version

remarks:

  • 500 error when deleting deny share (was created in version 5.0) but looks like works -> user recipient can see resource
    steps:
    • switch ocis version 5
    • admin creates folder and shares folder to Users group
    • admin shares folder to einstein with denied role
    • upgrade ocis to version 7
    • admin deletes denied role
      log:
      {"level":"error","service":"sharing","pkg":"rgrpc","traceid":"56df2dfcf09102480861bcf5efb79e17","hostname":"","userID":"9955764e-d4f7-4191-96ea-7d559e8f7955","shareID":"b1b4a413-4987-45ed-8cee-986911d246cd:9955764e-d4f7-4191-96ea-7d559e8f7955:fa3ce1ec-9cd8-475e-80f9-053e86c1c836","error":"error: already exists: already exists","time":"2024-11-22T17:23:14+01:00","message":"persisting removed share failed"}

@micbar today I saw that you had similar issue and fixed it. it was case with project space - it works

  • no german translation
image

@micbar
Copy link
Contributor Author

micbar commented Nov 22, 2024

@micbar today I saw that you had similar issue and fixed it. it was case with project space - it works

Correct. That was a general issue with sharing and has been fixed in reva cs3org/reva#4968.

Needs a reva bump to arrive in ocis master.

@micbar micbar mentioned this pull request Nov 22, 2024
85 tasks
@micbar micbar requested a review from rhafer November 22, 2024 17:07
@@ -482,6 +482,10 @@ func (g BaseGraphService) cs3UserShareToPermission(ctx context.Context, share *c
perm.SetRoles([]string{role.GetId()})
} else {
actions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(share.GetPermissions().GetPermissions())
// neither a role nor actions are set, that is a full denial
if len(actions) == 0 {
actions = []string{"access denied"}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rhafer Not the "nicest" solution, I admit.

We have the contract with the clients that we

  • either set a value on roles
  • or set a value on @libre.graph.permissions.actions

That means, if we disable the role "RoleDenied" and have existing shares, we need to return at least a hint to the user.

Fine for me, if you want to solve it differently.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After discussion with @butonic and @kobergj we decided to return none in that case.

@@ -482,6 +482,10 @@ func (g BaseGraphService) cs3UserShareToPermission(ctx context.Context, share *c
perm.SetRoles([]string{role.GetId()})
} else {
actions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(share.GetPermissions().GetPermissions())
// neither a role nor actions are set, that is a full denial
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important Info: We decided long ago, that we will only go with a "full denial", we do not intend to think about negative permissions in the future. So my assumption here is valid.

@mmattel
Copy link
Contributor

mmattel commented Nov 22, 2024

  • put FRONTEND_OCS_ENABLE_DENIALS to deprecated envs

Before merging, if the var has been deprecated, please run make -C docs docs-generate to add the changed env_vars.yaml to the PR. I need to do afterwards with a separate PR the changed envvar magic... 😅

@micbar
Copy link
Contributor Author

micbar commented Nov 22, 2024

Before merging, if the var has been deprecated, please run make -C docs docs-generate to add the changed env_vars.yaml to the PR. I need to do afterwards with a separate PR the changed envvar magic... 😅

Needs to be discussed with @kobergj

We deprecated the whole OCS Api with 5.0.0.

I would have removed it already but the clients were not able to move to the LibreGraph API in time.

@butonic
Copy link
Member

butonic commented Nov 25, 2024

@micbar
Copy link
Contributor Author

micbar commented Nov 25, 2024

@micbar micbar force-pushed the fix-denials-graph branch 2 times, most recently from f93a001 to c5d0cc2 Compare November 25, 2024 09:54
@micbar micbar merged commit b5decc6 into master Nov 25, 2024
4 checks passed
@micbar micbar deleted the fix-denials-graph branch November 25, 2024 12:30
ownclouders pushed a commit that referenced this pull request Nov 25, 2024
fix: fix deny access to prevent a regression
@micbar micbar mentioned this pull request Dec 17, 2024
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants