Graph User Capabilities

changelog/unreleased/bump-reva.md

@@ -16,3 +16,4 @@ Changelog for reva 2.13.3 (2023-05-17)
 *   Enhancement [cs3org/reva#3895](https://github.com/cs3org/reva/pull/3895): Add missing expiry date to shares
 
 https://github.com/owncloud/ocis/pull/6305
+https://github.com/owncloud/ocis/pull/6339

changelog/unreleased/graph-user-capabilities.md

@@ -0,0 +1,5 @@
+Enhancement: Graph user capabilities
+
+Adds capablities to show if users are writeable in LDAP so clients can block their specific fields
+
+https://github.com/owncloud/ocis/pull/6339

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/cs3org/go-cs3apis v0.0.0-20221012090518-ef2996678965
-	github.com/cs3org/reva/v2 v2.13.3
+	github.com/cs3org/reva/v2 v2.13.4-0.20230517171752-b39e78fd7b28
 	github.com/disintegration/imaging v1.6.2
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 	github.com/egirna/icap-client v0.1.1

go.sum

@@ -627,8 +627,8 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
 github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
-github.com/cs3org/reva/v2 v2.13.3 h1:XP17/bl2EtwYcoX755hcg43EIagP1CAw/+loVFvHHM4=
-github.com/cs3org/reva/v2 v2.13.3/go.mod h1:MoymB39kU/myG7LFkaCwqtoXQHct+/8uoZAvJEmNi+I=
+github.com/cs3org/reva/v2 v2.13.4-0.20230517171752-b39e78fd7b28 h1:y8oUHEWGXrs9/jdU0sG3zNRyoDBONyxCRJJfb9Nsbqw=
+github.com/cs3org/reva/v2 v2.13.4-0.20230517171752-b39e78fd7b28/go.mod h1:MoymB39kU/myG7LFkaCwqtoXQHct+/8uoZAvJEmNi+I=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=

services/frontend/pkg/config/config.go

@@ -47,6 +47,7 @@ type Config struct {
 	OCS                    OCS         `yaml:"ocs"`
 	Checksums              Checksums   `yaml:"checksums"`
 	ReadOnlyUserAttributes []string    `yaml:"read_only_user_attributes" env:"FRONTEND_READONLY_USER_ATTRIBUTES" desc:"Comma separated list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.accountEnabled' (login allowed), 'drive.quota' (quota)."`
+	LDAPServerWriteEnabled bool        `yaml:"ldap_server_write_enabled" env:"OCIS_LDAP_SERVER_WRITE_ENABLED;FRONTEND_LDAP_SERVER_WRITE_ENABLED" desc:"Allow to create, modify and delete LDAP users via the GRAPH API."`
 
 	Middleware Middleware `yaml:"middleware"`
 

services/frontend/pkg/revaconfig/config.go

@@ -200,8 +200,13 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
 								"support_url_signing": true,
 							},
 							"graph": map[string]interface{}{
-								"personal_data_export":      true,
-								"read_only_user_attributes": readOnlyUserAttributes,
+								"personal_data_export": true,
+								"users": map[string]interface{}{
+									"read_only_attributes":          readOnlyUserAttributes,
+									"create_disabled":               !cfg.LDAPServerWriteEnabled,
+									"delete_disabled":               !cfg.LDAPServerWriteEnabled,
+									"change_password_self_disabled": !cfg.LDAPServerWriteEnabled,
+								},
 							},
 							"checksums": map[string]interface{}{
 								"supported_types":       cfg.Checksums.SupportedTypes,

services/graph/pkg/config/config.go

@@ -53,7 +53,7 @@ type LDAP struct {
 	BindPassword       string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;GRAPH_LDAP_BIND_PASSWORD" desc:"Password to use for authenticating the 'bind_dn'."`
 	UseServerUUID      bool   `yaml:"use_server_uuid" env:"GRAPH_LDAP_SERVER_UUID" desc:"If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute."`
 	UsePasswordModExOp bool   `yaml:"use_password_modify_exop" env:"GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP" desc:"Use the 'Password Modify Extended Operation' for updating user passwords."`
-	WriteEnabled       bool   `yaml:"write_enabled" env:"GRAPH_LDAP_SERVER_WRITE_ENABLED" desc:"Allow to create, modify and delete LDAP users via GRAPH API. This is only works when the default Schema is used."`
+	WriteEnabled       bool   `yaml:"write_enabled" env:"OCIS_LDAP_SERVER_WRITE_ENABLED;GRAPH_LDAP_SERVER_WRITE_ENABLED" desc:"Allow to create, modify and delete LDAP users via the GRAPH API. This is only works when the default Schema is used."`
 	RefintEnabled      bool   `yaml:"refint_enabled" env:"GRAPH_LDAP_REFINT_ENABLED" desc:"Signals that the server has the refint plugin enabled, which makes some actions not needed."`
 
 	UserBaseDN               string `yaml:"user_base_dn" env:"OCIS_LDAP_USER_BASE_DN;LDAP_USER_BASE_DN;GRAPH_LDAP_USER_BASE_DN" desc:"Search base DN for looking up LDAP users." deprecationVersion:"3.0" removalVersion:"4.0.0" deprecationInfo:"LDAP_USER_BASE_DN changing name for consistency" deprecationReplacement:"OCIS_LDAP_USER_BASE_DN"`

services/settings/pkg/store/defaults/defaults.go

@@ -420,6 +420,21 @@ func generateBundleSpaceAdminRole() *settingsmsg.Bundle {
 					},
 				},
 			},
+			{
+				Id:          DeleteAllSpacesPermissionID,
+				Name:        DeleteAllSpacesPermissionName,
+				DisplayName: "Delete AllSpaces",
+				Description: "This permission allows to delete all spaces.",
+				Resource: &settingsmsg.Resource{
+					Type: settingsmsg.Resource_TYPE_SYSTEM,
+				},
+				Value: &settingsmsg.Setting_PermissionValue{
+					PermissionValue: &settingsmsg.Permission{
+						Operation:  settingsmsg.Permission_OPERATION_DELETE,
+						Constraint: settingsmsg.Permission_CONSTRAINT_ALL,
+					},
+				},
+			},
 			{
 				Id:          SetProjectSpaceQuotaPermissionID,
 				Name:        SetProjectSpaceQuotaPermissionName,

vendor/modules.txt

@@ -349,7 +349,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.13.3
+# github.com/cs3org/reva/v2 v2.13.4-0.20230517171752-b39e78fd7b28
 ## explicit; go 1.19
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime