Merge pull request #3690 from kobergj/CheckSetProjectSpaceQuotaPermis…

…sion

Check for SetProjectSpaceQuota permission

changelog/unreleased/check-project-quota-permission.md

@@ -0,0 +1,5 @@
+Enhancement: Check set project space quota permission
+
+Instead of checking for `set-space-quota` we now check for `Drive.ReadWriteQuota.Project` when changing project space quotas.
+
+https://github.com/cs3org/reva/pull/3690

pkg/storage/utils/decomposedfs/decomposedfs.go

@@ -467,7 +467,7 @@ func (fs *Decomposedfs) CreateHome(ctx context.Context) (err error) {
 
 	u := ctxpkg.ContextMustGetUser(ctx)
 	res, err := fs.CreateStorageSpace(ctx, &provider.CreateStorageSpaceRequest{
-		Type:  spaceTypePersonal,
+		Type:  _spaceTypePersonal,
 		Owner: u,
 	})
 	if err != nil {

pkg/storage/utils/decomposedfs/spacepermissions.go

@@ -43,8 +43,15 @@ func (p Permissions) CreateSpace(ctx context.Context, spaceid string) bool {
 }
 
 // SetSpaceQuota returns true when the user is allowed to change the spaces quota
-func (p Permissions) SetSpaceQuota(ctx context.Context, spaceid string) bool {
-	return p.checkPermission(ctx, "set-space-quota", spaceRef(spaceid))
+func (p Permissions) SetSpaceQuota(ctx context.Context, spaceid string, spaceType string) bool {
+	switch spaceType {
+	default:
+		return false // only quotas of personal and project space may be changed
+	case _spaceTypePersonal:
+		return p.checkPermission(ctx, "set-space-quota", spaceRef(spaceid))
+	case _spaceTypeProject:
+		return p.checkPermission(ctx, "Drive.ReadWriteQuota.Project", spaceRef(spaceid))
+	}
 }
 
 // ManageSpaceProperties returns true when the user is allowed to change space properties (name/subtitle)

pkg/storage/utils/decomposedfs/spaces.go

@@ -49,12 +49,12 @@ import (
 )
 
 const (
-	spaceTypePersonal = "personal"
-	// spaceTypeProject  = "project"
-	spaceTypeShare = "share"
-	spaceTypeAny   = "*"
-	spaceIDAny     = "*"
-	userIDAny      = "*"
+	_spaceTypePersonal = "personal"
+	_spaceTypeProject  = "project"
+	spaceTypeShare     = "share"
+	spaceTypeAny       = "*"
+	spaceIDAny         = "*"
+	userIDAny          = "*"
 
 	quotaUnrestricted = 0
 )
@@ -78,7 +78,7 @@ func (fs *Decomposedfs) CreateStorageSpace(ctx context.Context, req *provider.Cr
 	}
 	// TODO enforce a uuid?
 	// TODO clarify if we want to enforce a single personal storage space or if we want to allow sending the spaceid
-	if req.Type == spaceTypePersonal {
+	if req.Type == _spaceTypePersonal {
 		spaceID = req.GetOwner().GetId().GetOpaqueId()
 		alias = templates.WithSpacePropertiesAndUser(u, req.Type, req.Name, fs.o.PersonalSpaceAliasTemplate)
 	}
@@ -157,7 +157,7 @@ func (fs *Decomposedfs) CreateStorageSpace(ctx context.Context, req *provider.Cr
 
 	ctx = context.WithValue(ctx, utils.SpaceGrant, struct{ SpaceType string }{SpaceType: req.Type})
 
-	if req.Type != spaceTypePersonal {
+	if req.Type != _spaceTypePersonal {
 		u := ctxpkg.ContextMustGetUser(ctx)
 		if err := fs.AddGrant(ctx, &provider.Reference{
 			ResourceId: &provider.ResourceId{
@@ -531,10 +531,22 @@ func (fs *Decomposedfs) UpdateStorageSpace(ctx context.Context, req *provider.Up
 		}
 	}
 
-	if mapHasKey(metadata, prefixes.QuotaAttr) && !fs.p.SetSpaceQuota(ctx, spaceID) {
-		return &provider.UpdateStorageSpaceResponse{
-			Status: &v1beta11.Status{Code: v1beta11.Code_CODE_PERMISSION_DENIED},
-		}, nil
+	if mapHasKey(metadata, prefixes.QuotaAttr) {
+		typ, err := spaceNode.SpaceRoot.Xattr(prefixes.SpaceTypeAttr)
+		if err != nil {
+			return &provider.UpdateStorageSpaceResponse{
+				Status: &v1beta11.Status{
+					Code:    v1beta11.Code_CODE_INTERNAL,
+					Message: "space has no type",
+				},
+			}, nil
+		}
+
+		if !fs.p.SetSpaceQuota(ctx, spaceID, string(typ)) {
+			return &provider.UpdateStorageSpaceResponse{
+				Status: &v1beta11.Status{Code: v1beta11.Code_CODE_PERMISSION_DENIED},
+			}, nil
+		}
 	}
 
 	err = spaceNode.SetXattrs(metadata, true)