From 6b252881615f3c64f3df9904d91b8f70b2ca8cf9 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Mon, 27 Feb 2023 11:04:00 +0100 Subject: [PATCH] check set-project-space-quota permission Signed-off-by: jkoberg --- .../check-project-quota-permission.md | 5 +++ .../utils/decomposedfs/decomposedfs.go | 2 +- .../utils/decomposedfs/spacepermissions.go | 11 ++++-- pkg/storage/utils/decomposedfs/spaces.go | 36 ++++++++++++------- 4 files changed, 39 insertions(+), 15 deletions(-) create mode 100644 changelog/unreleased/check-project-quota-permission.md diff --git a/changelog/unreleased/check-project-quota-permission.md b/changelog/unreleased/check-project-quota-permission.md new file mode 100644 index 0000000000..58867a5cff --- /dev/null +++ b/changelog/unreleased/check-project-quota-permission.md @@ -0,0 +1,5 @@ +Enhancement: Check set project space quota permission + +Instead of checking for `set-space-quota` we now check for `Drive.ReadWriteQuota.Project` when changing project space quotas. + +https://github.com/cs3org/reva/pull/3690 diff --git a/pkg/storage/utils/decomposedfs/decomposedfs.go b/pkg/storage/utils/decomposedfs/decomposedfs.go index 9e5db2ff98..f3fbf1d5b3 100644 --- a/pkg/storage/utils/decomposedfs/decomposedfs.go +++ b/pkg/storage/utils/decomposedfs/decomposedfs.go @@ -467,7 +467,7 @@ func (fs *Decomposedfs) CreateHome(ctx context.Context) (err error) { u := ctxpkg.ContextMustGetUser(ctx) res, err := fs.CreateStorageSpace(ctx, &provider.CreateStorageSpaceRequest{ - Type: spaceTypePersonal, + Type: _spaceTypePersonal, Owner: u, }) if err != nil { diff --git a/pkg/storage/utils/decomposedfs/spacepermissions.go b/pkg/storage/utils/decomposedfs/spacepermissions.go index cd163a04bd..43ab99cefe 100644 --- a/pkg/storage/utils/decomposedfs/spacepermissions.go +++ b/pkg/storage/utils/decomposedfs/spacepermissions.go 
@@ -43,8 +43,15 @@ func (p Permissions) CreateSpace(ctx context.Context, spaceid string) bool { } // SetSpaceQuota returns true when the user is allowed to change the spaces quota -func (p Permissions) SetSpaceQuota(ctx context.Context, spaceid string) bool { - return p.checkPermission(ctx, "set-space-quota", spaceRef(spaceid)) +func (p Permissions) SetSpaceQuota(ctx context.Context, spaceid string, spaceType string) bool { + switch spaceType { + default: + return false // only quotas of personal and project space may be changed + case _spaceTypePersonal: + return p.checkPermission(ctx, "set-space-quota", spaceRef(spaceid)) + case _spaceTypeProject: + return p.checkPermission(ctx, "Drive.ReadWriteQuota.Project", spaceRef(spaceid)) + } } // ManageSpaceProperties returns true when the user is allowed to change space properties (name/subtitle) diff --git a/pkg/storage/utils/decomposedfs/spaces.go b/pkg/storage/utils/decomposedfs/spaces.go index 91d1926f1e..e3cd4d59f0 100644 --- a/pkg/storage/utils/decomposedfs/spaces.go +++ b/pkg/storage/utils/decomposedfs/spaces.go @@ -49,12 +49,12 @@ import ( ) const ( - spaceTypePersonal = "personal" - // spaceTypeProject = "project" - spaceTypeShare = "share" - spaceTypeAny = "*" - spaceIDAny = "*" - userIDAny = "*" + _spaceTypePersonal = "personal" + _spaceTypeProject = "project" + spaceTypeShare = "share" + spaceTypeAny = "*" + spaceIDAny = "*" + userIDAny = "*" quotaUnrestricted = 0 ) @@ -78,7 +78,7 @@ func (fs *Decomposedfs) CreateStorageSpace(ctx context.Context, req *provider.Cr } // TODO enforce a uuid? // TODO clarify if we want to enforce a single personal storage space or if we want to allow sending the spaceid - if req.Type == spaceTypePersonal { + if req.Type == _spaceTypePersonal { spaceID = req.GetOwner().GetId().GetOpaqueId() alias = templates.WithSpacePropertiesAndUser(u, req.Type, req.Name, fs.o.PersonalSpaceAliasTemplate) } 
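Review bot: The doc comment above the new `SetSpaceQuota` signature still describes the one-argument version and says nothing about `spaceType` or the fail-closed `default: return false` branch, so a reader cannot tell from it that every type other than `_spaceTypePersonal` and `_spaceTypeProject` is denied. I would replace it with `// SetSpaceQuota returns true when the user is allowed to change the quota of a space of the given type. Only personal and project spaces are supported; any other or unknown space type is denied.` As a point of style, the `default` case sits first in the switch; Go allows that, but readers expect it last, and moving it below the two named cases keeps the denial readable as the fall-through. Checking the legacy `set-space-quota` for personal spaces but `Drive.ReadWriteQuota.Project` for project spaces matches the changelog, yet deserves a one-line comment so the two different permission strings are not mistaken for a typo.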
@@ -157,7 +157,7 @@ func (fs *Decomposedfs) CreateStorageSpace(ctx context.Context, req *provider.Cr ctx = context.WithValue(ctx, utils.SpaceGrant, struct{ SpaceType string }{SpaceType: req.Type}) - if req.Type != spaceTypePersonal { + if req.Type != _spaceTypePersonal { u := ctxpkg.ContextMustGetUser(ctx) if err := fs.AddGrant(ctx, &provider.Reference{ ResourceId: &provider.ResourceId{ @@ -531,10 +531,22 @@ func (fs *Decomposedfs) UpdateStorageSpace(ctx context.Context, req *provider.Up } } - if mapHasKey(metadata, prefixes.QuotaAttr) && !fs.p.SetSpaceQuota(ctx, spaceID) { - return &provider.UpdateStorageSpaceResponse{ - Status: &v1beta11.Status{Code: v1beta11.Code_CODE_PERMISSION_DENIED}, - }, nil + if mapHasKey(metadata, prefixes.QuotaAttr) { + typ, err := spaceNode.SpaceRoot.Xattr(prefixes.SpaceTypeAttr) + if err != nil { + return &provider.UpdateStorageSpaceResponse{ + Status: &v1beta11.Status{ + Code: v1beta11.Code_CODE_INTERNAL, + Message: "space has no type", + }, + }, nil + } + + if !fs.p.SetSpaceQuota(ctx, spaceID, string(typ)) { + return &provider.UpdateStorageSpaceResponse{ + Status: &v1beta11.Status{Code: v1beta11.Code_CODE_PERMISSION_DENIED}, + }, nil + } } err = spaceNode.SetXattrs(metadata, true)
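Review bot: In the `UpdateStorageSpace` hunk the error returned by `spaceNode.SpaceRoot.Xattr(prefixes.SpaceTypeAttr)` is dropped and every failure is reported as `Message: "space has no type"`, although a read error on the attribute is not a missing attribute and the real cause is lost for whoever has to debug a quota change that suddenly returns CODE_INTERNAL. I would keep the internal status but stop asserting the cause and preserve the error, e.g. `Message: "could not read space type: " + err.Error(),` — or, if returning raw error text to the caller is not wanted, log `err` with the request logger (which I cannot see in this hunk) and keep a neutral message. The `typ, err := ...` inside the `if` also shadows the function-level `err` that `err = spaceNode.SetXattrs(metadata, true)` assigns right after the block; it compiles, but the shadow analyzer flags it and a distinct name such as `spaceType, xerr :=` avoids the confusion. The fail-closed behaviour is correct and worth a short comment at the call: an empty or unexpected attribute value is passed to `SetSpaceQuota`, whose default branch denies it, so a corrupted type attribute yields PERMISSION_DENIED rather than an unchecked quota write. `UpdateStorageSpace` starts and ends outside this hunk.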