-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: fix deny access to prevent a regression #10627
Conversation
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
d4b6566
to
28d8b7d
Compare
|
28d8b7d
to
fdc10b1
Compare
If this gets merged, I will do the needed translation on transifex for the new strings. Note, if TX needs to be added quickly befor final releasing, one needs to initiate a manualy sync, I will do the TX and another sync needs to be done. Then all is up to date. |
tested:
remarks:
@micbar today I saw that you had similar issue and fixed it. it was case with project space - it works
|
Correct. That was a general issue with sharing and has been fixed in reva cs3org/reva#4968. Needs a reva bump to arrive in ocis master. |
fdc10b1
to
028fab2
Compare
@@ -482,6 +482,10 @@ func (g BaseGraphService) cs3UserShareToPermission(ctx context.Context, share *c | |||
perm.SetRoles([]string{role.GetId()}) | |||
} else { | |||
actions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(share.GetPermissions().GetPermissions()) | |||
// neither a role nor actions are set, that is a full denial | |||
if len(actions) == 0 { | |||
actions = []string{"access denied"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rhafer Not the "nicest" solution, I admit.
We have the contract with the clients that we
- either set a value on
roles
- or set a value on
@libre.graph.permissions.actions
That means, if we disable the role "RoleDenied" and have existing shares, we need to return at least a hint to the user.
Fine for me, if you want to solve it differently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -482,6 +482,10 @@ func (g BaseGraphService) cs3UserShareToPermission(ctx context.Context, share *c | |||
perm.SetRoles([]string{role.GetId()}) | |||
} else { | |||
actions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(share.GetPermissions().GetPermissions()) | |||
// neither a role nor actions are set, that is a full denial |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Important Info: We decided long ago, that we will only go with a "full denial", we do not intend to think about negative permissions in the future. So my assumption here is valid.
028fab2
to
31a80fa
Compare
Before merging, if the var has been deprecated, please run |
Needs to be discussed with @kobergj We deprecated the whole OCS Api with 5.0.0. I would have removed it already but the clients were not able to move to the LibreGraph API in time. |
31a80fa
to
cb1b07e
Compare
f93a001
to
c5d0cc2
Compare
c5d0cc2
to
bac2256
Compare
Quality Gate passedIssues Measures |
fix: fix deny access to prevent a regression
Regression in ocis 7.0.0-rc.3
After updating an ocis 5.0.9 to ocis 7.0.0-rc.3, existing denials are breaking the web client.
Related Issue
Motivation and Context
How Has This Been Tested?
Screenshots (if appropriate):
Types of changes
Checklist: