Skip to content

Commit

Permalink
Migrate deny-acl UI code from CERNbox
Browse files Browse the repository at this point in the history
  • Loading branch information
pascalwengerter committed Jun 28, 2022
1 parent a5417d3 commit 92a70d3
Show file tree
Hide file tree
Showing 7 changed files with 52 additions and 11 deletions.
5 changes: 5 additions & 0 deletions changelog/unreleased/enhancement-deny-subfolder-share
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Enhancement: Deny subfolders inside share

Subfolders within non-link shares can now be denied for certain share receivers if the backend is capabable of negative ACLs.

https://github.com/owncloud/web/pull/7190
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,8 @@ export default {
inviteLabel() {
if (this.selectedRole.hasCustomPermissions) {
return this.$gettext('Invite with custom permissions')
} else if (this.selectedRole.permissions().includes(SharePermissions.deny)) {
return this.$gettext('Deny access')
} else {
return this.$gettextInterpolate(this.$gettext('Invite as %{ name }'), {
name: this.selectedRole.inlineLabel || ''
Expand All @@ -168,7 +170,7 @@ export default {
},
availableRoles() {
if (this.resourceIsSpace) {
return SpacePeopleShareRoles.list()
return SpacePeopleShareRoles.list(this.resource.canDeny())
}
if (this.resource.isReceivedShare() && this.resourceIsSharable && this.share) {
Expand All @@ -180,7 +182,11 @@ export default {
)
}
return PeopleShareRoles.list(this.resource.isFolder, this.allowCustomSharing !== false)
return PeopleShareRoles.list(
this.resource.isFolder,
this.allowCustomSharing !== false,
this.resource.canDeny()
)
},
availablePermissions() {
if (this.resource.isReceivedShare() && this.resourceIsSharable && this.share) {
Expand Down Expand Up @@ -211,9 +217,12 @@ export default {
if (this.existingRole) {
this.selectedRole = this.existingRole
} else if (this.resourceIsSpace) {
this.selectedRole = SpacePeopleShareRoles.list()[0]
this.selectedRole = SpacePeopleShareRoles.list(this.resource.canDeny())[0]
} else {
this.selectedRole = PeopleShareRoles.list(this.resource.isFolder)[0]
this.selectedRole = PeopleShareRoles.list(
this.resource.isFolder,
this.resource.canDeny()
)[0]
}
if (this.selectedRole.hasCustomPermissions) {
Expand Down
1 change: 1 addition & 0 deletions packages/web-app-files/src/helpers/resource/resource.ts
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ export interface Resource {
canRename?(): boolean
canBeDeleted?(): boolean
canBeRestored?(): boolean
canDeny?(): boolean

isReceivedShare?(): boolean
isMounted?(): boolean
Expand Down
12 changes: 12 additions & 0 deletions packages/web-app-files/src/helpers/resources.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import {
ShareTypes,
SpacePeopleShareRoles,
spaceRoleEditor,
spaceRoleDeny,
spaceRoleManager,
spaceRoleViewer
} from './share'
Expand Down Expand Up @@ -109,6 +110,9 @@ export function buildResource(resource): Resource {
isReceivedShare: function () {
return this.permissions.indexOf(DavPermission.Shared) >= 0
},
canDeny: function () {
return this.permissions.indexOf(DavPermission.Deny) >= 0
},
getDomSelector: () => extractDomSelector(id)
}
}
Expand Down Expand Up @@ -238,6 +242,9 @@ export function buildSpace(space) {
isReceivedShare: function () {
return false
},
canDeny: function () {
return false // FIXME
},
getDomSelector: () => extractDomSelector(space.id)
}
}
Expand Down Expand Up @@ -402,6 +409,7 @@ export function buildSharedResource(
resource.canShare = () => true
resource.canRename = () => true
resource.canBeDeleted = () => true
resource.canDeny = () => SharePermissions.deny.enabled(share.permissions)
}

resource.extension = extractExtensionFromFile(resource)
Expand Down Expand Up @@ -441,6 +449,10 @@ export function buildSpaceShare(s, storageId): Share {
permissions = spaceRoleViewer.bitmask(true)
role = spaceRoleViewer
break
case spaceRoleDeny.name:
permissions = spaceRoleDeny.bitmask(true)
role = spaceRoleDeny
break
}

return {
Expand Down
1 change: 1 addition & 0 deletions packages/web-app-files/src/helpers/share/permission.ts
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ export abstract class SharePermissions {
static readonly create = new SharePermission('create', 4, $gettext('Create'))
static readonly delete = new SharePermission('delete', 8, $gettext('Delete'))
static readonly share = new SharePermission('share', 16, $gettext('Share'))
static readonly deny = new SharePermission('deny', 64, $gettext('Deny'))

static permissionsToBitmask(permissions: SharePermission[]): number {
return (permissions || []).reduce((b: number, p: SharePermission) => b | p.bit, 0)
Expand Down
26 changes: 19 additions & 7 deletions packages/web-app-files/src/helpers/share/role.ts
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,13 @@ export const peopleRoleCustomFolder = new CustomShareRole(
SharePermissions.share
]
)
export const peopleRoleDenyFolder = new PeopleShareRole(
'deny',
true,
$gettext('Deny'),
$gettext('deny'),
[SharePermissions.deny]
)
export const linkRoleViewerFile = new LinkShareRole(
'viewer',
false,
Expand Down Expand Up @@ -214,6 +221,9 @@ export const linkRoleUploaderFolder = new LinkShareRole(
$gettext('uploader'),
[SharePermissions.create]
)
export const spaceRoleDeny = new SpaceShareRole('deny', false, $gettext('Deny'), $gettext('deny'), [
SharePermissions.deny
])
export const spaceRoleViewer = new SpaceShareRole(
'viewer',
false,
Expand Down Expand Up @@ -245,12 +255,13 @@ export const spaceRoleManager = new SpaceShareRole(
export abstract class SpacePeopleShareRoles {
static readonly all = [spaceRoleViewer, spaceRoleEditor, spaceRoleManager]

static list(): ShareRole[] {
return this.all
static list(canDeny: boolean = false): ShareRole[] {
return [...this.all, ...(canDeny ? [spaceRoleDeny] : [])]
}

static getByBitmask(bitmask: number): ShareRole {
return this.all.find((r) => r.bitmask(true) === bitmask)
return [...this.all, spaceRoleDeny] // Retrieve all possible options always, even if deny is not enabled
.find((r) => r.bitmask(true) === bitmask)
}
}

Expand All @@ -264,16 +275,16 @@ export abstract class PeopleShareRoles {

static readonly allWithCustom = [...this.all, peopleRoleCustomFile, peopleRoleCustomFolder]

static list(isFolder: boolean, hasCustom = true): ShareRole[] {
return (hasCustom ? this.allWithCustom : this.all).filter((r) => r.folder === isFolder)
static list(isFolder: boolean, hasCustom: boolean = true, canDeny: boolean = false): ShareRole[] {
return [...(hasCustom ? this.allWithCustom : this.all), ...(canDeny ? [peopleRoleDenyFolder] : [])].filter((r) => r.folder === isFolder)
}

static custom(isFolder: boolean): ShareRole {
return this.allWithCustom.find((r) => r.folder === isFolder && r.hasCustomPermissions)
}

static getByBitmask(bitmask: number, isFolder: boolean, allowSharing: boolean): ShareRole {
const role = this.allWithCustom
const role = [...this.allWithCustom, peopleRoleDenyFolder] // Retrieve all possible options always, even if deny is not enabled
.filter((r) => !r.hasCustomPermissions)
.find((r) => r.folder === isFolder && r.bitmask(allowSharing) === bitmask)
return role || this.custom(isFolder)
Expand Down Expand Up @@ -339,7 +350,8 @@ const shareRoleDescriptions = {
[peopleRoleEditorFolder.bitmask(false)]: $gettext('Upload, edit, delete, download and preview'),
[peopleRoleEditorFolder.bitmask(true)]: $gettext(
'Upload, edit, delete, download, preview and share'
)
),
[peopleRoleDenyFolder.bitmask(false)]: $gettext('Deny access')
}

/**
Expand Down
1 change: 1 addition & 0 deletions packages/web-pkg/src/constants/dav.ts
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ export abstract class DavPermission {
static readonly Updateable: string = 'NV'
static readonly FileUpdateable: string = 'W'
static readonly FolderCreateable: string = 'CK'
static readonly Deny: string = 'Z'
}

export abstract class DavProperty {
Expand Down

0 comments on commit 92a70d3

Please sign in to comment.