Fix scope checks

cs3org · Apr 19, 2022 · 9c02d6b · 9c02d6b
1 parent 7a1083d
commit 9c02d6b
Showing 1 changed file with 17 additions and 17 deletions.
diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
@@ -64,15 +64,7 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s
 		return err
 	}
 
-	highestRole := authpb.Role_ROLE_VIEWER
-	for _, v := range tokenScope {
-		if roleRankings[v.Role] > roleRankings[highestRole] {
-			highestRole = v.Role
-			break
-		}
-	}
-
-	if ref, ok := extractRef(req, highestRole); ok {
+	if ref, ok := extractRef(req, tokenScope); ok {
 		// The request is for a storage reference. This can be the case for multiple scenarios:
 		// - If the path is not empty, the request might be coming from a share where the accessor is
 		//   trying to impersonate the owner, since the share manager doesn't know the
@@ -295,22 +287,30 @@ func extractRefForUploaderRole(req interface{}) (*provider.Reference, bool) {
 
 }
 
-func extractRef(req interface{}, role authpb.Role) (*provider.Reference, bool) {
-	switch role {
-	case authpb.Role_ROLE_UPLOADER:
-		return extractRefForUploaderRole(req)
-	case authpb.Role_ROLE_VIEWER:
-		return extractRefForReaderRole(req)
-	default: // Owner or editor role
+func extractRef(req interface{}, tokenScope map[string]*authpb.Scope) (*provider.Reference, bool) {
+	var readPerm, editPerm bool
+	for _, v := range tokenScope {
+		if v.Role == authpb.Role_ROLE_OWNER || v.Role == authpb.Role_ROLE_EDITOR || v.Role == authpb.Role_ROLE_VIEWER {
+			readPerm = true
+		}
+		if v.Role == authpb.Role_ROLE_OWNER || v.Role == authpb.Role_ROLE_EDITOR || v.Role == authpb.Role_ROLE_UPLOADER {
+			editPerm = true
+		}
+	}
+
+	if readPerm {
 		ref, ok := extractRefForReaderRole(req)
 		if ok {
 			return ref, true
 		}
-		ref, ok = extractRefForUploaderRole(req)
+	}
+	if editPerm {
+		ref, ok := extractRefForUploaderRole(req)
 		if ok {
 			return ref, true
 		}
 	}
+
 	return nil, false
 }