Fix scope checks

cs3org · Apr 19, 2022 · d1cdc26 · d1cdc26
1 parent 7a1083d
commit d1cdc26
Showing 1 changed file with 37 additions and 19 deletions.
diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
@@ -64,15 +64,7 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s
 		return err
 	}
 
-	highestRole := authpb.Role_ROLE_VIEWER
-	for _, v := range tokenScope {
-		if roleRankings[v.Role] > roleRankings[highestRole] {
-			highestRole = v.Role
-			break
-		}
-	}
-
-	if ref, ok := extractRef(req, highestRole); ok {
+	if ref, ok := extractRef(req, tokenScope); ok {
 		// The request is for a storage reference. This can be the case for multiple scenarios:
 		// - If the path is not empty, the request might be coming from a share where the accessor is
 		//   trying to impersonate the owner, since the share manager doesn't know the
@@ -279,12 +271,21 @@ func extractRefForUploaderRole(req interface{}) (*provider.Reference, bool) {
 		return v.GetRef(), true
 	case *provider.TouchFileRequest:
 		return v.GetRef(), true
+	case *provider.InitiateFileUploadRequest:
+		return v.GetRef(), true
+	}
+
+	return nil, false
+
+}
+
+func extractRefForEditorRole(req interface{}) (*provider.Reference, bool) {
+	switch v := req.(type) {
+	// Remaining edit Requests
 	case *provider.DeleteRequest:
 		return v.GetRef(), true
 	case *provider.MoveRequest:
 		return v.GetSource(), true
-	case *provider.InitiateFileUploadRequest:
-		return v.GetRef(), true
 	case *provider.SetArbitraryMetadataRequest:
 		return v.GetRef(), true
 	case *provider.UnsetArbitraryMetadataRequest:
@@ -295,22 +296,39 @@ func extractRefForUploaderRole(req interface{}) (*provider.Reference, bool) {
 
 }
 
-func extractRef(req interface{}, role authpb.Role) (*provider.Reference, bool) {
-	switch role {
-	case authpb.Role_ROLE_UPLOADER:
-		return extractRefForUploaderRole(req)
-	case authpb.Role_ROLE_VIEWER:
-		return extractRefForReaderRole(req)
-	default: // Owner or editor role
+func extractRef(req interface{}, tokenScope map[string]*authpb.Scope) (*provider.Reference, bool) {
+	var readPerm, uploadPerm, editPerm bool
+	for _, v := range tokenScope {
+		if v.Role == authpb.Role_ROLE_OWNER || v.Role == authpb.Role_ROLE_EDITOR || v.Role == authpb.Role_ROLE_VIEWER {
+			readPerm = true
+		}
+		if v.Role == authpb.Role_ROLE_OWNER || v.Role == authpb.Role_ROLE_EDITOR || v.Role == authpb.Role_ROLE_UPLOADER {
+			uploadPerm = true
+		}
+		if v.Role == authpb.Role_ROLE_OWNER || v.Role == authpb.Role_ROLE_EDITOR {
+			editPerm = true
+		}
+	}
+
+	if readPerm {
 		ref, ok := extractRefForReaderRole(req)
 		if ok {
 			return ref, true
 		}
-		ref, ok = extractRefForUploaderRole(req)
+	}
+	if uploadPerm {
+		ref, ok := extractRefForUploaderRole(req)
+		if ok {
+			return ref, true
+		}
+	}
+	if editPerm {
+		ref, ok := extractRefForEditorRole(req)
 		if ok {
 			return ref, true
 		}
 	}
+
 	return nil, false
 }