Spaces: Create Sharing role Manager (#2065)

cs3org · Sep 14, 2021 · d2e3daa · d2e3daa
1 parent 42dc62e
commit d2e3daa
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 72 deletions.
diff --git a/changelog/unreleased/sharing-manager-role.md b/changelog/unreleased/sharing-manager-role.md
@@ -0,0 +1,5 @@
+Enhancement: New sharing role Manager
+
+The new Manager role is equivalent to a Co-Owner with the difference that a Manager can create grants on the root of the Space. This means inviting a user to a space will not require an action from them, as the Manager assigns the grants.
+
+https://github.com/cs3org/reva/pull/2065
diff --git a/internal/http/services/owncloud/ocs/conversions/role.go b/internal/http/services/owncloud/ocs/conversions/role.go
@@ -26,28 +26,31 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 )
 
-// Role describes the interface to transform different permission sets into each other
+// Role is a set of ocs permissions and cs3 resource permissions under a common name.
 type Role struct {
 	Name                   string
 	cS3ResourcePermissions *provider.ResourcePermissions
 	ocsPermissions         Permissions
 }
 
 const (
-	// RoleUnknown is used for unknown roles
-	RoleUnknown string = "unknown"
-	// RoleLegacy provides backwards compatibility
-	RoleLegacy string = "legacy"
-	// RoleViewer grants non-editor role on a resource
-	RoleViewer string = "viewer"
-	// RoleEditor grants editor permission on a resource, including folders
-	RoleEditor string = "editor"
-	// RoleFileEditor grants editor permission on a single file
-	RoleFileEditor string = "file-editor"
-	// RoleCoowner grants owner permissions on a resource
-	RoleCoowner string = "coowner"
-	// RoleUploader FIXME: uploader role with only write permission can use InitiateFileUpload, not anything else
-	RoleUploader string = "uploader"
+	// RoleViewer grants non-editor role on a resource.
+	RoleViewer = "viewer"
+	// RoleEditor grants editor permission on a resource, including folders.
+	RoleEditor = "editor"
+	// RoleFileEditor grants editor permission on a single file.
+	RoleFileEditor = "file-editor"
+	// RoleCoowner grants co-owner permissions on a resource.
+	RoleCoowner = "coowner"
+	// RoleUploader grants uploader permission to upload onto a resource.
+	RoleUploader = "uploader"
+	// RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
+	RoleManager = "manager"
+
+	// RoleUnknown is used for unknown roles.
+	RoleUnknown = "unknown"
+	// RoleLegacy provides backwards compatibility.
+	RoleLegacy = "legacy"
 )
 
 // CS3ResourcePermissions for the role
@@ -91,7 +94,6 @@ func (r *Role) OCSPermissions() Permissions {
 // M = Mounted
 func (r *Role) WebDAVPermissions(isDir, isShared, isMountpoint, isPublic bool) string {
 	var b strings.Builder
-	// b.Grow(7)
 	if !isPublic && isShared {
 		fmt.Fprintf(&b, "S")
 	}
@@ -129,11 +131,14 @@ func RoleFromName(name string) *Role {
 		return NewCoownerRole()
 	case RoleUploader:
 		return NewUploaderRole()
+	case RoleManager:
+		return NewManagerRole()
+	default:
+		return NewUnknownRole()
 	}
-	return NewUnknownRole()
 }
 
-// NewUnknownRole creates an unknown role
+// NewUnknownRole creates an unknown role. An Unknown role has no permissions over a cs3 resource nor any ocs endpoint.
 func NewUnknownRole() *Role {
 	return &Role{
 		Name:                   RoleUnknown,
@@ -147,7 +152,6 @@ func NewViewerRole() *Role {
 	return &Role{
 		Name: RoleViewer,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath:              true,
 			GetQuota:             true,
 			InitiateFileDownload: true,
@@ -166,7 +170,6 @@ func NewEditorRole() *Role {
 	return &Role{
 		Name: RoleEditor,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath:              true,
 			GetQuota:             true,
 			InitiateFileDownload: true,
@@ -175,21 +178,13 @@ func NewEditorRole() *Role {
 			ListFileVersions:     true,
 			ListRecycle:          true,
 			Stat:                 true,
-
-			// write
-			InitiateFileUpload: true,
-			RestoreFileVersion: true,
-			RestoreRecycleItem: true,
-
-			// create
-			CreateContainer: true,
-
-			// delete
-			Delete: true,
-
-			// not sure where to put these, but they are part of an editor
-			Move:         true,
-			PurgeRecycle: true,
+			InitiateFileUpload:   true,
+			RestoreFileVersion:   true,
+			RestoreRecycleItem:   true,
+			CreateContainer:      true,
+			Delete:               true,
+			Move:                 true,
+			PurgeRecycle:         true,
 		},
 		ocsPermissions: PermissionRead | PermissionCreate | PermissionWrite | PermissionDelete,
 	}
@@ -200,7 +195,6 @@ func NewFileEditorRole() *Role {
 	return &Role{
 		Name: RoleEditor,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath:              true,
 			GetQuota:             true,
 			InitiateFileDownload: true,
@@ -209,11 +203,9 @@ func NewFileEditorRole() *Role {
 			ListFileVersions:     true,
 			ListRecycle:          true,
 			Stat:                 true,
-
-			// write
-			InitiateFileUpload: true,
-			RestoreFileVersion: true,
-			RestoreRecycleItem: true,
+			InitiateFileUpload:   true,
+			RestoreFileVersion:   true,
+			RestoreRecycleItem:   true,
 		},
 		ocsPermissions: PermissionRead | PermissionWrite,
 	}
@@ -224,7 +216,6 @@ func NewCoownerRole() *Role {
 	return &Role{
 		Name: RoleCoowner,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// read
 			GetPath:              true,
 			GetQuota:             true,
 			InitiateFileDownload: true,
@@ -233,26 +224,16 @@ func NewCoownerRole() *Role {
 			ListFileVersions:     true,
 			ListRecycle:          true,
 			Stat:                 true,
-
-			// write
-			InitiateFileUpload: true,
-			RestoreFileVersion: true,
-			RestoreRecycleItem: true,
-
-			// create
-			CreateContainer: true,
-
-			// delete
-			Delete: true,
-
-			// not sure where to put these, but they are part of an editor
-			Move:         true,
-			PurgeRecycle: true,
-
-			// grants
-			AddGrant:    true,
-			UpdateGrant: true,
-			RemoveGrant: true,
+			InitiateFileUpload:   true,
+			RestoreFileVersion:   true,
+			RestoreRecycleItem:   true,
+			CreateContainer:      true,
+			Delete:               true,
+			Move:                 true,
+			PurgeRecycle:         true,
+			AddGrant:             true,
+			UpdateGrant:          true,
+			RemoveGrant:          true,
 		},
 		ocsPermissions: PermissionAll,
 	}
@@ -263,21 +244,46 @@ func NewUploaderRole() *Role {
 	return &Role{
 		Name: RoleViewer,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
-			// he will need to make stat requests
-			// TODO and List requests
-			Stat:          true,
-			ListContainer: true,
-			// read
-			GetPath: true,
-			// mkdir
-			CreateContainer: true,
-			// upload
+			Stat:               true,
+			ListContainer:      true,
+			GetPath:            true,
+			CreateContainer:    true,
 			InitiateFileUpload: true,
 		},
 		ocsPermissions: PermissionCreate,
 	}
 }
 
+// NewManagerRole creates an editor role
+func NewManagerRole() *Role {
+	return &Role{
+		Name: RoleManager,
+		cS3ResourcePermissions: &provider.ResourcePermissions{
+			GetPath:              true,
+			GetQuota:             true,
+			InitiateFileDownload: true,
+			ListGrants:           true,
+			ListContainer:        true,
+			ListFileVersions:     true,
+			ListRecycle:          true,
+			Stat:                 true,
+			InitiateFileUpload:   true,
+			RestoreFileVersion:   true,
+			RestoreRecycleItem:   true,
+			Move:                 true,
+			CreateContainer:      true,
+			Delete:               true,
+			PurgeRecycle:         true,
+
+			// these permissions only make sense to enforce them in the root of the storage space.
+			AddGrant:    true, // managers can add users to the space
+			RemoveGrant: true, // managers can remove users from the space
+			UpdateGrant: true,
+		},
+		ocsPermissions: PermissionAll,
+	}
+}
+
 // RoleFromOCSPermissions tries to map ocs permissions to a role
 func RoleFromOCSPermissions(p Permissions) *Role {
 	if p.Contain(PermissionRead) {

diff --git a/pkg/storage/utils/decomposedfs/spaces.go b/pkg/storage/utils/decomposedfs/spaces.go
@@ -129,7 +129,7 @@ func (fs *Decomposedfs) CreateStorageSpace(ctx context.Context, req *provider.Cr
 				UserId: u.Id,
 			},
 		},
-		Permissions: ocsconv.NewEditorRole().CS3ResourcePermissions(),
+		Permissions: ocsconv.NewManagerRole().CS3ResourcePermissions(),
 	}); err != nil {
 		return nil, err
 	}