fix(Authorization): Create WRITE permission to signify the permission to edit children
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
This commit is contained in:
parent
a08673525c
commit
642eac3a0a
|
@ -417,7 +417,7 @@ class BookmarkController extends ApiController {
|
|||
foreach ($folders as $folder) {
|
||||
$permissions &= $this->authorizer->getPermissionsForFolder($folder, $this->request);
|
||||
}
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $permissions) || $this->authorizer->getUserId() === null) {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $permissions) || $this->authorizer->getUserId() === null) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
|
||||
|
@ -472,7 +472,7 @@ class BookmarkController extends ApiController {
|
|||
foreach ($folders as $folder) {
|
||||
$permissions &= $this->authorizer->getPermissionsForFolder($folder, $this->request);
|
||||
}
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $permissions)) {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $permissions)) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => ['Insufficient permissions']], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
}
|
||||
|
@ -651,7 +651,7 @@ class BookmarkController extends ApiController {
|
|||
* @PublicPage
|
||||
*/
|
||||
public function importBookmark($folder = null): JSONResponse {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($folder ?? -1, $this->request))) {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folder ?? -1, $this->request))) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
|
||||
|
@ -806,7 +806,7 @@ class BookmarkController extends ApiController {
|
|||
* @PublicPage
|
||||
*/
|
||||
public function acquireLock(): JSONResponse {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder(-1, $this->request))) {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder(-1, $this->request))) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
|
||||
|
@ -831,7 +831,7 @@ class BookmarkController extends ApiController {
|
|||
* @PublicPage
|
||||
*/
|
||||
public function releaseLock(): JSONResponse {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder(-1, $this->request))) {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder(-1, $this->request))) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
|
||||
|
|
|
@ -170,7 +170,7 @@ class FoldersController extends ApiController {
|
|||
* @PublicPage
|
||||
*/
|
||||
public function addFolder($title = '', $parent_folder = -1): JSONResponse {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($parent_folder, $this->request))) {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($parent_folder, $this->request))) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
try {
|
||||
|
@ -222,7 +222,7 @@ class FoldersController extends ApiController {
|
|||
* @PublicPage
|
||||
*/
|
||||
public function addToFolder($folderId, $bookmarkId): JSONResponse {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
|
||||
!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForBookmark($bookmarkId, $this->request))) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
|
@ -247,7 +247,7 @@ class FoldersController extends ApiController {
|
|||
* @PublicPage
|
||||
*/
|
||||
public function removeFromFolder($folderId, $bookmarkId): JSONResponse {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
|
||||
!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($bookmarkId, $this->request))) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
|
@ -415,7 +415,7 @@ class FoldersController extends ApiController {
|
|||
* @PublicPage
|
||||
*/
|
||||
public function setFolderChildrenOrder($folderId, $data = []): JSONResponse {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($folderId, $this->request))) {
|
||||
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folderId, $this->request))) {
|
||||
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
$folderId = $this->toInternalFolderId($folderId);
|
||||
|
@ -640,7 +640,7 @@ class FoldersController extends ApiController {
|
|||
return new Http\DataResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
try {
|
||||
$canWrite = $canWrite && Authorizer::hasPermission(Authorizer::PERM_EDIT, $permissions);
|
||||
$canWrite = $canWrite && Authorizer::hasPermission(Authorizer::PERM_WRITE, $permissions);
|
||||
$share = $this->folders->createShare($folderId, $participant, $type, $canWrite, $canShare);
|
||||
return new Http\DataResponse(['status' => 'success', 'item' => $share->toArray()]);
|
||||
} catch (DoesNotExistException $e) {
|
||||
|
@ -675,8 +675,7 @@ class FoldersController extends ApiController {
|
|||
return new Http\DataResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
|
||||
|
||||
$canWrite = $canWrite && Authorizer::hasPermission(Authorizer::PERM_EDIT, $permissions);
|
||||
$canWrite = $canWrite && Authorizer::hasPermission(Authorizer::PERM_WRITE, $permissions);
|
||||
$share->setCanWrite($canWrite);
|
||||
$share->setCanShare($canShare);
|
||||
$this->shareMapper->update($share);
|
||||
|
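Review bot: In removeFromFolder (hunk @ -247) the fallback check on the new side passes `$bookmarkId` to `getPermissionsForFolder()`, whereas the parallel check in addToFolder (hunk @ -222) passes it to `getPermissionsForBookmark()`; this looks like a pre-existing copy/paste slip that the commit carries forward, and it means the second operand evaluates the caller's rights on whatever folder happens to carry that numeric id rather than on the bookmark being removed. Because the guard only rejects when both checks fail, EDIT on an unrelated folder with a colliding id would be enough to pass it. The line should read `!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForBookmark($bookmarkId, $this->request))) {`. Both methods continue outside their hunks.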
|
|
@ -24,9 +24,10 @@ use OCP\IUserSession;
|
|||
class Authorizer {
|
||||
public const PERM_NONE = 0;
|
||||
public const PERM_READ = 1;
|
||||
public const PERM_EDIT = 2;
|
||||
public const PERM_EDIT = 2; // Allows editing the direct item
|
||||
public const PERM_RESHARE = 4;
|
||||
public const PERM_ALL = 7;
|
||||
public const PERM_WRITE = 8; // Allows adding and editing the item's descendants
|
||||
public const PERM_ALL = 15;
|
||||
|
||||
private $userId;
|
||||
private $token = null;
|
||||
|
@ -167,6 +168,7 @@ class Authorizer {
|
|||
$perms = self::PERM_READ;
|
||||
if ($canWrite) {
|
||||
$perms |= self::PERM_EDIT;
|
||||
$perms |= self::PERM_WRITE;
|
||||
}
|
||||
if ($canShare) {
|
||||
$perms |= self::PERM_RESHARE;
|
||||
|
@ -261,7 +263,7 @@ class Authorizer {
|
|||
if ($share->getFolderId() === $itemId && $type === TreeMapper::TYPE_FOLDER) {
|
||||
// If the sought folder is the root folder of the share, we give EDIT permissions + optionally RESHARE
|
||||
// because the user can edit the shared folder
|
||||
$perms = $this->getMaskFromFlags(true, $share->getCanShare());
|
||||
$perms = $this->getMaskFromFlags(true, $share->getCanShare()) | self::PERM_EDIT;
|
||||
} elseif ($this->treeMapper->hasDescendant($share->getFolderId(), $type, $itemId)) {
|
||||
$perms = $this->getMaskFromFlags($share->getCanWrite(), $share->getCanShare());
|
||||
} else {
|
||||
|
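Review bot: In the `elseif` branch of the share-permission hunk at @ -261, descendants of a shared folder now receive only READ|WRITE (plus RESHARE) from getMaskFromFlags(), because getMaskFromFlags() sets PERM_WRITE instead of PERM_EDIT after hunk @ -167 and only the share-root branch ORs PERM_EDIT back in. If any endpoint still gates direct edits of a bookmark or subfolder on PERM_EDIT, a recipient of a writable share would be denied on items inside the share while still being allowed to add children to them; I cannot see the callers from here, so this needs confirming, but if it is not handled elsewhere the descendant branch should grant EDIT alongside WRITE, e.g. `$perms = $this->getMaskFromFlags($share->getCanWrite(), $share->getCanShare()) | ($share->getCanWrite() ? self::PERM_EDIT : 0);`. The comment on the root branch still says `we give EDIT permissions + optionally RESHARE`; with the new mask it should read `we give WRITE + EDIT permissions, optionally RESHARE`. The enclosing method continues outside the hunk.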
|