nextcloud
/
bookmarks
mirror of https://github.com/nextcloud/bookmarks
0
0
Fork 0
Code Issues Releases Wiki Activity

fix(Authorization): Create WRITE permission to signify the permission to edit children 

Signed-off-by: Marcel Klehr <mklehr@gmx.net>
This commit is contained in:
Marcel Klehr 2023-07-16 17:03:20 +02:00
parent a08673525c
commit 642eac3a0a
3 changed files with 16 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/Controller/BookmarkController.php
View File

@ -417,7 +417,7 @@ class BookmarkController extends ApiController {
foreach ($folders as $folder) {
$permissions &= $this->authorizer->getPermissionsForFolder($folder, $this->request);
}
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $permissions) || $this->authorizer->getUserId() === null) {
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $permissions) || $this->authorizer->getUserId() === null) {
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
@ -472,7 +472,7 @@ class BookmarkController extends ApiController {
foreach ($folders as $folder) {
$permissions &= $this->authorizer->getPermissionsForFolder($folder, $this->request);
}
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $permissions)) {
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $permissions)) {
return new JSONResponse(['status' => 'error', 'data' => ['Insufficient permissions']], Http::STATUS_FORBIDDEN);
}
}
@ -651,7 +651,7 @@ class BookmarkController extends ApiController {
* @PublicPage
*/
public function importBookmark($folder = null): JSONResponse {
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($folder ?? -1, $this->request))) {
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folder ?? -1, $this->request))) {
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
@ -806,7 +806,7 @@ class BookmarkController extends ApiController {
* @PublicPage
*/
public function acquireLock(): JSONResponse {
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder(-1, $this->request))) {
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder(-1, $this->request))) {
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
@ -831,7 +831,7 @@ class BookmarkController extends ApiController {
* @PublicPage
*/
public function releaseLock(): JSONResponse {
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder(-1, $this->request))) {
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder(-1, $this->request))) {
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}

13
lib/Controller/FoldersController.php
View File

@ -170,7 +170,7 @@ class FoldersController extends ApiController {
* @PublicPage
*/
public function addFolder($title = '', $parent_folder = -1): JSONResponse {
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($parent_folder, $this->request))) {
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($parent_folder, $this->request))) {
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
try {
@ -222,7 +222,7 @@ class FoldersController extends ApiController {
* @PublicPage
*/
public function addToFolder($folderId, $bookmarkId): JSONResponse {
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForBookmark($bookmarkId, $this->request))) {
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
@ -247,7 +247,7 @@ class FoldersController extends ApiController {
* @PublicPage
*/
public function removeFromFolder($folderId, $bookmarkId): JSONResponse {
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folderId, $this->request)) &&
!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($bookmarkId, $this->request))) {
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
@ -415,7 +415,7 @@ class FoldersController extends ApiController {
* @PublicPage
*/
public function setFolderChildrenOrder($folderId, $data = []): JSONResponse {
if (!Authorizer::hasPermission(Authorizer::PERM_EDIT, $this->authorizer->getPermissionsForFolder($folderId, $this->request))) {
if (!Authorizer::hasPermission(Authorizer::PERM_WRITE, $this->authorizer->getPermissionsForFolder($folderId, $this->request))) {
return new JSONResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
$folderId = $this->toInternalFolderId($folderId);
@ -640,7 +640,7 @@ class FoldersController extends ApiController {
return new Http\DataResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
try {
$canWrite = $canWrite && Authorizer::hasPermission(Authorizer::PERM_EDIT, $permissions);
$canWrite = $canWrite && Authorizer::hasPermission(Authorizer::PERM_WRITE, $permissions);
$share = $this->folders->createShare($folderId, $participant, $type, $canWrite, $canShare);
return new Http\DataResponse(['status' => 'success', 'item' => $share->toArray()]);
} catch (DoesNotExistException $e) {
@ -675,8 +675,7 @@ class FoldersController extends ApiController {
return new Http\DataResponse(['status' => 'error', 'data' => 'Unauthorized'], Http::STATUS_FORBIDDEN);
}
$canWrite = $canWrite && Authorizer::hasPermission(Authorizer::PERM_EDIT, $permissions);
$canWrite = $canWrite && Authorizer::hasPermission(Authorizer::PERM_WRITE, $permissions);
$share->setCanWrite($canWrite);
$share->setCanShare($canShare);
$this->shareMapper->update($share);

8
lib/Service/Authorizer.php
View File

@ -24,9 +24,10 @@ use OCP\IUserSession;
class Authorizer {
public const PERM_NONE = 0;
public const PERM_READ = 1;
public const PERM_EDIT = 2;
public const PERM_EDIT = 2; // Allows editing the direct item
public const PERM_RESHARE = 4;
public const PERM_ALL = 7;
public const PERM_WRITE = 8; // Allows adding and editing the item's descendants
public const PERM_ALL = 15;
private $userId;
private $token = null;
@ -167,6 +168,7 @@ class Authorizer {
$perms = self::PERM_READ;
if ($canWrite) {
$perms |= self::PERM_EDIT;
$perms |= self::PERM_WRITE;
}
if ($canShare) {
$perms |= self::PERM_RESHARE;
@ -261,7 +263,7 @@ class Authorizer {
if ($share->getFolderId() === $itemId && $type === TreeMapper::TYPE_FOLDER) {
// If the sought folder is the root folder of the share, we give EDIT permissions + optionally RESHARE
// because the user can edit the shared folder
$perms = $this->getMaskFromFlags(true, $share->getCanShare());
$perms = $this->getMaskFromFlags(true, $share->getCanShare()) | self::PERM_EDIT;
} elseif ($this->treeMapper->hasDescendant($share->getFolderId(), $type, $itemId)) {
$perms = $this->getMaskFromFlags($share->getCanWrite(), $share->getCanShare());
} else {