From 30ef495c92fbd6aaae1436c5cd588e3e962c2faa Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 30 Oct 2025 11:06:15 +0100 Subject: [PATCH] feat(collaboration): Set IsAdminUser property for Collabora This set the 'IsAdminUser' Property correctly in the CheckFileInfo Response. For that a new Permission 'WebOffice.Manage' is introduced. By default this permission is only assigned to the Admin role. User with this permission get access to certain admin features in Collabora (e.g. the 'Server Audit' dashboard) Closes: #796 --- .../pkg/connector/fileconnector.go | 8 ++++++++ .../pkg/connector/fileconnector_test.go | 7 +++++++ .../pkg/connector/fileinfo/collabora.go | 4 ++++ .../pkg/connector/fileinfo/fileinfo.go | 1 + .../settings/pkg/store/defaults/defaults.go | 7 ++++--- .../pkg/store/defaults/permissions.go | 19 +++++++++++++++++++ 6 files changed, 43 insertions(+), 3 deletions(-) diff --git a/services/collaboration/pkg/connector/fileconnector.go b/services/collaboration/pkg/connector/fileconnector.go index dc1afb29ca..20f516f369 100644 --- a/services/collaboration/pkg/connector/fileconnector.go +++ b/services/collaboration/pkg/connector/fileconnector.go @@ -1198,6 +1198,7 @@ func (f *FileConnector) CheckFileInfo(ctx context.Context) (*ConnectorResponse, isAnonymousUser := true isPublicShare := false + isAdminUser := false user := ctxpkg.ContextMustGetUser(ctx) if user.String() != "" { // if we have a wopiContext.User @@ -1207,6 +1208,12 @@ func (f *FileConnector) CheckFileInfo(ctx context.Context) (*ConnectorResponse, isAnonymousUser = false userFriendlyName = user.GetDisplayName() userId = hexEncodedWopiUserId + + isAdminUser, err = utils.CheckPermission(ctx, "WebOffice.Manage", gwc) + if err != nil { + logger.Error().Err(err).Msg("CheckPermission failed") + isAdminUser = false + } } } 
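Review bot: The permission name passed to `utils.CheckPermission` in the second fileconnector.go hunk is a bare string literal, `"WebOffice.Manage"`, and the same literal is repeated as the `Name` of the new setting in permissions.go, so a typo on either side leaves every user with `IsAdminUser` false and no compile-time signal. A named constant in this package, e.g. `const permissionWebOfficeManage = "WebOffice.Manage"`, would make that coupling visible. The error branch fails closed, which is the right default for an admin flag; a short comment such as `// fail closed: a failed permission lookup must never grant admin features` would keep a later refactor from dropping the explicit reset, and the log call could name the permission, `Msg("CheckPermission for WebOffice.Manage failed")`. The check sits in the same nested block that clears `isAnonymousUser`; the condition guarding that block, and the rest of CheckFileInfo, lie outside the hunk and should be confirmed to exclude public-share sessions.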
@@ -1268,6 +1275,7 @@ func (f *FileConnector) CheckFileInfo(ctx context.Context) (*ConnectorResponse, fileinfo.KeySupportsRename: true, fileinfo.KeyIsAnonymousUser: isAnonymousUser, + fileinfo.KeyIsAdminUser: isAdminUser, fileinfo.KeyUserFriendlyName: userFriendlyName, fileinfo.KeyUserID: userId, diff --git a/services/collaboration/pkg/connector/fileconnector_test.go b/services/collaboration/pkg/connector/fileconnector_test.go index 3fdeae3aae..4a326fe448 100644 --- a/services/collaboration/pkg/connector/fileconnector_test.go +++ b/services/collaboration/pkg/connector/fileconnector_test.go @@ -1671,6 +1671,13 @@ var _ = Describe("FileConnector", func() { } ctx = ctxpkg.ContextSetUser(ctx, u) + gatewayClient.On("CheckPermission", mock.Anything, mock.Anything).Return( + &permissions.CheckPermissionResponse{ + Status: status.NewOK(ctx), + }, + nil, + ) + gatewayClient.On("Stat", mock.Anything, mock.Anything).Times(1).Return(&providerv1beta1.StatResponse{ Status: status.NewOK(ctx), Info: &providerv1beta1.ResourceInfo{ diff --git a/services/collaboration/pkg/connector/fileinfo/collabora.go b/services/collaboration/pkg/connector/fileinfo/collabora.go index 82b1573616..fc761395bd 100644 --- a/services/collaboration/pkg/connector/fileinfo/collabora.go +++ b/services/collaboration/pkg/connector/fileinfo/collabora.go 
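Review bot: The `CheckPermission` mock added in fileconnector_test.go covers only one outcome (an OK status, which presumably maps to "granted") and matches any arguments via `mock.Anything`, so nothing in this hunk pins which permission is requested or what the response looks like when it is denied or the call fails. Since `IsAdminUser` gates admin features in Collabora, the denied and error paths are the ones worth asserting: a case where the mock returns a non-OK status or an error and the resulting file info carries `IsAdminUser: false`. No expectation on `IsAdminUser` is visible in this hunk; the Describe block continues outside it, so such an assertion may already exist there.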
@@ -56,6 +56,8 @@ type Collabora struct { SaveAsPostmessage bool `json:"SaveAsPostmessage,omitempty"` // If set to true, it allows the document owner (the one with OwnerId =UserId) to send a closedocument message (see protocol.txt) EnableOwnerTermination bool `json:"EnableOwnerTermination,omitempty"` + // If set to true, the user has administrator rights in the integration. Some functionality of Collabora Online, such as update check and server audit are supposed to be shown to administrators only. + IsAdminUser bool `json:"IsAdminUser"` // JSON object that contains additional info about the user, namely the avatar image. //UserExtraInfo -> requires definition, currently not used @@ -131,6 +133,8 @@ func (cinfo *Collabora) SetProperties(props map[string]interface{}) { //UserPrivateInfo -> requires definition, currently not used case KeyWatermarkText: cinfo.WatermarkText = value.(string) + case KeyIsAdminUser: + cinfo.IsAdminUser = value.(bool) case KeyEnableShare: cinfo.EnableShare = value.(bool) diff --git a/services/collaboration/pkg/connector/fileinfo/fileinfo.go b/services/collaboration/pkg/connector/fileinfo/fileinfo.go index 72f8ae74d8..8791449d36 100644 --- a/services/collaboration/pkg/connector/fileinfo/fileinfo.go +++ b/services/collaboration/pkg/connector/fileinfo/fileinfo.go @@ -50,6 +50,7 @@ const ( KeyIsAnonymousUser = "IsAnonymousUser" KeyIsEduUser = "IsEduUser" + KeyIsAdminUser = "IsAdminUser" KeyLicenseCheckForEditIsEnabled = "LicenseCheckForEditIsEnabled" KeyUserFriendlyName = "UserFriendlyName" KeyUserInfo = "UserInfo" diff --git a/services/settings/pkg/store/defaults/defaults.go b/services/settings/pkg/store/defaults/defaults.go index 998a457661..809757d59a 100644 --- a/services/settings/pkg/store/defaults/defaults.go +++ b/services/settings/pkg/store/defaults/defaults.go 
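Review bot: In the first collabora.go hunk, `IsAdminUser` is tagged `json:"IsAdminUser"` without `omitempty`, unlike the neighbouring fields shown (`SaveAsPostmessage`, `EnableOwnerTermination`), so it is always serialized, including as `false`. If that is deliberate, so that non-admin users get an explicit `false` instead of relying on the client's default, the field comment should say so, e.g. `// Always serialized (no omitempty) so that non-admin users get an explicit false.` Otherwise a later cleanup that aligns the tag with its neighbours would silently change what Collabora receives. The struct starts and ends outside the hunk.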
@@ -140,6 +140,7 @@ func generateBundleAdminRole() *settingsmsg.Bundle { SetProjectSpaceQuotaPermission(All), SettingsManagementPermission(All), SpaceAbilityPermission(All), + WebOfficManagementPermssion(All), WriteFavoritesPermission(Own), }, } @@ -659,9 +660,9 @@ func DefaultRoleAssignments(cfg *config.Config) []*settingsmsg.UserRoleAssignmen RoleId: BundleUUIDRoleUser, }, { - AccountUuid: "60708dda-e897-11ef-919f-bbb7437d6ec2", - RoleId: BundleUUIDRoleUser, - }, + AccountUuid: "60708dda-e897-11ef-919f-bbb7437d6ec2", + RoleId: BundleUUIDRoleUser, + }, { // additional admin user AccountUuid: "cd88bf9a-dd7f-11ef-a609-7f78deb2345f", // demo user "dennis" diff --git a/services/settings/pkg/store/defaults/permissions.go b/services/settings/pkg/store/defaults/permissions.go index 526a92d71f..e73d07eb49 100644 --- a/services/settings/pkg/store/defaults/permissions.go +++ b/services/settings/pkg/store/defaults/permissions.go @@ -621,3 +621,22 @@ func WriteFavoritesPermission(c settingsmsg.Permission_Constraint) *settingsmsg. }, } } + +// WebOfficManagementPermssion is the permission to mark/unmark files as favorites +func WebOfficManagementPermssion(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "27a29046-a816-424f-bd71-2ffb9029162f", + Name: "WebOffice.Manage", + DisplayName: "Manage WebOffice", + Description: "This permission gives access to the admin featuer in the WebOffice suite.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +}
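Review bot: The doc comment on the new function in permissions.go describes a different permission: `is the permission to mark/unmark files as favorites` looks copied from WriteFavoritesPermission, while the setting grants access to WebOffice admin features. For a permission that ends up setting `IsAdminUser`, the comment should state what it grants, e.g. `// WebOfficeManagementPermission is the permission to use the admin features of the WebOffice suite (for Collabora it sets IsAdminUser in CheckFileInfo).` The exported name `WebOfficManagementPermssion` is misspelled both here and at its call site in generateBundleAdminRole in defaults.go; renaming it to `WebOfficeManagementPermission` now avoids carrying the typo as API. The `Description` string has a typo as well and should read `"This permission gives access to the admin features in the WebOffice suite."`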