add new permissions

Signed-off-by: jkoberg <jkoberg@owncloud.com>
2026-01-06 05:01:10 -05:00 · 2023-11-09 13:53:29 +01:00
parent 73f87a003c
commit 66ff22835d
3 changed files with 108 additions and 34 deletions
--- a/changelog/unreleased/new-permissions.md
+++ b/changelog/unreleased/new-permissions.md
@@ -0,0 +1,8 @@
+Enhancement: Add new permissions
+
+Adds new permissions to admin/spaceadmin/user roles
+  -  Favorites.List allows / denies the Favorites Listing Request
+  -  Favorites.Write is implemented to be enforced on marking/unmark files as favouritesShare
+  -  Shares.Write permission denies / allows sharing completely for a user on all share CUD requests. (User, Group)
+
+https://github.com/owncloud/ocis/pull/7700
--- a/services/settings/pkg/store/defaults/defaults.go
+++ b/services/settings/pkg/store/defaults/defaults.go
@@ -46,24 +46,27 @@ func generateBundleAdminRole() *settingsmsg.Bundle {
 			Type: settingsmsg.Resource_TYPE_SYSTEM,
 		},
 		Settings: []*settingsmsg.Setting{
-			RoleManagementPermission(All),
-			SettingsManagementPermission(All),
-			LanguageManagementPermission(All),
-			DisableEmailNotificationsPermission(Own),
-			AutoAcceptSharesPermission(Own),
 			AccountManagementPermission(All),
-			GroupManagementPermission(All),
-			SetPersonalSpaceQuotaPermission(All),
-			SetProjectSpaceQuotaPermission(All),
+			AutoAcceptSharesPermission(Own),
+			ChangeLogoPermission(All),
+			CreatePublicLinkPermission(All),
+			CreateSharePermission(All),
 			CreateSpacesPermission(All),
-			ListSpacesPermission(All),
 			DeletePersonalSpacesPermission(All),
 			DeleteProjectSpacesPermission(All),
-			ChangeLogoPermission(All),
-			WritePublicLinkPermission(All),
 			DeleteReadOnlyPublicLinkPasswordPermission(All),
+			DisableEmailNotificationsPermission(Own),
+			GroupManagementPermission(All),
+			LanguageManagementPermission(All),
+			ListFavoritesPermission(Own),
+			ListSpacesPermission(All),
 			ManageSpacePropertiesPermission(All),
+			RoleManagementPermission(All),
+			SetPersonalSpaceQuotaPermission(All),
+			SetProjectSpaceQuotaPermission(All),
+			SettingsManagementPermission(All),
 			SpaceAbilityPermission(All),
+			WriteFavoritesPermission(Own),
 		},
 	}
 }
@@ -79,19 +82,22 @@ func generateBundleSpaceAdminRole() *settingsmsg.Bundle {
 			Type: settingsmsg.Resource_TYPE_SYSTEM,
 		},
 		Settings: []*settingsmsg.Setting{
-			ManageSpacePropertiesPermission(All),
-			SpaceAbilityPermission(All),
-			DeleteProjectSpacesPermission(All),
-			SetProjectSpaceQuotaPermission(All),
-			CreateSpacesPermission(All),
-			ListSpacesPermission(All),
-			LanguageManagementPermission(Own),
-			DisableEmailNotificationsPermission(Own),
 			AutoAcceptSharesPermission(Own),
-			SelfManagementPermission(Own),
+			CreatePublicLinkPermission(All),
+			CreateSharePermission(All),
+			CreateSpacesPermission(All),
 			CreateSpacesPermission(Own),
-			WritePublicLinkPermission(All),
+			DeleteProjectSpacesPermission(All),
 			DeleteReadOnlyPublicLinkPasswordPermission(All),
+			DisableEmailNotificationsPermission(Own),
+			LanguageManagementPermission(Own),
+			ListFavoritesPermission(Own),
+			ListSpacesPermission(All),
+			ManageSpacePropertiesPermission(All),
+			SelfManagementPermission(Own),
+			SetProjectSpaceQuotaPermission(All),
+			SpaceAbilityPermission(All),
+			WriteFavoritesPermission(Own),
 		},
 	}
 }
@@ -107,12 +113,15 @@ func generateBundleUserRole() *settingsmsg.Bundle {
 			Type: settingsmsg.Resource_TYPE_SYSTEM,
 		},
 		Settings: []*settingsmsg.Setting{
-			LanguageManagementPermission(Own),
-			DisableEmailNotificationsPermission(Own),
 			AutoAcceptSharesPermission(Own),
-			SelfManagementPermission(Own),
+			CreatePublicLinkPermission(All),
+			CreateSharePermission(All),
 			CreateSpacesPermission(Own),
-			WritePublicLinkPermission(All),
+			DisableEmailNotificationsPermission(Own),
+			LanguageManagementPermission(Own),
+			ListFavoritesPermission(Own),
+			SelfManagementPermission(Own),
+			WriteFavoritesPermission(Own),
 		},
 	}
 }
@@ -128,9 +137,9 @@ func generateBundleUserLightRole() *settingsmsg.Bundle {
 			Type: settingsmsg.Resource_TYPE_SYSTEM,
 		},
 		Settings: []*settingsmsg.Setting{
-			LanguageManagementPermission(Own),
-			DisableEmailNotificationsPermission(Own),
 			AutoAcceptSharesPermission(Own),
+			DisableEmailNotificationsPermission(Own),
+			LanguageManagementPermission(Own),
 		},
 	}
 }
--- a/services/settings/pkg/store/defaults/permissions.go
+++ b/services/settings/pkg/store/defaults/permissions.go
@@ -67,6 +67,44 @@ func ChangeLogoPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Sett
 	}
 }

+// CreatePublicLinkPermission is the permission to create public links
+func CreatePublicLinkPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
+	return &settingsmsg.Setting{
+		Id:          "11516bbd-7157-49e1-b6ac-d00c820f980b",
+		Name:        "PublicLink.Write",
+		DisplayName: "Write publiclink",
+		Description: "This permission allows creating public links.",
+		Resource: &settingsmsg.Resource{
+			Type: settingsmsg.Resource_TYPE_SHARE,
+		},
+		Value: &settingsmsg.Setting_PermissionValue{
+			PermissionValue: &settingsmsg.Permission{
+				Operation:  settingsmsg.Permission_OPERATION_WRITE,
+				Constraint: c,
+			},
+		},
+	}
+}
+
+// CreateSharePermission is the permission to create shares
+func CreateSharePermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
+	return &settingsmsg.Setting{
+		Id:          "069c08b1-e31f-4799-9ed6-194b310e7244",
+		Name:        "Shares.Write",
+		DisplayName: "Write share",
+		Description: "This permission allows creating shares.",
+		Resource: &settingsmsg.Resource{
+			Type: settingsmsg.Resource_TYPE_SHARE,
+		},
+		Value: &settingsmsg.Setting_PermissionValue{
+			PermissionValue: &settingsmsg.Permission{
+				Operation:  settingsmsg.Permission_OPERATION_WRITE,
+				Constraint: c,
+			},
+		},
+	}
+}
+
 // CreateSpacesPermission is the permission to create spaces
 func CreateSpacesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
 	return &settingsmsg.Setting{
@@ -201,6 +239,25 @@ func LanguageManagementPermission(c settingsmsg.Permission_Constraint) *settings
 	}
 }

+// ListFavoritesPermission is the permission to list favorites
+func ListFavoritesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
+	return &settingsmsg.Setting{
+		Id:          "4ebaa725-bfaa-43c5-9817-78bc9994bde4",
+		Name:        "Favorites.List",
+		DisplayName: "List Favorites",
+		Description: "This permission allows listing favorites.",
+		Resource: &settingsmsg.Resource{
+			Type: settingsmsg.Resource_TYPE_SYSTEM,
+		},
+		Value: &settingsmsg.Setting_PermissionValue{
+			PermissionValue: &settingsmsg.Permission{
+				Operation:  settingsmsg.Permission_OPERATION_READ,
+				Constraint: c,
+			},
+		},
+	}
+}
+
 // ListSpacesPermission is the permission to list spaces
 func ListSpacesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
 	return &settingsmsg.Setting{
@@ -356,15 +413,15 @@ func SpaceAbilityPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Se
 	}
 }

-// WritePublicLinkPermission is the permission to write public links
-func WritePublicLinkPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
+// WriteFavoritesPermission is the permission to mark/unmark files as favorites
+func WriteFavoritesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
 	return &settingsmsg.Setting{
-		Id:          "11516bbd-7157-49e1-b6ac-d00c820f980b",
-		Name:        "PublicLink.Write",
-		DisplayName: "Write publiclink",
-		Description: "This permission allows creating public links.",
+		Id:          "a54778fd-1c45-47f0-892d-655caf5236f2",
+		Name:        "Favorites.Write",
+		DisplayName: "Write Favorites",
+		Description: "This permission allows marking files as favorites.",
 		Resource: &settingsmsg.Resource{
-			Type: settingsmsg.Resource_TYPE_SHARE,
+			Type: settingsmsg.Resource_TYPE_FILE,
 		},
 		Value: &settingsmsg.Setting_PermissionValue{
 			PermissionValue: &settingsmsg.Permission{