From 74139f6c52793a8addb351df189330ca0efbec14 Mon Sep 17 00:00:00 2001 From: kobergj Date: Mon, 9 May 2022 11:35:52 +0200 Subject: [PATCH] Permissions for deleting spaces (#3716) * check permissions when deleting space Signed-off-by: jkoberg * changelog Signed-off-by: jkoberg * bump feature reva Signed-off-by: jkoberg
---
 .../unreleased/deleteSpacePermissions.md | 6 +++++ extensions/graph/pkg/service/v0/drives.go | 26 ++++++++++++++----- ...ected-failures-localAPI-on-OCIS-storage.md | 4 --- .../apiSpaces/removeSpaceObjects.feature | 2 +- 4 files changed, 26 insertions(+), 12 deletions(-) create mode 100644 changelog/unreleased/deleteSpacePermissions.md
diff --git a/changelog/unreleased/deleteSpacePermissions.md b/changelog/unreleased/deleteSpacePermissions.md
new file mode 100644
index 0000000000..2f6418d26d
--- /dev/null
+++ b/changelog/unreleased/deleteSpacePermissions.md
@@ -0,0 +1,6 @@
+Bugfix: Check permissions when deleting Space
+
+Check for manager permissions when deleting spaces.
+Do not allow deleting spaces via dav service
+
+https://github.com/owncloud/ocis/pull/3709
diff --git a/extensions/graph/pkg/service/v0/drives.go b/extensions/graph/pkg/service/v0/drives.go
index 5482fea406..6fde3c5a00 100644
--- a/extensions/graph/pkg/service/v0/drives.go
+++ b/extensions/graph/pkg/service/v0/drives.go
@@ -793,18 +793,30 @@ func (g Graph) DeleteDrive(w http.ResponseWriter, r *http.Request) {
 OpaqueId: root.StorageId,
 },
 })
- switch {
- case dRes.Status.Code == cs3rpc.Code_CODE_INVALID_ARGUMENT:
- errorcode.GeneralException.Render(w, r, http.StatusBadRequest, dRes.Status.Message)
- w.WriteHeader(http.StatusBadRequest)
- return
- case err != nil || dRes.Status.Code != cs3rpc.Code_CODE_OK:
+ if err != nil {
+ g.logger.Error().Err(err).Msg("error deleting storage space")
+ w.WriteHeader(http.StatusInternalServerError)
+ return
+ }
+
+ switch dRes.GetStatus().GetCode() {
+ case cs3rpc.Code_CODE_OK:
+ w.WriteHeader(http.StatusNoContent)
+ return
+ case cs3rpc.Code_CODE_INVALID_ARGUMENT:
+ errorcode.GeneralException.Render(w, r, http.StatusBadRequest, dRes.Status.Message)
+ w.WriteHeader(http.StatusBadRequest)
+ return
+ case cs3rpc.Code_CODE_PERMISSION_DENIED:
+ w.WriteHeader(http.StatusForbidden)
+ return
+ // don't expose internal error codes to the outside world
+ default:
 g.logger.Error().Err(err).Msg("error deleting storage space")
 w.WriteHeader(http.StatusInternalServerError)
 return
 }
- w.WriteHeader(http.StatusNoContent)
 }
 func sortSpaces(req *godata.GoDataRequest, spaces []*libregraph.Drive) ([]*libregraph.Drive, error) {
diff --git a/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md b/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
index ae26ed68e5..eae806c58a 100644
--- a/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
+++ b/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
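Review bot: The `default:` branch logs `.Err(err)`, but `err` is always nil there because the `if err != nil` guard above has already returned, so the CS3 status that caused the failure is never recorded; log the status instead, for example `g.logger.Error().Interface("status", dRes.GetStatus()).Msg("error deleting storage space")`. The `Code_CODE_PERMISSION_DENIED` case returns 403 without writing any log entry, so refused delete attempts leave nothing for audit or alerting; a log line carrying the space id and the requesting user would close that gap. The `Code_CODE_INVALID_ARGUMENT` case still sends `dRes.Status.Message` to the client, which is at odds with the comment about not exposing internals and is worth confirming as intended. DeleteDrive starts above this hunk, so the request parsing and user lookup are not visible here.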
@@ -22,7 +22,3 @@ The expected failures in this file are from features in the owncloud/ocis repo.
 #### [Overwriting a file in the space within the allowed quota does not work](https://github.com/owncloud/ocis/issues/2829)
 - [apiSpaces/quota.feature:56](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpaces/quota.feature#L56)
-#### [Viewer and editor has the possibility to disable the space](https://github.com/owncloud/ocis/issues/3031)
-- [apiSpaces/removeSpaceObjects.feature:74](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpaces/removeSpaceObjects.feature#L74)
-- [apiSpaces/deleteSpaces.feature:73](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpaces/deleteSpaces.feature#L73)
-- [apiSpaces/deleteSpaces.feature:84](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpaces/deleteSpaces.feature#L84)
diff --git a/tests/acceptance/features/apiSpaces/removeSpaceObjects.feature b/tests/acceptance/features/apiSpaces/removeSpaceObjects.feature
index 95112c0619..6e22ec10c0 100644
--- a/tests/acceptance/features/apiSpaces/removeSpaceObjects.feature
+++ b/tests/acceptance/features/apiSpaces/removeSpaceObjects.feature
@@ -74,7 +74,7 @@ Feature: Remove files, folder
 Scenario: An user is unable to delete a Space via the webDav API
 Given user "Alice" has created a space "user deletes a space" of type "project" with quota "20"
 When user "Alice" removes the folder "" from space "user deletes a space"
- Then the HTTP status code should be "405"
+ Then the HTTP status code should be "400"
 When user "Alice" lists all available spaces via the GraphApi
 Then the json responded should contain a space "user deletes a space" with these key and value pairs:
 | key | value |