diff --git a/changelog/unreleased/bump-reva.md b/changelog/unreleased/bump-reva.md index eed0c160fe..b55e582943 100644 --- a/changelog/unreleased/bump-reva.md +++ b/changelog/unreleased/bump-reva.md @@ -3,3 +3,4 @@ Enhancement: Bump reva bumps reva version https://github.com/owncloud/ocis/pull/6899 +https://github.com/owncloud/ocis/pull/6919 diff --git a/go.mod b/go.mod index 63f45e551f..387ed5659e 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/coreos/go-oidc v2.2.1+incompatible github.com/coreos/go-oidc/v3 v3.6.0 github.com/cs3org/go-cs3apis v0.0.0-20230516150832-730ac860c71d - github.com/cs3org/reva/v2 v2.15.1-0.20230731061316-db79e9b61738 + github.com/cs3org/reva/v2 v2.15.1-0.20230731062052-2c2e370980e0 github.com/disintegration/imaging v1.6.2 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e github.com/egirna/icap-client v0.1.1 diff --git a/go.sum b/go.sum index 7461298d0c..6d757249ac 100644 --- a/go.sum +++ b/go.sum 
@@ -625,8 +625,8 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4= github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc= github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA= -github.com/cs3org/reva/v2 v2.15.1-0.20230731061316-db79e9b61738 h1:EILZCEJMYRla6cktKLpi1c3KwISyoYMGTX0AKCuUTZA= -github.com/cs3org/reva/v2 v2.15.1-0.20230731061316-db79e9b61738/go.mod h1:4z5EQghS2LhSWZWocH51Dw9VAs16No1zSFvFgQtgS7w= +github.com/cs3org/reva/v2 v2.15.1-0.20230731062052-2c2e370980e0 h1:Vmghy5B5q/C22JR+fPtsKMra2ug2p3s0CeVmNnQIu4o= +github.com/cs3org/reva/v2 v2.15.1-0.20230731062052-2c2e370980e0/go.mod h1:4z5EQghS2LhSWZWocH51Dw9VAs16No1zSFvFgQtgS7w= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= diff --git a/tests/acceptance/features/apiSpaces/resharing.feature b/tests/acceptance/features/apiSpaces/resharing.feature index 47dfc10ced..879960b993 100644 --- a/tests/acceptance/features/apiSpaces/resharing.feature +++ b/tests/acceptance/features/apiSpaces/resharing.feature @@ -54,10 +54,10 @@ Feature: Resharing And user "Carol" should be included in the response And user "Damian" should be included in the response - + @skipOnRevaMaster Scenario: user can't share with more permissions than they have When user "Damian" shares folder "Shares/folder" with user "Ember" with permissions "31" using the sharing API - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the OCS status message should be "Cannot set the requested share permissions" 
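Review bot: The `@skipOnRevaMaster` tag added above `Scenario: user can't share with more permissions than they have` presumably takes this permission-escalation check out of the reva-master run, and nothing in the hunk says when it comes back. The same tag is added to every denial scenario this commit touches, in the later hunks of resharing.feature and in shareSpaces.feature, shareSpacesViaLink.feature, shareSubItemOfSpace.feature, shareSubItemOfSpaceViaPublicLink.feature, reShareAsPublicLinkToSharesNewDav.feature, updatePublicLinkShare.feature, reShare.feature, reShareSubfolder.feature and reShareUpdate.feature. While the tag is in place, a regression in the share-permission guard would go unnoticed in that pipeline, as far as the tag name suggests. I would add a comment line above each tag so the skip is traceable and temporary, for example `# TODO: drop @skipOnRevaMaster once reva master returns 403 for denied shares (tracking: <ISSUE-URL placeholder>)`.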
@@ -88,7 +88,7 @@ Feature: Resharing | Brian | 998 | should exist | | Carol | 100 | should not exist | - + @skipOnRevaMaster Scenario Outline: resharing folder with different permissions When user "" shares folder "Shares/folder" with user "Ember" with permissions "" using the sharing API Then the OCS status code should be "" @@ -97,10 +97,10 @@ Feature: Resharing | Brian | 17 | 100 | | Carol | 31 | 100 | | Damian | 17 | 100 | - | Damian | 27 | 404 | - | Damian | 31 | 404 | - + | Damian | 27 | 403 | + | Damian | 31 | 403 | + @skipOnRevaMaster Scenario Outline: Resharing files with different permissions Given user "Alice" has uploaded file with content "Random data" to "/file.txt" And user "Alice" has shared file "/file.txt" with user "Brian" with permissions "" @@ -110,7 +110,7 @@ Feature: Resharing Examples: | shareepermissions | granteepermissions | code | | 17 | 17 | 100 | - | 17 | 19 | 404 | + | 17 | 19 | 403 | | 19 | 19 | 100 | diff --git a/tests/acceptance/features/apiSpacesShares/shareSpaces.feature b/tests/acceptance/features/apiSpacesShares/shareSpaces.feature index 386754003f..5db7e9ce27 100644 --- a/tests/acceptance/features/apiSpacesShares/shareSpaces.feature +++ b/tests/acceptance/features/apiSpacesShares/shareSpaces.feature @@ -131,7 +131,7 @@ Feature: Share spaces | editor | | viewer | - + @skipOnRevaMaster Scenario Outline: user with editor or viewer role cannot share a space to another user Given user "Alice" has shared a space "share space" with settings: | shareWith | Brian | @@ -139,8 +139,8 @@ Feature: Share spaces When user "Brian" shares a space "share space" with settings: | shareWith | Bob | | role | | - Then the HTTP status code should be "404" - And the OCS status code should be "404" + Then the HTTP status code should be "403" + And the OCS status code should be "403" And the OCS status message should be "No share permission" And the user "Bob" should not have a space called "share space" Examples: 
@@ -172,7 +172,7 @@ Feature: Share spaces | manager | editor | | manager | viewer | - + @skipOnRevaMaster Scenario Outline: user without manager role cannot change the role of space members Given user "Alice" has shared a space "share space" with settings: | shareWith | Brian | @@ -183,8 +183,8 @@ Feature: Share spaces When user "Brian" updates the space "share space" with settings: | shareWith | Bob | | role | | - Then the HTTP status code should be "404" - And the OCS status code should be "404" + Then the HTTP status code should be "403" + And the OCS status code should be "403" And the user "Alice" should have a space called "share space" granted to "Bob" with role "viewer" Examples: | role | new_role | diff --git a/tests/acceptance/features/apiSpacesShares/shareSpacesViaLink.feature b/tests/acceptance/features/apiSpacesShares/shareSpacesViaLink.feature index a8ca3f0651..42605ac171 100644 --- a/tests/acceptance/features/apiSpacesShares/shareSpacesViaLink.feature +++ b/tests/acceptance/features/apiSpacesShares/shareSpacesViaLink.feature @@ -70,15 +70,15 @@ Feature: Share spaces via link And for user "Alice" the space "share space" should contain these entries: | lorem.txt | - + @skipOnRevaMaster Scenario Outline: user without manager role cannot share a space to public via link Given user "Alice" has shared a space "share space" with settings: | shareWith | Brian | | role | | When user "Brian" creates a public link share of the space "share space" with settings: | permissions | 1 | - Then the HTTP status code should be "404" - And the OCS status code should be "404" + Then the HTTP status code should be "403" + And the OCS status code should be "403" And the OCS status message should be "No share permission" And for user "Alice" the space "share space" should not contain the last created public link Examples: 
diff --git a/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpace.feature b/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpace.feature index 6484ff5abb..5c697e13a9 100644 --- a/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpace.feature +++ b/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpace.feature @@ -65,7 +65,7 @@ Feature: Share a file or folder that is inside a space | file.txt | file | viewer | 2042-03-25T23:59:59+0100 | 2042-03-25 | | file.txt | file | editor | | | - + @skipOnRevaMaster Scenario Outline: user participant of the project space without space manager role cannot share an entity to another user Given user "Alice" has shared a space "share sub-item" with settings: | shareWith | Brian | @@ -74,8 +74,8 @@ Feature: Share a file or folder that is inside a space | path | | | shareWith | Bob | | role | editor | - Then the HTTP status code should be "404" - And the OCS status code should be "404" + Then the HTTP status code should be "403" + And the OCS status code should be "403" And the OCS status message should be "No share permission" Examples: | entity | spaceRole | diff --git a/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature b/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature index 82b8ca511b..eed669352b 100644 --- a/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature +++ b/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature @@ -96,7 +96,7 @@ Feature: Share a file or folder that is inside a space via public link | folder | /folder | folder | httpd/unix-directory | | folder/file.txt | /file.txt | file | text/plain | - + @skipOnRevaMaster Scenario Outline: user participant of the project space without space manager role cannot share an entity inside project space via public link Given user "Alice" has shared a space "share sub-item" with settings: | shareWith | Brian | 
@@ -108,8 +108,8 @@ Feature: Share a file or folder that is inside a space via public link | password | 123 | | name | public link | | expireDate | 2042-03-25T23:59:59+0100 | - Then the HTTP status code should be "404" - And the OCS status code should be "404" + Then the HTTP status code should be "403" + And the OCS status code should be "403" And the OCS status message should be "No share permission" Examples: | entity | spaceRole | diff --git a/tests/acceptance/features/coreApiSharePublicLink2/reShareAsPublicLinkToSharesNewDav.feature b/tests/acceptance/features/coreApiSharePublicLink2/reShareAsPublicLinkToSharesNewDav.feature index 9f61b69da0..e1eac3261c 100644 --- a/tests/acceptance/features/coreApiSharePublicLink2/reShareAsPublicLinkToSharesNewDav.feature +++ b/tests/acceptance/features/coreApiSharePublicLink2/reShareAsPublicLinkToSharesNewDav.feature @@ -10,7 +10,7 @@ Feature: reshare as public link | Alice | | Brian | - + @skipOnRevaMaster Scenario Outline: creating a public link from a share with read permission only is not allowed Given using OCS API version "" And user "Alice" has created folder "/test" @@ -19,12 +19,12 @@ Feature: reshare as public link When user "Brian" creates a public link share using the sharing API with settings | path | /Shares/test | | publicUpload | false | - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | + | 2 | 403 | Scenario Outline: creating a public link from a share with share+read only permissions is allowed @@ -46,7 +46,7 @@ Feature: reshare as public link | 1 | 100 | | 2 | 200 | - + @skipOnRevaMaster Scenario Outline: creating an upload public link from a share with share+read only permissions is not allowed Given using OCS API version "" And user "Alice" has created folder "/test" 
@@ -56,14 +56,14 @@ Feature: reshare as public link | path | /Shares/test | | permissions | read,update,create,delete | | publicUpload | true | - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | - + | 2 | 403 | + @skipOnRevaMaster Scenario Outline: creating a public link from a share with read+write permissions only is not allowed Given using OCS API version "" And user "Alice" has created folder "/test" @@ -72,12 +72,12 @@ Feature: reshare as public link When user "Brian" creates a public link share using the sharing API with settings | path | /Shares/test | | publicUpload | true | - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | + | 2 | 403 | Scenario Outline: creating a public link from a share with share+read+write permissions is allowed @@ -120,7 +120,7 @@ Feature: reshare as public link | 1 | 100 | | 2 | 200 | - + @skipOnRevaMaster Scenario Outline: creating an upload public link from a sub-folder of a share with share+read only permissions is not allowed Given using OCS API version "" And user "Alice" has created folder "/test" @@ -131,14 +131,14 @@ Feature: reshare as public link | path | /Shares/test/sub | | permissions | read,update,create,delete | | publicUpload | true | - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | - + | 2 | 403 | + @skipOnRevaMaster Scenario Outline: increasing permissions of a public link of a share with share+read only permissions is not allowed Given using OCS API version "" And user "Alice" has created folder "/test" 
@@ -151,15 +151,15 @@ Feature: reshare as public link | publicUpload | false | When user "Brian" updates the last public link share using the sharing API with | permissions | read,update,create,delete | - Then the OCS status code should be "404" or "403" - And the HTTP status code should be "" or "" + Then the OCS status code should be "403" + And the HTTP status code should be "" And uploading a file should not work using the new public WebDAV API Examples: - | ocs_api_version | http_status_code1 | http_status_code2 | - | 1 | 200 | 200 | - | 2 | 404 | 403 | - + | ocs_api_version | http_status_code | + | 1 | 200 | + | 2 | 403 | + @skipOnRevaMaster Scenario Outline: increasing permissions of a public link from a sub-folder of a share with share+read only permissions is not allowed Given using OCS API version "" And user "Alice" has created folder "/test" @@ -173,10 +173,10 @@ Feature: reshare as public link And uploading a file should not work using the new public WebDAV API When user "Brian" updates the last public link share using the sharing API with | permissions | read,update,create,delete | - Then the OCS status code should be "404" or "403" - And the HTTP status code should be "" or "" + Then the OCS status code should be "403" + And the HTTP status code should be "" And uploading a file should not work using the new public WebDAV API Examples: - | ocs_api_version | http_status_code1 | http_status_code2 | - | 1 | 200 | 200 | - | 2 | 404 | 403 | + | ocs_api_version | http_status_code | + | 1 | 200 | + | 2 | 403 | diff --git a/tests/acceptance/features/coreApiSharePublicLink3/updatePublicLinkShare.feature b/tests/acceptance/features/coreApiSharePublicLink3/updatePublicLinkShare.feature index 942c8d0679..961d3faeb9 100644 --- a/tests/acceptance/features/coreApiSharePublicLink3/updatePublicLinkShare.feature +++ b/tests/acceptance/features/coreApiSharePublicLink3/updatePublicLinkShare.feature 
@@ -246,7 +246,7 @@ Feature: update a public link share | 1 | 100 | | 2 | 200 | - + @skipOnRevaMaster Scenario Outline: adding public upload to a read only shared folder as recipient is not allowed using the public API Given using OCS API version "" And user "Brian" has been created with default attributes and without skeleton files @@ -258,14 +258,14 @@ Feature: update a public link share | publicUpload | false | When user "Brian" updates the last public link share using the sharing API with | publicUpload | true | - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And uploading a file should not work using the old public WebDAV API And uploading a file should not work using the new public WebDAV API Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | + | 2 | 403 | Scenario Outline:adding public upload to a shared folder as recipient is allowed with permissions using the public API @@ -288,7 +288,7 @@ Feature: update a public link share | 1 | 100 | | 2 | 200 | - + @skipOnRevaMaster Scenario Outline: adding public link with all permissions to a read only shared folder as recipient is not allowed using the public API Given using OCS API version "" And user "Brian" has been created with default attributes and without skeleton files 
@@ -300,14 +300,14 @@ Feature: update a public link share | permissions | read | When user "Brian" updates the last public link share using the sharing API with | permissions | read,update,create,delete | - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And uploading a file should not work using the old public WebDAV API And uploading a file should not work using the new public WebDAV API Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | + | 2 | 403 | Scenario Outline: adding public link with all permissions to a read only shared folder as recipient is allowed with permissions using the public API diff --git a/tests/acceptance/features/coreApiShareReshareToShares1/reShare.feature b/tests/acceptance/features/coreApiShareReshareToShares1/reShare.feature index df88a9264f..c84136819f 100644 --- a/tests/acceptance/features/coreApiShareReshareToShares1/reShare.feature +++ b/tests/acceptance/features/coreApiShareReshareToShares1/reShare.feature @@ -11,14 +11,14 @@ Feature: sharing | Brian | | Carol | - @smokeTest + @smokeTest @skipOnRevaMaster Scenario Outline: user is not allowed to reshare file when reshare permission is not given Given using OCS API version "" And user "Alice" has uploaded file "filesForUpload/textfile.txt" to "/textfile0.txt" And user "Alice" has shared file "/textfile0.txt" with user "Brian" with permissions "read,update" And user "Brian" has accepted share "/textfile0.txt" offered by user "Alice" When user "Brian" shares file "/Shares/textfile0.txt" with user "Carol" with permissions "read,update" using the sharing API - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And as "Carol" file "/Shares/textfile0.txt" should not exist And the sharing API should report to user "Carol" that no shares are in the pending state 
@@ -26,16 +26,16 @@ Feature: sharing Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | - + | 2 | 403 | + @skipOnRevaMaster Scenario Outline: user is not allowed to reshare folder when reshare permission is not given Given using OCS API version "" And user "Alice" has created folder "/FOLDER" And user "Alice" has shared folder "/FOLDER" with user "Brian" with permissions "read,update" And user "Brian" has accepted share "/FOLDER" offered by user "Alice" When user "Brian" shares folder "/Shares/FOLDER" with user "Carol" with permissions "read,update" using the sharing API - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And as "Carol" folder "/Shares/FOLDER" should not exist And the sharing API should report to user "Carol" that no shares are in the pending state @@ -43,7 +43,7 @@ Feature: sharing Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | + | 2 | 403 | @smokeTest Scenario Outline: user is allowed to reshare file with the same permissions @@ -109,14 +109,14 @@ Feature: sharing | 1 | 100 | | 2 | 200 | - + @skipOnRevaMaster Scenario Outline: user is not allowed to reshare file and set more permissions bits Given using OCS API version "" And user "Alice" has uploaded file "filesForUpload/textfile.txt" to "/textfile0.txt" And user "Alice" has shared file "/textfile0.txt" with user "Brian" with permissions 17 And user "Brian" has accepted share "/textfile0.txt" offered by user "Alice" When user "Brian" shares file "/Shares/textfile0.txt" with user "Carol" with permissions using the sharing API - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And as "Carol" file "/Shares/textfile0.txt" should not exist And the sharing API should report to user "Carol" that no shares are in the pending state 
@@ -125,18 +125,18 @@ Feature: sharing | ocs_api_version | http_status_code | reshare_permissions | # passing on more bits including reshare | 1 | 200 | 19 | - | 2 | 404 | 19 | + | 2 | 403 | 19 | | 1 | 200 | 23 | - | 2 | 404 | 23 | + | 2 | 403 | 23 | | 1 | 200 | 31 | - | 2 | 404 | 31 | + | 2 | 403 | 31 | # passing on more bits but not reshare | 1 | 200 | 3 | - | 2 | 404 | 3 | + | 2 | 403 | 3 | | 1 | 200 | 7 | - | 2 | 404 | 7 | + | 2 | 403 | 7 | | 1 | 200 | 15 | - | 2 | 404 | 15 | + | 2 | 403 | 15 | Scenario Outline: user is allowed to reshare file and set create (4) or delete (8) permissions bits, which get ignored @@ -179,14 +179,14 @@ Feature: sharing | 1 | 100 | 17 | 9 | 1 | | 2 | 200 | 17 | 9 | 1 | - + @skipOnRevaMaster Scenario Outline: user is not allowed to reshare folder and set more permissions bits Given using OCS API version "" And user "Alice" has created folder "/PARENT" And user "Alice" has shared folder "/PARENT" with user "Brian" with permissions And user "Brian" has accepted share "/PARENT" offered by user "Alice" When user "Brian" shares folder "/Shares/PARENT" with user "Carol" with permissions using the sharing API - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And as "Carol" folder "/Shares/PARENT" should not exist And the sharing API should report to user "Carol" that no shares are in the pending state 
@@ -195,39 +195,39 @@ Feature: sharing | ocs_api_version | http_status_code | received_permissions | reshare_permissions | # try to pass on more bits including reshare | 1 | 200 | 17 | 19 | - | 2 | 404 | 17 | 19 | + | 2 | 403 | 17 | 19 | | 1 | 200 | 17 | 21 | - | 2 | 404 | 17 | 21 | + | 2 | 403 | 17 | 21 | | 1 | 200 | 17 | 23 | - | 2 | 404 | 17 | 23 | + | 2 | 403 | 17 | 23 | | 1 | 200 | 17 | 31 | - | 2 | 404 | 17 | 31 | + | 2 | 403 | 17 | 31 | | 1 | 200 | 19 | 23 | - | 2 | 404 | 19 | 23 | + | 2 | 403 | 19 | 23 | | 1 | 200 | 19 | 31 | - | 2 | 404 | 19 | 31 | + | 2 | 403 | 19 | 31 | # try to pass on more bits but not reshare | 1 | 200 | 17 | 3 | - | 2 | 404 | 17 | 3 | + | 2 | 403 | 17 | 3 | | 1 | 200 | 17 | 5 | - | 2 | 404 | 17 | 5 | + | 2 | 403 | 17 | 5 | | 1 | 200 | 17 | 7 | - | 2 | 404 | 17 | 7 | + | 2 | 403 | 17 | 7 | | 1 | 200 | 17 | 15 | - | 2 | 404 | 17 | 15 | + | 2 | 403 | 17 | 15 | | 1 | 200 | 19 | 7 | - | 2 | 404 | 19 | 7 | + | 2 | 403 | 19 | 7 | | 1 | 200 | 19 | 15 | - | 2 | 404 | 19 | 15 | - + | 2 | 403 | 19 | 15 | + @skipOnRevaMaster Scenario Outline: user is not allowed to reshare folder and add delete permission bit (8) Given using OCS API version "" And user "Alice" has created folder "/PARENT" And user "Alice" has shared folder "/PARENT" with user "Brian" with permissions And user "Brian" has accepted share "/PARENT" offered by user "Alice" When user "Brian" shares folder "/Shares/PARENT" with user "Carol" with permissions using the sharing API - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And as "Carol" folder "/Shares/PARENT" should not exist And the sharing API should report to user "Carol" that no shares are in the pending state 
@@ -236,18 +236,18 @@ Feature: sharing | ocs_api_version | http_status_code | received_permissions | reshare_permissions | # try to pass on extra delete (including reshare) | 1 | 200 | 17 | 25 | - | 2 | 404 | 17 | 25 | + | 2 | 403 | 17 | 25 | | 1 | 200 | 19 | 27 | - | 2 | 404 | 19 | 27 | + | 2 | 403 | 19 | 27 | | 1 | 200 | 23 | 31 | - | 2 | 404 | 23 | 31 | + | 2 | 403 | 23 | 31 | # try to pass on extra delete (but not reshare) | 1 | 200 | 17 | 9 | - | 2 | 404 | 17 | 9 | + | 2 | 403 | 17 | 9 | | 1 | 200 | 19 | 11 | - | 2 | 404 | 19 | 11 | + | 2 | 403 | 19 | 11 | | 1 | 200 | 23 | 15 | - | 2 | 404 | 23 | 15 | + | 2 | 403 | 23 | 15 | Scenario Outline: reshare a file with same name as a deleted file diff --git a/tests/acceptance/features/coreApiShareReshareToShares2/reShareSubfolder.feature b/tests/acceptance/features/coreApiShareReshareToShares2/reShareSubfolder.feature index 6a6e8550dc..b2ee4c9a64 100644 --- a/tests/acceptance/features/coreApiShareReshareToShares2/reShareSubfolder.feature +++ b/tests/acceptance/features/coreApiShareReshareToShares2/reShareSubfolder.feature @@ -29,13 +29,13 @@ Feature: a subfolder of a received share can be reshared | 1 | 100 | | 2 | 200 | - + @skipOnRevaMaster Scenario Outline: user is not allowed to reshare a sub-folder with more permissions Given using OCS API version "" And user "Alice" has shared folder "/TMP" with user "Brian" with permissions And user "Brian" has accepted share "/TMP" offered by user "Alice" When user "Brian" shares folder "/Shares/TMP/SUB" with user "Carol" with permissions using the sharing API - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And as "Carol" folder "/Shares/SUB" should not exist And the sharing API should report to user "Carol" that no shares are in the pending state 
@@ -44,44 +44,44 @@ Feature: a subfolder of a received share can be reshared | ocs_api_version | http_status_code | received_permissions | reshare_permissions | # try to pass on more bits including reshare | 1 | 200 | 17 | 19 | - | 2 | 404 | 17 | 19 | + | 2 | 403 | 17 | 19 | | 1 | 200 | 17 | 21 | - | 2 | 404 | 17 | 21 | + | 2 | 403 | 17 | 21 | | 1 | 200 | 17 | 23 | - | 2 | 404 | 17 | 23 | + | 2 | 403 | 17 | 23 | | 1 | 200 | 17 | 31 | - | 2 | 404 | 17 | 31 | + | 2 | 403 | 17 | 31 | | 1 | 200 | 19 | 23 | - | 2 | 404 | 19 | 23 | + | 2 | 403 | 19 | 23 | | 1 | 200 | 19 | 31 | - | 2 | 404 | 19 | 31 | + | 2 | 403 | 19 | 31 | # try to pass on more bits but not reshare | 1 | 200 | 17 | 3 | - | 2 | 404 | 17 | 3 | + | 2 | 403 | 17 | 3 | | 1 | 200 | 17 | 5 | - | 2 | 404 | 17 | 5 | + | 2 | 403 | 17 | 5 | | 1 | 200 | 17 | 7 | - | 2 | 404 | 17 | 7 | + | 2 | 403 | 17 | 7 | | 1 | 200 | 17 | 15 | - | 2 | 404 | 17 | 15 | + | 2 | 403 | 17 | 15 | | 1 | 200 | 19 | 7 | - | 2 | 404 | 19 | 7 | + | 2 | 403 | 19 | 7 | | 1 | 200 | 19 | 15 | - | 2 | 404 | 19 | 15 | + | 2 | 403 | 19 | 15 | # try to pass on extra delete (including reshare) | 1 | 200 | 17 | 25 | - | 2 | 404 | 17 | 25 | + | 2 | 403 | 17 | 25 | | 1 | 200 | 19 | 27 | - | 2 | 404 | 19 | 27 | + | 2 | 403 | 19 | 27 | | 1 | 200 | 23 | 31 | - | 2 | 404 | 23 | 31 | + | 2 | 403 | 23 | 31 | # try to pass on extra delete (but not reshare) | 1 | 200 | 17 | 9 | - | 2 | 404 | 17 | 9 | + | 2 | 403 | 17 | 9 | | 1 | 200 | 19 | 11 | - | 2 | 404 | 19 | 11 | + | 2 | 403 | 19 | 11 | | 1 | 200 | 23 | 15 | - | 2 | 404 | 23 | 15 | + | 2 | 403 | 23 | 15 | @issue-2214 Scenario Outline: user is allowed to update reshare of a sub-folder with less permissions 
@@ -123,7 +123,7 @@ Feature: a subfolder of a received share can be reshared | 1 | 100 | | 2 | 200 | - @issue-2214 + @issue-2214 @skipOnRevaMaster Scenario Outline: user is not allowed to update reshare of a sub-folder with more permissions Given using OCS API version "" And user "Alice" has shared folder "/TMP" with user "Brian" with permissions "share,read" @@ -132,7 +132,7 @@ Feature: a subfolder of a received share can be reshared And user "Carol" has accepted share "/SUB" offered by user "Brian" When user "Brian" updates the last share using the sharing API with | permissions | all | - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And as "Carol" folder "/Shares/SUB" should exist But user "Carol" should not be able to upload file "filesForUpload/textfile.txt" to "/Shares/SUB/textfile.txt" @@ -141,4 +141,4 @@ Feature: a subfolder of a received share can be reshared Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | + | 2 | 403 | diff --git a/tests/acceptance/features/coreApiShareReshareToShares3/reShareUpdate.feature b/tests/acceptance/features/coreApiShareReshareToShares3/reShareUpdate.feature index 088eada24e..867d12cba7 100644 --- a/tests/acceptance/features/coreApiShareReshareToShares3/reShareUpdate.feature +++ b/tests/acceptance/features/coreApiShareReshareToShares3/reShareUpdate.feature @@ -46,7 +46,7 @@ Feature: sharing | 1 | 100 | | 2 | 200 | - + @skipOnRevaMaster Scenario Outline: do not allow update of reshare to exceed permissions Given using OCS API version "" And user "Alice" has shared folder "/TMP" with user "Brian" with permissions "share,read" 
@@ -55,13 +55,13 @@ Feature: sharing And user "Carol" has accepted share "/TMP" offered by user "Brian" When user "Brian" updates the last share using the sharing API with | permissions | all | - Then the OCS status code should be "404" + Then the OCS status code should be "403" And the HTTP status code should be "" And user "Carol" should not be able to upload file "filesForUpload/textfile.txt" to "Shares/TMP/textfile.txt" Examples: | ocs_api_version | http_status_code | | 1 | 200 | - | 2 | 404 | + | 2 | 403 | Scenario Outline: update of user reshare by the original share owner can increase permissions up to the permissions of the top-level share diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go index 574cc6f66b..3e398ff50a 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go @@ -161,9 +161,9 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request, } if !sufficientPermissions(statInfo.PermissionSet, permissions, true) { - response.WriteOCSError(w, r, http.StatusNotFound, "no share permission", nil) + response.WriteOCSError(w, r, http.StatusForbidden, "no share permission", nil) return nil, &ocsError{ - Code: http.StatusNotFound, + Code: http.StatusForbidden, Message: "Cannot set the requested share permissions", Error: errors.New("cannot set the requested share permissions"), } 
@@ -417,7 +417,7 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar // empty permissions mean internal link here - NOT denial. Hence we need an extra check if !sufficientPermissions(statRes.Info.PermissionSet, newPermissions, true) { - response.WriteOCSError(w, r, http.StatusNotFound, "no share permission", nil) + response.WriteOCSError(w, r, http.StatusForbidden, "no share permission", nil) return } diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go index b272c569c1..afe888047b 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go @@ -232,7 +232,7 @@ func (h *Handler) CreateShare(w http.ResponseWriter, r *http.Request) { case rpc.Code_CODE_NOT_FOUND: response.WriteOCSData(w, r, response.MetaPathNotFound, nil, nil) case rpc.Code_CODE_PERMISSION_DENIED: - response.WriteOCSError(w, r, http.StatusNotFound, "No share permission", nil) + response.WriteOCSError(w, r, http.StatusForbidden, "No share permission", nil) default: sublog.Error().Interface("status", statRes.Status).Msg("CreateShare: stat failed") w.WriteHeader(http.StatusInternalServerError) @@ -250,7 +250,7 @@ func (h *Handler) CreateShare(w http.ResponseWriter, r *http.Request) { // check user has share permissions if !conversions.RoleFromResourcePermissions(statRes.Info.PermissionSet, false).OCSPermissions().Contain(conversions.PermissionShare) { - response.WriteOCSError(w, r, http.StatusNotFound, "No share permission", nil) + response.WriteOCSError(w, r, http.StatusForbidden, "No share permission", nil) return } 
@@ -298,7 +298,7 @@ func (h *Handler) CreateShare(w http.ResponseWriter, r *http.Request) { // public links default to read only _, _, ocsErr := h.extractPermissions(reqRole, reqPermissions, statRes.Info, conversions.NewViewerRole(h.resharing)) if ocsErr != nil && ocsErr.Error != conversions.ErrZeroPermission { - response.WriteOCSError(w, r, http.StatusNotFound, "No share permission", nil) + response.WriteOCSError(w, r, http.StatusForbidden, "No share permission", nil) return } share, ocsErr := h.createPublicLinkShare(w, r, statRes.Info) @@ -459,7 +459,7 @@ func (h *Handler) extractPermissions(reqRole string, reqPermissions string, ri * if !sufficientPermissions(ri.PermissionSet, role.CS3ResourcePermissions(), false) && role.Name != conversions.RoleDenied { return nil, nil, &ocsError{ - Code: http.StatusNotFound, + Code: http.StatusForbidden, Message: "Cannot set the requested share permissions", Error: errors.New("cannot set the requested share permissions"), } diff --git a/vendor/modules.txt b/vendor/modules.txt index 78976024f7..0fba14b4c4 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -352,7 +352,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.15.1-0.20230731061316-db79e9b61738 +# github.com/cs3org/reva/v2 v2.15.1-0.20230731062052-2c2e370980e0 ## explicit; go 1.20 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime