From d69decdafe1d0a20013e4e70c4c8d5403835fb14 Mon Sep 17 00:00:00 2001
From: Roman Perekhod
Date: Wed, 3 May 2023 16:38:36 +0200
Subject: [PATCH] fix Graph delete request leaks existence of space #5031
---
 changelog/unreleased/fix-leaks-existence.md | 6 ++++++
 go.mod | 3 +++
 go.sum | 2 ++
 services/graph/pkg/service/v0/drives.go | 12 ++++++++----
 .../features/apiSpaces/changeSpaces.feature | 2 +-
 .../apiSpaces/disableAndDeleteSpaces.feature | 2 +-
 .../features/apiSpaces/spaceManagement.feature | 2 +-
 7 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 changelog/unreleased/fix-leaks-existence.md
diff --git a/changelog/unreleased/fix-leaks-existence.md b/changelog/unreleased/fix-leaks-existence.md
new file mode 100644
index 0000000000..71b0bf1bf7
--- /dev/null
+++ b/changelog/unreleased/fix-leaks-existence.md
@@ -0,0 +1,6 @@
+Bugfix: Hide the existence of space when deleting/updating
+
+The "code": "notAllowed" changed to "code": "itemNotFound"
+
+https://github.com/owncloud/ocis/issues/5031
+https://github.com/owncloud/ocis/pull/6220
diff --git a/go.mod b/go.mod
index a6dea5ae8f..f469a22a28 100644
--- a/go.mod
+++ b/go.mod
@@ -321,3 +321,6 @@ require (
 )

 replace github.com/cs3org/go-cs3apis => github.com/c0rby/go-cs3apis v0.0.0-20230110100311-5b424f1baa35
+
+// TODO The temporal replacement
+replace github.com/cs3org/reva/v2 => github.com/2403905/reva/v2 v2.0.0-20230504205508-69238ad9d885
diff --git a/go.sum b/go.sum
index 494b046e34..764143b000 100644
--- a/go.sum
+++ b/go.sum
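Review bot: The `replace` directive added to go.mod redirects `github.com/cs3org/reva/v2` to a personal fork at a pseudo-version, and the only sign that it is temporary is `// TODO The temporal replacement`. While it is in place, every build takes reva from that fork rather than from the upstream module, so the comment should say what has to land before the line can be removed, for example `// TODO: drop once the matching cs3org/reva change is released (see owncloud/ocis#6220)`. It is worth gating releases on this directive being gone, since the drives.go change presumably relies on behaviour that exists only in the fork.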
@@ -388,6 +388,8 @@ contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRq contrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxaWJs2/OwXtiWwew3oAg= contrib.go.opencensus.io/exporter/prometheus v0.4.2/go.mod h1:dvEHbiKmgvbr5pjaF9fpw1KeYcjrnC1J8B+JKjsZyRQ= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/2403905/reva/v2 v2.0.0-20230504205508-69238ad9d885 h1:kXk+da30WxZIg87Uo86MLWUnCTgBDt0Qqj9/YFODvjk= +github.com/2403905/reva/v2 v2.0.0-20230504205508-69238ad9d885/go.mod h1:VxBmpOvIKlgKLPOsHun+fABopzX+3ZELPAp3N5bQMsM= github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl2bqk7S3ta6S6u4k= github.com/Azure/azure-sdk-for-go v32.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-storage-blob-go v0.14.0/go.mod h1:SMqIBi+SuiQH32bvyjngEewEeXoPfKMgWlBDaYf6fck=
diff --git a/services/graph/pkg/service/v0/drives.go b/services/graph/pkg/service/v0/drives.go
index f3df77b44c..bb77f93bcf 100644
--- a/services/graph/pkg/service/v0/drives.go
+++ b/services/graph/pkg/service/v0/drives.go
@@ -468,11 +468,11 @@ func (g Graph) UpdateDrive(w http.ResponseWriter, r *http.Request) {
 switch resp.Status.GetCode() {
 case cs3rpc.Code_CODE_NOT_FOUND:
 logger.Debug().Interface("id", rid).Msg("could not update drive: drive not found")
- errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, resp.GetStatus().GetMessage())
+ errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, "drive not found")
 return
 case cs3rpc.Code_CODE_PERMISSION_DENIED:
 logger.Debug().Interface("id", rid).Msg("could not update drive, permission denied")
- errorcode.NotAllowed.Render(w, r, http.StatusForbidden, resp.GetStatus().GetMessage())
+ errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, "drive not found")
 return
 case cs3rpc.Code_CODE_INVALID_ARGUMENT:
 logger.Debug().Interface("id", rid).Msg("could not update drive, invalid argument")
@@ -480,7 +480,7 @@ func (g Graph) UpdateDrive(w http.ResponseWriter, r *http.Request) {
 return
 default:
 logger.Debug().Interface("id", rid).Str("grpc", resp.GetStatus().GetMessage()).Msg("could not update drive: grpc error")
- errorcode.GeneralException.Render(w, r, http.StatusInternalServerError, resp.GetStatus().GetMessage())
+ errorcode.GeneralException.Render(w, r, http.StatusInternalServerError, "grpc error")
 return
 }
 }
@@ -1054,7 +1054,11 @@ func (g Graph) DeleteDrive(w http.ResponseWriter, r *http.Request) {
 return
 case cs3rpc.Code_CODE_PERMISSION_DENIED:
 logger.Debug().Interface("id", rid).Msg("could not delete drive: permission denied")
- errorcode.NotAllowed.Render(w, r, http.StatusForbidden, "permission denied to delete drive")
+ errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, "drive not found")
+ return
+ case cs3rpc.Code_CODE_NOT_FOUND:
+ logger.Debug().Interface("id", rid).Msg("could not delete drive: drive not found")
+ errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, "drive not found")
 return
 // don't expose internal error codes to the outside world
 default:
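Review bot: In the `Code_CODE_PERMISSION_DENIED` branch of UpdateDrive the client now receives the same 404 as for a missing drive, which leaves the `logger.Debug()` line as the only record that access was actually denied, and that event carries only the drive id. At a typical production log level this record is likely dropped, so repeated requests against drive ids by a non-member would not be visible to operators. Consider `logger.Info().Interface("id", rid).Msg("could not update drive, permission denied")` and adding the requesting user to the event. The same applies to the permission-denied branch in the DeleteDrive hunk; UpdateDrive's body starts outside this hunk.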
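Review bot: The `Code_CODE_PERMISSION_DENIED` and `Code_CODE_NOT_FOUND` cases in DeleteDrive hide the drive only while their two `Render` calls stay identical, and the literal `"drive not found"` is now repeated four times across the hunks of this file. A shared constant such as `const driveNotFoundMsg = "drive not found"`, or one helper used by both handlers, would keep a later edit to one branch from reintroducing a distinguishable response. The feature-file hunks in this patch touch only the `@api` tag line, so nothing visible here asserts that a non-member and an unknown id get the same status and body; a scenario pinning that would guard the fix. The switch continues past the end of the hunk.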
diff --git a/tests/acceptance/features/apiSpaces/changeSpaces.feature b/tests/acceptance/features/apiSpaces/changeSpaces.feature
index ec8b860c8d..1e0f1884dd 100644
--- a/tests/acceptance/features/apiSpaces/changeSpaces.feature
+++ b/tests/acceptance/features/apiSpaces/changeSpaces.feature
@@ -1,4 +1,4 @@
-@api
+@api
 Feature: Change data of space
 As a user with space admin rights
 I want to be able to change the meta-data of a created space (increase the quota, change name, etc.)
diff --git a/tests/acceptance/features/apiSpaces/disableAndDeleteSpaces.feature b/tests/acceptance/features/apiSpaces/disableAndDeleteSpaces.feature
index e362da82a2..d5727ac82a 100644
--- a/tests/acceptance/features/apiSpaces/disableAndDeleteSpaces.feature
+++ b/tests/acceptance/features/apiSpaces/disableAndDeleteSpaces.feature
@@ -1,4 +1,4 @@
-@api
+@api
 Feature: Disabling and deleting space
 As a manager of space
 I want to be able to disable the space first, then delete it.
diff --git a/tests/acceptance/features/apiSpaces/spaceManagement.feature b/tests/acceptance/features/apiSpaces/spaceManagement.feature
index 628efb8b92..e8f4048cf0 100644
--- a/tests/acceptance/features/apiSpaces/spaceManagement.feature
+++ b/tests/acceptance/features/apiSpaces/spaceManagement.feature
@@ -1,4 +1,4 @@
-@api
+@api
 Feature: Space management
 As a user with space admin permission
 I want to be able to manage all existing project spaces