From 3afc378ba9be86f2ae50ac233fedfd2a7443761e Mon Sep 17 00:00:00 2001
From: Roman Perekhod
Date: Fri, 11 Oct 2024 14:36:41 +0200
Subject: [PATCH] forbid adding the federated users as members of the space via items invite

---
 changelog/unreleased/fix-ocm-space-sharing.md | 6 ++++++
 .../graph/pkg/service/v0/api_driveitem_permissions.go | 11 +++--------
 2 files changed, 9 insertions(+), 8 deletions(-)
 create mode 100644 changelog/unreleased/fix-ocm-space-sharing.md

diff --git a/changelog/unreleased/fix-ocm-space-sharing.md b/changelog/unreleased/fix-ocm-space-sharing.md
new file mode 100644
index 0000000000..9bbba171b2
--- /dev/null
+++ b/changelog/unreleased/fix-ocm-space-sharing.md
@@ -0,0 +1,6 @@
+Bugfix: Forbid the ocm space sharing
+
+We forbid adding the federated users as members of the space via items invite.
+
+https://github.com/owncloud/ocis/pull/10287
+https://github.com/owncloud/ocis/issues/10051
diff --git a/services/graph/pkg/service/v0/api_driveitem_permissions.go b/services/graph/pkg/service/v0/api_driveitem_permissions.go
index c43e358fe6..a015ee6479 100644
--- a/services/graph/pkg/service/v0/api_driveitem_permissions.go
+++ b/services/graph/pkg/service/v0/api_driveitem_permissions.go
@@ -173,6 +173,9 @@ func (s DriveItemPermissionsService) Invite(ctx context.Context, resourceId *sto
 if errors.Is(err, identity.ErrNotFound) && s.config.IncludeOCMSharees {
 user, err = s.identityCache.GetAcceptedUser(ctx, objectID)
 federated = true
+ if err == nil && IsSpaceRoot(statResponse.GetInfo().GetId()) {
+ return libregraph.Permission{}, errorcode.New(errorcode.InvalidRequest, "federated user can not become a space member")
+ }
 }
 if err != nil {
 s.logger.Debug().Err(err).Interface("userId", objectID).Msg("failed user lookup")
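Review bot: The new guard in the federated-lookup branch is an authorization decision with no comment saying why it exists, so a later maintainer could relax or move it without seeing the constraint; add a why-comment above the `if err == nil && IsSpaceRoot(...)` line, e.g. `// federated (OCM) recipients may only receive item shares, never space membership; see owncloud/ocis#10051`. The check only runs when the local lookup returned identity.ErrNotFound and IncludeOCMSharees is enabled, which from this hunk appears to be the sole path on which a recipient is resolved as federated, so the placement looks sufficient for that path. Whether Invite evaluates this block once per recipient is not visible here; since the removed SpaceRootInvite pre-check only inspected the first recipient, it is worth a test that a multi-recipient invite with the federated user in a later position is also rejected. Invite's body starts and ends outside this hunk.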
@@ -325,14 +328,6 @@ func (s DriveItemPermissionsService) SpaceRootInvite(ctx context.Context, driveI
 return libregraph.Permission{}, errorcode.New(errorcode.InvalidRequest, "unsupported space type")
 }
 
- if s.config.IncludeOCMSharees && len(invite.GetRecipients()) > 0 {
- objectID := invite.GetRecipients()[0].GetObjectId()
- _, err := s.identityCache.GetAcceptedUser(ctx, objectID)
- if err == nil {
- return libregraph.Permission{}, errorcode.New(errorcode.InvalidRequest, "federated user can not become a space member")
- }
- }
-
 rootResourceID := space.GetRoot()
 return s.Invite(ctx, rootResourceID, invite)
 }