From 40da95e1c08e36d406d86fa1f616a7b782253aa1 Mon Sep 17 00:00:00 2001
From: Roman Perekhod <2403905@gmail.com>
Date: Fri, 8 Dec 2023 10:46:22 +0100
Subject: [PATCH] [full-ci] fix public link update (#7862)
* the tests were modified
* Update tests/acceptance/features/coreApiSharePublicLink1/changingPublicLinkShare.feature
Co-authored-by: Sawjan Gurung
* the expected failures removed
* change log added, reva bumped.
---------
Co-authored-by: Roman Perekhod
Co-authored-by: Sawjan Gurung
---
 .../unreleased/fix-public-link-update.md | 6 ++++++
 go.mod | 2 +-
 go.sum | 4 ++--
 .../expected-failures-API-on-OCIS-storage.md | 5 -----
 .../updatePublicLinkShare.feature | 19 -------------------
 .../handlers/apps/sharing/shares/public.go | 12 +++++++++---
 vendor/modules.txt | 2 +-
 7 files changed, 19 insertions(+), 31 deletions(-)
 create mode 100644 changelog/unreleased/fix-public-link-update.md
diff --git a/changelog/unreleased/fix-public-link-update.md b/changelog/unreleased/fix-public-link-update.md
new file mode 100644
index 000000000..c001dca67
--- /dev/null
+++ b/changelog/unreleased/fix-public-link-update.md
@@ -0,0 +1,6 @@
+Bugfix: Fix the public link update
+
+We fixed a bug when normal users can update the public link to delete its password if permission is not sent in data.
+
+https://github.com/owncloud/ocis/pull/7862
+https://github.com/owncloud/ocis/issues/7821
diff --git a/go.mod b/go.mod
index a7561e610..1f62ecb96 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/coreos/go-oidc v2.2.1+incompatible
 github.com/coreos/go-oidc/v3 v3.8.0
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781
- github.com/cs3org/reva/v2 v2.16.1-0.20231206142634-7b47abdafd55
+ github.com/cs3org/reva/v2 v2.16.1-0.20231208083424-41aa50b4a2e8
 github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25
 github.com/disintegration/imaging v1.6.2
 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
diff --git a/go.sum b/go.sum
index 9c3433416..d1e01c5d9 100644
--- a/go.sum
+++ b/go.sum
@@ -1017,8 +1017,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c= github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= -github.com/cs3org/reva/v2 v2.16.1-0.20231206142634-7b47abdafd55 h1:89YKeYd7nFa1AassJRvA8KOCpFN/4mfaiSxytUnG/AI= -github.com/cs3org/reva/v2 v2.16.1-0.20231206142634-7b47abdafd55/go.mod h1:zcrrYVsBv/DwhpyO2/W5hoSZ/k6az6Z2EYQok65uqZY= +github.com/cs3org/reva/v2 v2.16.1-0.20231208083424-41aa50b4a2e8 h1:Z1i5VmeHNc6n0jIl/Iljfs+gt7bhdcVT/5cNxn1XIs4= +github.com/cs3org/reva/v2 v2.16.1-0.20231208083424-41aa50b4a2e8/go.mod h1:zcrrYVsBv/DwhpyO2/W5hoSZ/k6az6Z2EYQok65uqZY= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
diff --git a/tests/acceptance/expected-failures-API-on-OCIS-storage.md b/tests/acceptance/expected-failures-API-on-OCIS-storage.md
index 28d000276..238c0ba1e 100644
--- a/tests/acceptance/expected-failures-API-on-OCIS-storage.md
+++ b/tests/acceptance/expected-failures-API-on-OCIS-storage.md
@@ -515,10 +515,5 @@ Not everything needs to be implemented for ocis. While the oc10 testsuite covers
 - [coreApiShareCreateSpecialToShares2/createShareDefaultFolderForReceivedShares.feature:22](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiShareCreateSpecialToShares2/createShareDefaultFolderForReceivedShares.feature#L22)
 - [coreApiShareCreateSpecialToShares2/createShareDefaultFolderForReceivedShares.feature:23](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiShareCreateSpecialToShares2/createShareDefaultFolderForReceivedShares.feature#L23)
 
-#### [Normal users can update the public link to delete its password if permission is not sent in data](https://github.com/owncloud/ocis/issues/7821)
-
-- [coreApiSharePublicLink1/changingPublicLinkShare.feature:171](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiSharePublicLink1/changingPublicLinkShare.feature#L171)
-- [coreApiSharePublicLink1/changingPublicLinkShare.feature:172](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiSharePublicLink1/changingPublicLinkShare.feature#L172)
-
 Note: always have an empty line at the end of this file.
 The bash script that processes this file requires that the last line has a newline on the end.
diff --git a/tests/acceptance/features/coreApiSharePublicLink3/updatePublicLinkShare.feature b/tests/acceptance/features/coreApiSharePublicLink3/updatePublicLinkShare.feature
index c68f55000..07970716c 100644
--- a/tests/acceptance/features/coreApiSharePublicLink3/updatePublicLinkShare.feature
+++ b/tests/acceptance/features/coreApiSharePublicLink3/updatePublicLinkShare.feature
@@ -101,25 +101,6 @@ Feature: update a public link share
 | 2 | 200 |
 
 
- Scenario Outline: creating a new public link share with password and removing (updating) it to make the resources accessible without password using public API
- Given using OCS API version ""
- And user "Alice" has uploaded file with content "Random data" to "/randomfile.txt"
- And user "Alice" has created a public link share with settings
- | path | randomfile.txt |
- | password | %public% |
- When user "Alice" updates the last public link share using the sharing API with
- #removing password is basically making password empty
- | password | %remove% |
- Then the OCS status code should be ""
- And the HTTP status code should be "200"
- And the public should be able to download the last publicly shared file using the old public WebDAV API without a password and the content should be "Random data"
- And the public should be able to download the last publicly shared file using the new public WebDAV API without a password and the content should be "Random data"
- Examples:
- | ocs_api_version | ocs_status_code |
- | 1 | 100 |
- | 2 | 200 |
-
-
 Scenario Outline: creating a new public link share, updating its password and getting its info
 Given using OCS API version ""
 And user "Alice" has created folder "FOLDER"
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go
index 092d6c3b4..dd636f4b5 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go
@@ -419,9 +419,15 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 }
 
 // empty permissions mean internal link here - NOT denial. Hence we need an extra check
- if !sufficientPermissions(statRes.GetInfo().GetPermissionSet(), newPermissions, true) {
- response.WriteOCSError(w, r, http.StatusForbidden, "no share permission", nil)
- return
+ if newPermissions != nil {
+ if !sufficientPermissions(statRes.GetInfo().GetPermissionSet(), newPermissions, true) {
+ response.WriteOCSError(w, r, http.StatusForbidden, "no share permission", nil)
+ return
+ }
+ } else {
+ statRes.GetInfo().GetPermissionSet()
+ p := decreasePermissionsIfNecessary(int(conversions.RoleFromResourcePermissions(statRes.GetInfo().GetPermissionSet(), false).OCSPermissions()))
+ permKey = &p
 }
 
 // ExpireDate
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7d8577238..6f3e8789b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -359,7 +359,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.16.1-0.20231206142634-7b47abdafd55 +# github.com/cs3org/reva/v2 v2.16.1-0.20231208083424-41aa50b4a2e8 ## explicit; go 1.20 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime
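Review bot: In the public.go hunk, the new `else` branch of updatePublicShare opens with the bare statement `statRes.GetInfo().GetPermissionSet()`, whose result is discarded; it does nothing and should be deleted. In the same branch `permKey` is filled from the permission set on `statRes`, which appears to be the caller's permissions on the resource rather than the permissions the link already carries, so whatever later check reads `permKey` (presumably the one deciding whether the password may be removed, outside this hunk) would be evaluated against the updater's role; that should be confirmed, or the value taken from the existing share. A comment on the branch, e.g. `// no permissions in the request: derive permKey so the checks below still see a permission value`, would record the intent. updatePublicShare starts and ends outside the hunk, and because the file lives under vendor/ the change itself belongs upstream in cs3org/reva.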