bump reva to latest edge (#7727)

* bump reva to latest edge To get https://github.com/cs3org/reva/pull/4336 * graph: Import unified role related code from reva The UnifiedRole related types are pretty specific to the graph service. Maintaining them as part of reva makes things more complex that required. * chore: add failing cases to the expected failures --------- Co-authored-by: Florian Schade <f.schade@icloud.com>
2026-04-26 05:58:27 -05:00 · 2023-11-17 09:18:45 +01:00
parent 6bfbbc3877
commit 50f63bf436
20 changed files with 173 additions and 69 deletions
@@ -25,6 +25,7 @@ import (
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	"github.com/cs3org/reva/v2/pkg/appctx"
+	"github.com/cs3org/reva/v2/pkg/conversions"
 	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
 	"github.com/cs3org/reva/v2/pkg/errtypes"
 	"github.com/cs3org/reva/v2/pkg/publicshare"
@@ -44,6 +45,7 @@ type config struct {
 	Driver                         string                            `mapstructure:"driver"`
 	Drivers                        map[string]map[string]interface{} `mapstructure:"drivers"`
 	AllowedPathsForShares          []string                          `mapstructure:"allowed_paths_for_shares"`
+	EnableExpiredSharesCleanup     bool                              `mapstructure:"enable_expired_shares_cleanup"`
 	WriteableShareMustHavePassword bool                              `mapstructure:"writeable_share_must_have_password"`
 }

@@ -136,6 +138,12 @@ func (s *service) CreatePublicShare(ctx context.Context, req *link.CreatePublicS
 	log := appctx.GetLogger(ctx)
 	log.Info().Str("publicshareprovider", "create").Msg("create public share")

+	if !conversions.SufficientCS3Permissions(req.GetResourceInfo().GetPermissionSet(), req.GetGrant().GetPermissions().GetPermissions()) {
+		return &link.CreatePublicShareResponse{
+			Status: status.NewInvalid(ctx, "insufficient permissions to create that kind of share"),
+		}, nil
+	}
+
 	if !s.isPathAllowed(req.ResourceInfo.Path) {
 		return &link.CreatePublicShareResponse{
 			Status: status.NewInvalid(ctx, "share creation is not allowed for the specified path"),
@@ -25,7 +25,12 @@ import (
 	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	"github.com/mitchellh/mapstructure"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+
 	"github.com/cs3org/reva/v2/pkg/appctx"
+	"github.com/cs3org/reva/v2/pkg/conversions"
 	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
 	"github.com/cs3org/reva/v2/pkg/errtypes"
 	"github.com/cs3org/reva/v2/pkg/rgrpc"
@@ -33,9 +38,6 @@ import (
 	"github.com/cs3org/reva/v2/pkg/share"
 	"github.com/cs3org/reva/v2/pkg/share/manager/registry"
 	"github.com/cs3org/reva/v2/pkg/utils"
-	"github.com/mitchellh/mapstructure"
-	"github.com/pkg/errors"
-	"google.golang.org/grpc"
 )

 func init() {
@@ -135,31 +137,45 @@ func (s *service) isPathAllowed(path string) bool {
 }

 func (s *service) CreateShare(ctx context.Context, req *collaboration.CreateShareRequest) (*collaboration.CreateShareResponse, error) {
-	u := ctxpkg.ContextMustGetUser(ctx)
-	if req.Grant.Grantee.Type == provider.GranteeType_GRANTEE_TYPE_USER && req.Grant.Grantee.GetUserId().Idp == "" {
+	user := ctxpkg.ContextMustGetUser(ctx)
+
+	if req.GetGrant().GetGrantee().GetType() == provider.GranteeType_GRANTEE_TYPE_USER && req.GetGrant().GetGrantee().GetUserId().GetIdp() == "" {
 		// use logged in user Idp as default.
-		g := &userpb.UserId{OpaqueId: req.Grant.Grantee.GetUserId().OpaqueId, Idp: u.Id.Idp, Type: userpb.UserType_USER_TYPE_PRIMARY}
-		req.Grant.Grantee.Id = &provider.Grantee_UserId{UserId: g}
+		req.GetGrant().GetGrantee().Id = &provider.Grantee_UserId{
+			UserId: &userpb.UserId{
+				OpaqueId: req.GetGrant().GetGrantee().GetUserId().GetOpaqueId(),
+				Idp:      user.GetId().GetIdp(),
+				Type:     userpb.UserType_USER_TYPE_PRIMARY},
+		}
 	}

-	if !s.isPathAllowed(req.ResourceInfo.Path) {
+	// check if the requested share creation has sufficient permissions to do so.
+	if shareCreationAllowed := conversions.SufficientCS3Permissions(
+		req.GetResourceInfo().GetPermissionSet(),
+		req.GetGrant().GetPermissions().GetPermissions(),
+	); !shareCreationAllowed {
+		return &collaboration.CreateShareResponse{
+			Status: status.NewInvalid(ctx, "insufficient permissions to create that kind of share"),
+		}, nil
+	}
+
+	if !s.isPathAllowed(req.GetResourceInfo().GetPath()) {
 		return &collaboration.CreateShareResponse{
 			Status: status.NewInvalid(ctx, "share creation is not allowed for the specified path"),
 		}, nil
 	}

-	share, err := s.sm.Share(ctx, req.ResourceInfo, req.Grant)
+	createdShare, err := s.sm.Share(ctx, req.GetResourceInfo(), req.GetGrant())
 	if err != nil {
 		return &collaboration.CreateShareResponse{
 			Status: status.NewStatusFromErrType(ctx, "error creating share", err),
 		}, nil
 	}

-	res := &collaboration.CreateShareResponse{
+	return &collaboration.CreateShareResponse{
 		Status: status.NewOK(ctx),
-		Share:  share,
-	}
-	return res, nil
+		Share:  createdShare,
+	}, nil
 }

 func (s *service) RemoveShare(ctx context.Context, req *collaboration.RemoveShareRequest) (*collaboration.RemoveShareResponse, error) {
@@ -614,6 +614,24 @@ func (s *svc) handleUnlock(w http.ResponseWriter, r *http.Request, ns string) (s
 		return http.StatusInternalServerError, errtypes.NewErrtypeFromStatus(cs3Status)
 	}

+	return s.unlockReference(ctx, w, r, ref)
+}
+
+func (s *svc) handleSpaceUnlock(w http.ResponseWriter, r *http.Request, spaceID string) (status int, err error) {
+	ctx, span := appctx.GetTracerProvider(r.Context()).Tracer(tracerName).Start(r.Context(), fmt.Sprintf("%s %v", r.Method, r.URL.Path))
+	defer span.End()
+
+	span.SetAttributes(attribute.String("component", "ocdav"))
+
+	ref, err := spacelookup.MakeStorageSpaceReference(spaceID, r.URL.Path)
+	if err != nil {
+		return http.StatusBadRequest, fmt.Errorf("invalid space id")
+	}
+
+	return s.unlockReference(ctx, w, r, &ref)
+}
+
+func (s *svc) unlockReference(ctx context.Context, _ http.ResponseWriter, r *http.Request, ref *provider.Reference) (retStatus int, retErr error) {
 	// http://www.webdav.org/specs/rfc4918.html#HEADER_Lock-Token says that the
 	// Lock-Token value should be a Coded-URL OR a token. We strip its angle brackets.
 	t := r.Header.Get(net.HeaderLockToken)
@@ -621,7 +639,7 @@ func (s *svc) handleUnlock(w http.ResponseWriter, r *http.Request, ns string) (s
 		t = t[1 : len(t)-1]
 	}

-	switch err = s.LockSystem.Unlock(r.Context(), time.Now(), ref, t); err {
+	switch err := s.LockSystem.Unlock(ctx, time.Now(), ref, t); err {
 	case nil:
 		return http.StatusNoContent, err
 	case errors.ErrForbidden:
@@ -158,7 +158,7 @@ func (h *MetaHandler) handlePathForUser(w http.ResponseWriter, r *http.Request,
 			prop.Escaped("oc:meta-path-for-user", pathRes.Path),
 			prop.Escaped("oc:id", id),
 			prop.Escaped("oc:fileid", id),
-			prop.Escaped("oc:spaceid", rid.GetStorageId()),
+			prop.Escaped("oc:spaceid", storagespace.FormatStorageID(rid.GetStorageId(), rid.GetSpaceId())),
 		},
 	}
 	baseURI := ctx.Value(net.CtxKeyBaseURI).(string)
@@ -86,7 +86,7 @@ func (h *SpacesHandler) Handler(s *svc, trashbinHandler *TrashbinHandler) http.H
 		case MethodLock:
 			status, err = s.handleSpacesLock(w, r, spaceID)
 		case MethodUnlock:
-			status, err = s.handleUnlock(w, r, spaceID)
+			status, err = s.handleSpaceUnlock(w, r, spaceID)
 		case MethodMkcol:
 			status, err = s.handleSpacesMkCol(w, r, spaceID)
 		case MethodMove:
@@ -160,7 +160,7 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request,
 		p := role.OCSPermissions()
 		p &^= conversions.PermissionCreate
 		p &^= conversions.PermissionDelete
-		permissions = conversions.RoleFromOCSPermissions(p).CS3ResourcePermissions()
+		permissions = conversions.RoleFromOCSPermissions(p, statInfo).CS3ResourcePermissions()
 	}

 	if !sufficientPermissions(statInfo.PermissionSet, permissions, true) {
@@ -636,7 +636,7 @@ func ocPublicPermToCs3(pk *int) (*provider.ResourcePermissions, error) {
 		return nil, err
 	}

-	return conversions.RoleFromOCSPermissions(perm).CS3ResourcePermissions(), nil
+	return conversions.RoleFromOCSPermissions(perm, nil).CS3ResourcePermissions(), nil
 }

 // pointer will be nil if no permission is set
@@ -465,7 +465,7 @@ func (h *Handler) extractPermissions(reqRole string, reqPermissions string, ri *
 					Error:   err,
 				}
 			}
-			role = conversions.RoleFromOCSPermissions(perm)
+			role = conversions.RoleFromOCSPermissions(perm, ri)
 		}
 	}

@@ -481,7 +481,7 @@ func (h *Handler) extractPermissions(reqRole string, reqPermissions string, ri *
 				Error:   errors.New("cannot set the requested share permissions"),
 			}
 		}
-		role = conversions.RoleFromOCSPermissions(permissions)
+		role = conversions.RoleFromOCSPermissions(permissions, ri)
 	}

 	if !sufficientPermissions(ri.PermissionSet, role.CS3ResourcePermissions(), false) && role.Name != conversions.RoleDenied {
@@ -150,7 +150,7 @@ func IntTosharePerm(p int, itemType string) *provider.ResourcePermissions {
 		if itemType == "folder" {
 			return conversions.NewEditorRole(false).CS3ResourcePermissions()
 		}
-		return conversions.NewFileEditorRole().CS3ResourcePermissions()
+		return conversions.NewFileEditorRole(false).CS3ResourcePermissions()
 	case 4:
 		return conversions.NewUploaderRole().CS3ResourcePermissions()
 	default:
@@ -21,6 +21,7 @@ package conversions

 import (
 	"fmt"
+	"reflect"
 	"strings"

 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
@@ -153,7 +154,7 @@ func RoleFromName(name string, sharing bool) *Role {
 	case RoleSpaceEditor:
 		return NewSpaceEditorRole()
 	case RoleFileEditor:
-		return NewFileEditorRole()
+		return NewFileEditorRole(sharing)
 	case RoleUploader:
 		return NewUploaderRole()
 	case RoleManager:
@@ -270,10 +271,15 @@ func NewSpaceEditorRole() *Role {
 }

 // NewFileEditorRole creates a file-editor role
-func NewFileEditorRole() *Role {
+func NewFileEditorRole(sharing bool) *Role {
+	p := PermissionRead | PermissionWrite
+	if sharing {
+		p |= PermissionShare
+	}
 	return &Role{
 		Name: RoleEditor,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
+			AddGrant:             sharing,
 			GetPath:              true,
 			GetQuota:             true,
 			InitiateFileDownload: true,
@@ -284,7 +290,7 @@ func NewFileEditorRole() *Role {
 			InitiateFileUpload:   true,
 			RestoreRecycleItem:   true,
 		},
-		ocsPermissions: PermissionRead | PermissionWrite,
+		ocsPermissions: p,
 	}
 }

@@ -372,8 +378,7 @@ func NewManagerRole() *Role {

 // RoleFromOCSPermissions tries to map ocs permissions to a role
 // TODO: rethink using this. ocs permissions cannot be assigned 1:1 to roles
-// NOTE: If resharing=false in the system this function will return SpaceViewerRole instead ViewerRole
-func RoleFromOCSPermissions(p Permissions) *Role {
+func RoleFromOCSPermissions(p Permissions, ri *provider.ResourceInfo) *Role {
 	if p == PermissionInvalid {
 		return NewNoneRole()
 	}
@@ -384,14 +389,18 @@ func RoleFromOCSPermissions(p Permissions) *Role {
 				return NewEditorRole(true)
 			}

-			return NewSpaceEditorRole()
+			if isSpaceRoot(ri) {
+				return NewSpaceEditorRole()
+			}
 		}
-		if p == PermissionRead|PermissionShare {
-			return NewViewerRole(true)
-		}
-		if p == PermissionRead {
+
+		if p == PermissionRead && isSpaceRoot(ri) {
 			return NewSpaceViewerRole()
 		}
+
+		if p == PermissionRead|PermissionShare && !isSpaceRoot(ri) {
+			return NewViewerRole(true)
+		}
 	}
 	if p == PermissionCreate {
 		return NewUploaderRole()
@@ -400,6 +409,22 @@ func RoleFromOCSPermissions(p Permissions) *Role {
 	return NewLegacyRoleFromOCSPermissions(p)
 }

+func isSpaceRoot(ri *provider.ResourceInfo) bool {
+	if ri == nil {
+		return false
+	}
+	if ri.Type != provider.ResourceType_RESOURCE_TYPE_CONTAINER {
+		return false
+	}
+
+	if ri.GetId().GetOpaqueId() != ri.GetSpace().GetRoot().GetOpaqueId() ||
+		ri.GetId().GetSpaceId() != ri.GetSpace().GetRoot().GetSpaceId() ||
+		ri.GetId().GetStorageId() != ri.GetSpace().GetRoot().GetStorageId() {
+		return false
+	}
+	return true
+}
+
 // NewLegacyRoleFromOCSPermissions tries to map a legacy combination of ocs permissions to cs3 resource permissions as a legacy role
 func NewLegacyRoleFromOCSPermissions(p Permissions) *Role {
 	r := &Role{
@@ -508,3 +533,33 @@ func RoleFromResourcePermissions(rp *provider.ResourcePermissions, islink bool)
 	// TODO what about even more granular cs3 permissions?, eg. only stat
 	return r
 }
+
+// SufficientCS3Permissions returns true if the `existing` permissions contain the `requested` permissions
+func SufficientCS3Permissions(existing, requested *provider.ResourcePermissions) bool {
+	if existing == nil || requested == nil {
+		return false
+	}
+	// empty permissions represent a denial
+	if grants.PermissionsEqual(requested, &provider.ResourcePermissions{}) {
+		return existing.DenyGrant
+	}
+	requestedPermissionsType := reflect.TypeOf(provider.ResourcePermissions{})
+	numFields := requestedPermissionsType.NumField()
+	requestedPermissionsValues := reflect.ValueOf(requested)
+	existingPermissionsValues := reflect.ValueOf(existing)
+
+	for i := 0; i < numFields; i++ {
+		permissionName := requestedPermissionsType.Field(i).Name
+		// filter out irrelevant fields
+		if strings.Contains(permissionName, "XXX") {
+			continue
+		}
+		existingPermission := reflect.Indirect(existingPermissionsValues).FieldByName(permissionName).Bool()
+		requestedPermission := requestedPermissionsValues.Elem().Field(i).Bool()
+		// every requested permission needs to exist for the creator
+		if requestedPermission && !existingPermission {
+			return false
+		}
+	}
+	return true
+}
@@ -1,262 +0,0 @@
-package conversions
-
-import (
-	libregraph "github.com/owncloud/libre-graph-api-go"
-	"google.golang.org/protobuf/proto"
-)
-
-const (
-	// UnifiedRoleViewerID Unified role viewer id.
-	UnifiedRoleViewerID = "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5"
-	// UnifiedRoleSpaceViewerID Unified role space viewer id.
-	UnifiedRoleSpaceViewerID = "a8d5fe5e-96e3-418d-825b-534dbdf22b99"
-	// UnifiedRoleEditorID Unified role editor id.
-	UnifiedRoleEditorID = "fb6c3e19-e378-47e5-b277-9732f9de6e21"
-	// UnifiedRoleSpaceEditorID Unified role space editor id.
-	UnifiedRoleSpaceEditorID = "58c63c02-1d89-4572-916a-870abc5a1b7d"
-	// UnifiedRoleFileEditorID Unified role file editor id.
-	UnifiedRoleFileEditorID = "2d00ce52-1fc2-4dbc-8b95-a73b73395f5a"
-	// UnifiedRoleCoownerID Unified role coowner id.
-	UnifiedRoleCoownerID = "3a4ba8e9-6a0d-4235-9140-0e7a34007abe"
-	// UnifiedRoleUploaderID Unified role uploader id.
-	UnifiedRoleUploaderID = "1c996275-f1c9-4e71-abdf-a42f6495e960"
-	// UnifiedRoleManagerID Unified role manager id.
-	UnifiedRoleManagerID = "312c0871-5ef7-4b3a-85b6-0e4074c64049"
-
-	// UnifiedRoleConditionSelf TODO defines constraints
-	UnifiedRoleConditionSelf = "Self: @Subject.objectId == @Resource.objectId"
-	// UnifiedRoleConditionOwner defines constraints when the principal is the owner of the target resource
-	UnifiedRoleConditionOwner = "Owner: @Subject.objectId Any_of @Resource.owners"
-	// UnifiedRoleConditionGrantee does not exist in MS Graph, but we use it to express permissions on shared resources
-	UnifiedRoleConditionGrantee = "Grantee: @Subject.objectId Any_of @Resource.grantee"
-)
-
-// NewViewerUnifiedRole creates a viewer role. `sharing` indicates if sharing permission should be added
-func NewViewerUnifiedRole(sharing bool) *libregraph.UnifiedRoleDefinition {
-	r := NewViewerRole(sharing)
-	return &libregraph.UnifiedRoleDefinition{
-		Id:          proto.String(UnifiedRoleViewerID),
-		Description: proto.String("Allows reading the shared file or folder"),
-		DisplayName: displayName(r),
-		RolePermissions: []libregraph.UnifiedRolePermission{
-			{
-				AllowedResourceActions: convert(r),
-				Condition:              proto.String(UnifiedRoleConditionGrantee),
-			},
-		},
-		LibreGraphWeight: proto.Int32(0),
-	}
-}
-
-// NewSpaceViewerUnifiedRole creates a spaceviewer role
-func NewSpaceViewerUnifiedRole() *libregraph.UnifiedRoleDefinition {
-	r := NewSpaceViewerRole()
-	return &libregraph.UnifiedRoleDefinition{
-		Id:          proto.String(UnifiedRoleSpaceViewerID),
-		Description: proto.String("Allows reading the shared space"),
-		DisplayName: displayName(r),
-		RolePermissions: []libregraph.UnifiedRolePermission{
-			{
-				AllowedResourceActions: convert(r),
-				Condition:              proto.String(UnifiedRoleConditionOwner),
-			},
-		},
-		LibreGraphWeight: proto.Int32(0),
-	}
-}
-
-// NewEditorUnifiedRole creates an editor role. `sharing` indicates if sharing permission should be added
-func NewEditorUnifiedRole(sharing bool) *libregraph.UnifiedRoleDefinition {
-	r := NewEditorRole(sharing)
-	return &libregraph.UnifiedRoleDefinition{
-		Id:          proto.String(UnifiedRoleEditorID),
-		Description: proto.String("Allows creating, reading, updating and deleting the shared file or folder"),
-		DisplayName: displayName(r),
-		RolePermissions: []libregraph.UnifiedRolePermission{
-			{
-				AllowedResourceActions: convert(r),
-				Condition:              proto.String(UnifiedRoleConditionGrantee),
-			},
-		},
-		LibreGraphWeight: proto.Int32(0),
-	}
-}
-
-// NewSpaceEditorUnifiedRole creates an editor role
-func NewSpaceEditorUnifiedRole() *libregraph.UnifiedRoleDefinition {
-	r := NewSpaceEditorRole()
-	return &libregraph.UnifiedRoleDefinition{
-		Id:          proto.String(UnifiedRoleSpaceEditorID),
-		Description: proto.String("Allows creating, reading, updating and deleting file or folder in the shared space"),
-		DisplayName: displayName(r),
-		RolePermissions: []libregraph.UnifiedRolePermission{
-			{
-				AllowedResourceActions: convert(r),
-				Condition:              proto.String(UnifiedRoleConditionOwner),
-			},
-		},
-		LibreGraphWeight: proto.Int32(0),
-	}
-}
-
-// NewFileEditorUnifiedRole creates a file-editor role
-func NewFileEditorUnifiedRole() *libregraph.UnifiedRoleDefinition {
-	r := NewFileEditorRole()
-	return &libregraph.UnifiedRoleDefinition{
-		Id:          proto.String(UnifiedRoleFileEditorID),
-		Description: proto.String("Allows reading and updating file"),
-		DisplayName: displayName(r),
-		RolePermissions: []libregraph.UnifiedRolePermission{
-			{
-				AllowedResourceActions: convert(r),
-				Condition:              proto.String(UnifiedRoleConditionGrantee),
-			},
-		},
-		LibreGraphWeight: proto.Int32(0),
-	}
-}
-
-// NewCoownerUnifiedRole creates a coowner role.
-func NewCoownerUnifiedRole() *libregraph.UnifiedRoleDefinition {
-	r := NewCoownerRole()
-	return &libregraph.UnifiedRoleDefinition{
-		Id:          proto.String(UnifiedRoleCoownerID),
-		Description: proto.String("Grants co-owner permissions on a resource"),
-		DisplayName: displayName(r),
-		RolePermissions: []libregraph.UnifiedRolePermission{
-			{
-				AllowedResourceActions: convert(r),
-				Condition:              proto.String(UnifiedRoleConditionGrantee),
-			},
-		},
-		LibreGraphWeight: proto.Int32(0),
-	}
-}
-
-// NewUploaderUnifiedRole creates an uploader role
-func NewUploaderUnifiedRole() *libregraph.UnifiedRoleDefinition {
-	r := NewUploaderRole()
-	return &libregraph.UnifiedRoleDefinition{
-		Id:          proto.String(UnifiedRoleUploaderID),
-		Description: proto.String("Allows upload file or folder"),
-		DisplayName: displayName(r),
-		RolePermissions: []libregraph.UnifiedRolePermission{
-			{
-				AllowedResourceActions: convert(r),
-				Condition:              proto.String(UnifiedRoleConditionGrantee),
-			},
-		},
-		LibreGraphWeight: proto.Int32(0),
-	}
-}
-
-// NewManagerUnifiedRole creates a manager role
-func NewManagerUnifiedRole() *libregraph.UnifiedRoleDefinition {
-	r := NewManagerRole()
-	return &libregraph.UnifiedRoleDefinition{
-		Id:          proto.String(UnifiedRoleManagerID),
-		Description: proto.String("Grants manager permissions on a resource. Semantically equivalent to co-owner"),
-		DisplayName: displayName(r),
-		RolePermissions: []libregraph.UnifiedRolePermission{
-			{
-				AllowedResourceActions: convert(r),
-				Condition:              proto.String(UnifiedRoleConditionGrantee),
-			},
-		},
-		LibreGraphWeight: proto.Int32(0),
-	}
-}
-
-func displayName(role *Role) *string {
-	if role == nil {
-		return nil
-	}
-	var displayName string
-	switch role.Name {
-	case RoleViewer:
-		displayName = "Viewer"
-	case RoleSpaceViewer:
-		displayName = "Space Viewer"
-	case RoleEditor:
-		displayName = "Editor"
-	case RoleSpaceEditor:
-		displayName = "Space Editor"
-	case RoleFileEditor:
-		displayName = "File Editor"
-	case RoleCoowner:
-		displayName = "Co Owner"
-	case RoleUploader:
-		displayName = "Uploader"
-	case RoleManager:
-		displayName = "Manager"
-	default:
-		return nil
-	}
-	return proto.String(displayName)
-}
-
-func convert(role *Role) []string {
-	actions := make([]string, 0, 8)
-	if role == nil && role.cS3ResourcePermissions == nil {
-		return actions
-	}
-	p := role.CS3ResourcePermissions()
-	if p.AddGrant {
-		actions = append(actions, "libre.graph/driveItem/permissions/create")
-	}
-	if p.CreateContainer {
-		actions = append(actions, "libre.graph/driveItem/children/create")
-	}
-	if p.Delete {
-		actions = append(actions, "libre.graph/driveItem/standard/delete")
-	}
-	if p.GetPath {
-		actions = append(actions, "libre.graph/driveItem/path/read")
-	}
-	if p.GetQuota {
-		actions = append(actions, "libre.graph/driveItem/quota/read")
-	}
-	if p.InitiateFileDownload {
-		actions = append(actions, "libre.graph/driveItem/content/read")
-	}
-	if p.InitiateFileUpload {
-		actions = append(actions, "libre.graph/driveItem/upload/create")
-	}
-	if p.ListGrants {
-		actions = append(actions, "libre.graph/driveItem/permissions/read")
-	}
-	if p.ListContainer {
-		actions = append(actions, "libre.graph/driveItem/children/read")
-	}
-	if p.ListFileVersions {
-		actions = append(actions, "libre.graph/driveItem/versions/read")
-	}
-	if p.ListRecycle {
-		actions = append(actions, "libre.graph/driveItem/deleted/read")
-	}
-	if p.Move {
-		actions = append(actions, "libre.graph/driveItem/path/update")
-	}
-	if p.RemoveGrant {
-		actions = append(actions, "libre.graph/driveItem/permissions/delete")
-	}
-	if p.PurgeRecycle {
-		actions = append(actions, "libre.graph/driveItem/deleted/delete")
-	}
-	if p.RestoreFileVersion {
-		actions = append(actions, "libre.graph/driveItem/versions/update")
-	}
-	if p.RestoreRecycleItem {
-		actions = append(actions, "libre.graph/driveItem/deleted/update")
-	}
-	if p.Stat {
-		actions = append(actions, "libre.graph/driveItem/basic/read")
-	}
-	if p.UpdateGrant {
-		actions = append(actions, "libre.graph/driveItem/permissions/update")
-	}
-	if p.DenyGrant {
-		actions = append(actions, "libre.graph/driveItem/permissions/deny")
-	}
-	return actions
-}
@@ -162,7 +162,7 @@ func intTosharePerm(p int) (*provider.ResourcePermissions, error) {
 		return nil, err
 	}

-	return conversions.RoleFromOCSPermissions(perms).CS3ResourcePermissions(), nil
+	return conversions.RoleFromOCSPermissions(perms, nil).CS3ResourcePermissions(), nil
 }

 func formatUserID(u *userpb.UserId) string {
@@ -214,7 +214,7 @@ func intTosharePerm(p int) (*provider.ResourcePermissions, error) {
 		return nil, err
 	}

-	return conversions.RoleFromOCSPermissions(perms).CS3ResourcePermissions(), nil
+	return conversions.RoleFromOCSPermissions(perms, nil).CS3ResourcePermissions(), nil
 }

 func intToShareState(g int) collaboration.ShareState {
@@ -362,7 +362,7 @@ func (c *Cache) Permissions(ctx context.Context, storage interface{}, p string)
 		return nil, err
 	}

-	return conversions.RoleFromOCSPermissions(perms).CS3ResourcePermissions(), nil
+	return conversions.RoleFromOCSPermissions(perms, nil).CS3ResourcePermissions(), nil
 }

 // InsertOrUpdate creates or updates a cache entry
@@ -650,7 +650,7 @@ func (fs *owncloudsqlfs) readPermissions(ctx context.Context, ip string) (p *pro
 	if err != nil {
 		return nil, err
 	}
-	return conversions.RoleFromOCSPermissions(perms).CS3ResourcePermissions(), nil
+	return conversions.RoleFromOCSPermissions(perms, nil).CS3ResourcePermissions(), nil
 }

 // The os not exists error is buried inside the xattr error,