enforce set space quota permission

changelog/unreleased/update-enforce-permission.md

@@ -0,0 +1,5 @@
+Enhancement: Enforce permission on update space quota
+
+Added a check that only users with the `set-space-quota` permission can update the space quota.
+
+https://github.com/owncloud/ocis/pull/2650

changelog/unreleased/update-reva.md

@@ -1,6 +1,6 @@
-Enhancement: Update reva to v1.14.1-0.20211021070229-852282ce34f5
+Enhancement: Update reva to v1.14.1-0.20211022092730-84a5191f1c5a
 
-Updated reva to v1.14.1-0.20211021070229-852282ce34f5
+Updated reva to v1.14.1-0.20211022092730-84a5191f1c5a
 This update includes:
  * Fix [cs3org/reva#2168](https://github.com/cs3org/reva/pull/2168): Override provider if was previously registered
  * Fix [cs3org/reva#2173](https://github.com/cs3org/reva/pull/2173): Fix archiver max size reached error
@@ -15,6 +15,9 @@ This update includes:
  * Enh [cs3org/reva#2180](https://github.com/cs3org/reva/pull/2180): Remove OCDAV options namespace parameter
  * Enh [cs3org/reva#2170](https://github.com/cs3org/reva/pull/2170): Handle propfind requests for existing files
  * Enh [cs3org/reva#2165](https://github.com/cs3org/reva/pull/2165): Allow access to recycle bin for arbitrary paths outside homes
+ * Enh [cs3org/reva#2189](https://github.com/cs3org/reva/pull/2189): Add user settings capability
+ * Enh [cs3org/reva#2162](https://github.com/cs3org/reva/pull/2162): Implement the UpdateStorageSpace method
 
 https://github.com/owncloud/ocis/pull/2658
 https://github.com/owncloud/ocis/pull/2536
+https://github.com/owncloud/ocis/pull/2650

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/blevesearch/bleve/v2 v2.2.1
 	github.com/coreos/go-oidc/v3 v3.1.0
 	github.com/cs3org/go-cs3apis v0.0.0-20211018122138-391b29bd7803
-	github.com/cs3org/reva v1.14.1-0.20211021110426-87c920ffc25f
+	github.com/cs3org/reva v1.14.1-0.20211022131909-582ce36aadcc
 	github.com/disintegration/imaging v1.6.2
 	github.com/glauth/glauth/v2 v2.0.0-20211021011345-ef3151c28733
 	github.com/go-chi/chi/v5 v5.0.4

go.sum

@@ -305,8 +305,8 @@ github.com/crewjam/saml v0.4.5/go.mod h1:qCJQpUtZte9R1ZjUBcW8qtCNlinbO363ooNl02S
 github.com/cs3org/cato v0.0.0-20200828125504-e418fc54dd5e/go.mod h1:XJEZ3/EQuI3BXTp/6DUzFr850vlxq11I6satRtz0YQ4=
 github.com/cs3org/go-cs3apis v0.0.0-20211018122138-391b29bd7803 h1:R/6llgTNKxQQ7GaSTgFn6Fp8N50wIlagmdR7WY5LntM=
 github.com/cs3org/go-cs3apis v0.0.0-20211018122138-391b29bd7803/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva v1.14.1-0.20211021110426-87c920ffc25f h1:eTNBGvvU6r6OhnL/3M8QxdCp3yHgklhfMHktOa111BY=
-github.com/cs3org/reva v1.14.1-0.20211021110426-87c920ffc25f/go.mod h1:wkZXgaxq5nO6Dvl9qRpHpbGUQrWyTfwqWtBqOiCWy+k=
+github.com/cs3org/reva v1.14.1-0.20211022131909-582ce36aadcc h1:vl86n8Y9ucM1zBXjUJdA9UdkxXQawMNVUwLy5K8H2Rk=
+github.com/cs3org/reva v1.14.1-0.20211022131909-582ce36aadcc/go.mod h1:wkZXgaxq5nO6Dvl9qRpHpbGUQrWyTfwqWtBqOiCWy+k=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=

graph/pkg/service/v0/drives.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/CiscoM31/godata"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	cs3rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	v1beta11 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
@@ -26,6 +27,8 @@ import (
 	sproto "github.com/owncloud/ocis/settings/pkg/proto/v0"
 	settingsSvc "github.com/owncloud/ocis/settings/pkg/service/v0"
 	msgraph "github.com/owncloud/open-graph-api-go"
+
+	merrors "go-micro.dev/v4/errors"
 )
 
 // GetDrives implements the Service interface.
@@ -268,15 +271,31 @@ func (g Graph) UpdateDrive(w http.ResponseWriter, r *http.Request) {
 		// Prepare the object to apply the diff from. The properties on StorageSpace will overwrite
 		// the original storage space.
 		StorageSpace: &provider.StorageSpace{
+			Id: &storageprovider.StorageSpaceId{
+				OpaqueId: req.FirstSegment.Identifier.Get(),
+			},
 			Root: &provider.ResourceId{
 				StorageId: storageID,
 				OpaqueId:  opaqueID,
 			},
-			Name: *drive.Name,
 		},
 	}
 
+	if drive.Name != nil {
+		updateSpaceRequest.StorageSpace.Name = *drive.Name
+	}
+
 	if drive.Quota.HasTotal() {
+		user := ctxpkg.ContextMustGetUser(r.Context())
+		canSetSpaceQuota, err := canSetSpaceQuota(r.Context(), user)
+		if err != nil {
+			errorcode.GeneralException.Render(w, r, http.StatusInternalServerError, err.Error())
+			return
+		}
+		if !canSetSpaceQuota {
+			errorcode.GeneralException.Render(w, r, http.StatusUnauthorized, "user is not allowed to set the space quota")
+			return
+		}
 		updateSpaceRequest.StorageSpace.Quota = &storageprovider.Quota{
 			QuotaMaxBytes: uint64(*drive.Quota.Total),
 		}
@@ -489,3 +508,16 @@ func getQuota(quota *msgraph.Quota, defaultQuota string) *provider.Quota {
 		return nil
 	}
 }
+
+func canSetSpaceQuota(ctx context.Context, user *userv1beta1.User) (bool, error) {
+	settingsService := sproto.NewPermissionService("com.owncloud.api.settings", grpc.DefaultClient)
+	_, err := settingsService.GetPermissionByID(ctx, &sproto.GetPermissionByIDRequest{PermissionId: settingsSvc.SetSpaceQuotaPermissionID})
+	if err != nil {
+		merror := merrors.FromError(err)
+		if merror.Status == http.StatusText(http.StatusNotFound) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}