From 73f87a003ce845c9154eb30aa033ee0f4bef7230 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Thu, 9 Nov 2023 13:27:21 +0100 Subject: [PATCH 1/3] refactor settings/pkg/store/defaults Signed-off-by: jkoberg --- services/graph/pkg/service/v0/drives.go | 12 +- .../settings/pkg/store/defaults/defaults.go | 748 +----------------- .../pkg/store/defaults/permissions.go | 376 +++++++++ 3 files changed, 422 insertions(+), 714 deletions(-) create mode 100644 services/settings/pkg/store/defaults/permissions.go diff --git a/services/graph/pkg/service/v0/drives.go b/services/graph/pkg/service/v0/drives.go index fe4c42b923..9901b2c2fd 100644 --- a/services/graph/pkg/service/v0/drives.go +++ b/services/graph/pkg/service/v0/drives.go @@ -220,7 +220,7 @@ func (g Graph) GetSingleDrive(w http.ResponseWriter, r *http.Request) { func (g Graph) canCreateSpace(ctx context.Context, ownPersonalHome bool) bool { pr, err := g.permissionsService.GetPermissionByID(ctx, &settingssvc.GetPermissionByIDRequest{ - PermissionId: settingsServiceExt.CreateSpacePermissionID, + PermissionId: settingsServiceExt.CreateSpacesPermission(0).Id, }) if err != nil || pr.Permission == nil { return false @@ -586,13 +586,13 @@ func (g Graph) ListStorageSpacesWithFilters(ctx context.Context, filters []*stor s := settingssvc.NewPermissionService("com.owncloud.api.settings", grpcClient) _, err = s.GetPermissionByID(ctx, &settingssvc.GetPermissionByIDRequest{ - PermissionId: settingsServiceExt.ListAllSpacesPermissionID, + PermissionId: settingsServiceExt.ListSpacesPermission(0).Id, }) permissions := make(map[string]struct{}, 1) // No error means the user has the permission if err == nil { - permissions[settingsServiceExt.ListAllSpacesPermissionName] = struct{}{} + permissions[settingsServiceExt.ListSpacesPermission(0).Id] = struct{}{} } value, err := json.Marshal(permissions) if err != nil { 
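Review bot: `settingsServiceExt.CreateSpacesPermission(0).Id` constructs a complete Setting (with nested Resource and Permission messages) on every canCreateSpace call only to read a UUID, and the bare `0` is a magic constraint value whose meaning (presumably the enum's zero/unknown variant) a reader has to look up. The same pattern appears in the ListStorageSpacesWithFilters hunk on this file and in canSetSpaceQuota in the @@ -930 hunk. Since the package no longer exports the id constants, consider keeping `const CreateSpacesPermissionID = "79e13b30-3e22-11eb-bc51-0b9f0bad9a58"` next to the constructor in permissions.go (and likewise for the other ids) so callers reference the identifier without building a setting. canCreateSpace's body continues outside the hunk.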
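Review bot: The map key changes from the permission name (`ListAllSpacesPermissionName`, i.e. "Drives.List") to the permission id (`ListSpacesPermission(0).Id`), so the JSON produced by `json.Marshal(permissions)` on the next line now carries a UUID where it used to carry "Drives.List"; whatever consumes that value (not visible here, presumably the storage side deciding whether the caller may list every space) will no longer find the key it knows, which in a refactor commit looks unintended. If the name is what the consumer checks, the line should read `permissions[settingsServiceExt.ListSpacesPermission(0).Name] = struct{}{}`. A test pinning the marshalled value would catch this, because a silent key mismatch either strips an admin of the list-all-spaces right or, depending on the consumer's default, grants it to nobody or everybody. ListStorageSpacesWithFilters starts and ends outside the hunk.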
@@ -930,10 +930,10 @@ func getQuota(quota *libregraph.Quota, defaultQuota string) *storageprovider.Quo } } -func (g Graph) canSetSpaceQuota(ctx context.Context, user *userv1beta1.User, typ string) (bool, error) { - permID := settingsServiceExt.SetPersonalSpaceQuotaPermissionID +func (g Graph) canSetSpaceQuota(ctx context.Context, _ *userv1beta1.User, typ string) (bool, error) { + permID := settingsServiceExt.SetPersonalSpaceQuotaPermission(0).Id if typ == _spaceTypeProject { - permID = settingsServiceExt.SetProjectSpaceQuotaPermissionID + permID = settingsServiceExt.SetProjectSpaceQuotaPermission(0).Id } _, err := g.permissionsService.GetPermissionByID(ctx, &settingssvc.GetPermissionByIDRequest{PermissionId: permID}) if err != nil { diff --git a/services/settings/pkg/store/defaults/defaults.go b/services/settings/pkg/store/defaults/defaults.go index 5e9eb20e70..98d8e846b2 100644 --- a/services/settings/pkg/store/defaults/defaults.go +++ b/services/settings/pkg/store/defaults/defaults.go 
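Review bot: The second parameter is renamed to `_` but stays in the signature, so canSetSpaceQuota still advertises a target user it never consults while the permission lookup is made only for the caller in ctx; without a comment the next reader will assume the check is per target user. A doc comment such as `// canSetSpaceQuota reports whether the caller in ctx holds the personal or project quota permission for typ; the user argument is unused and presumably kept so existing callers compile.` would make that explicit. The function's body continues outside the hunk (the error handling after GetPermissionByID is cut off).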
@@ -8,122 +8,20 @@ import ( const ( // BundleUUIDRoleAdmin represents the admin role BundleUUIDRoleAdmin = "71881883-1768-46bd-a24d-a356a2afdf7f" - // BundleUUIDRoleSpaceAdmin represents the space admin role BundleUUIDRoleSpaceAdmin = "2aadd357-682c-406b-8874-293091995fdd" - // BundleUUIDRoleUser represents the user role. BundleUUIDRoleUser = "d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11" - // BundleUUIDRoleUserLight represents the user light role. BundleUUIDRoleUserLight = "38071a68-456a-4553-846a-fa67bf5596cc" - // BundleUUIDProfile represents the user profile BundleUUIDProfile = "2a506de7-99bd-4f0d-994e-c38e72c28fd9" - - // RoleManagementPermissionID is the hardcoded setting UUID for the role management permission - RoleManagementPermissionID string = "a53e601e-571f-4f86-8fec-d4576ef49c62" - // RoleManagementPermissionName is the hardcoded setting name for the role management permission - RoleManagementPermissionName string = "Roles.ReadWrite" - - // SettingsManagementPermissionID is the hardcoded setting UUID for the settings management permission - SettingsManagementPermissionID string = "3d58f441-4a05-42f8-9411-ef5874528ae1" - // SettingsManagementPermissionName is the hardcoded setting name for the settings management permission - SettingsManagementPermissionName string = "Settings.ReadWrite" - - // LanguageReadWriteID is the hardcoded setting UUID for the language read write all permission - LanguageReadWriteID string = "7d81f103-0488-4853-bce5-98dcce36d649" - // LanguageReadWriteName is the hardcoded setting name for the language read write all permission - LanguageReadWriteName string = "Language.ReadWrite" - - // DisableEmailNotificationsPermissionID is the hardcoded setting UUID for the disable email notifications permission - DisableEmailNotificationsPermissionID string = "ad5bb5e5-dc13-4cd3-9304-09a424564ea8" - // DisableEmailNotificationsPermissionName is the hardcoded setting name for the disable email notifications permission - 
DisableEmailNotificationsPermissionName string = "EmailNotifications.ReadWriteDisabled" - // DisableEmailNotificationsPermissionDisplayName is the hardcoded setting name for the disable email notifications permission - DisableEmailNotificationsPermissionDisplayName string = "Disable Email Notifications" - - // AutoAcceptSharesPermissionID is the hardcoded setting UUID for the disable email notifications permission - AutoAcceptSharesPermissionID string = "4e41363c-a058-40a5-aec8-958897511209" - // AutoAcceptSharesPermissionName is the hardcoded setting name for the disable email notifications permission - AutoAcceptSharesPermissionName string = "AutoAcceptShares.ReadWriteDisabled" - // AutoAcceptSharesPermissionDisplayName is the hardcoded setting name for the disable email notifications permission - AutoAcceptSharesPermissionDisplayName string = "enable/disable auto accept shares" - - // SetPersonalSpaceQuotaPermissionID is the hardcoded setting UUID for the set personal space quota permission - SetPersonalSpaceQuotaPermissionID string = "4e6f9709-f9e7-44f1-95d4-b762d27b7896" - // SetPersonalSpaceQuotaPermissionName is the hardcoded setting name for the set personal space quota permission - SetPersonalSpaceQuotaPermissionName string = "Drives.ReadWritePersonalQuota" - - // SetProjectSpaceQuotaPermissionID is the hardcoded setting UUID for the set project space quota permission - SetProjectSpaceQuotaPermissionID string = "977f0ae6-0da2-4856-93f3-22e0a8482489" - // SetProjectSpaceQuotaPermissionName is the hardcoded setting name for the set project space quota permission - SetProjectSpaceQuotaPermissionName string = "Drives.ReadWriteProjectQuota" - - // ListAllSpacesPermissionID is the hardcoded setting UUID for the list all spaces permission - ListAllSpacesPermissionID string = "016f6ddd-9501-4a0a-8ebe-64a20ee8ec82" - // ListAllSpacesPermissionName is the hardcoded setting name for the list all spaces permission - ListAllSpacesPermissionName string = "Drives.List" - 
- // CreateSpacePermissionID is the hardcoded setting UUID for the create space permission - CreateSpacePermissionID string = "79e13b30-3e22-11eb-bc51-0b9f0bad9a58" - // CreateSpacePermissionName is the hardcoded setting name for the create space permission - CreateSpacePermissionName string = "Drives.Create" - - // DeleteHomeSpacesPermissionID is the hardcoded setting UUID for the delete home space permission - DeleteHomeSpacesPermissionID string = "5de9fe0a-4bc5-4a47-b758-28f370caf169" - // DeleteHomeSpacesPermissionName is the hardcoded setting name for the delete home space permission - DeleteHomeSpacesPermissionName string = "Drives.DeletePersonal" - - // DeleteAllSpacesPermissionID is the hardcoded setting UUID for the delete all spaces permission - DeleteAllSpacesPermissionID string = "fb60b004-c1fa-4f09-bf87-55ce7d46ac61" - // DeleteAllSpacesPermissionName is the hardcoded setting name for the delete all space permission - DeleteAllSpacesPermissionName string = "Drives.DeleteProject" - - // ManageSpacePropertiesPermissionID is the hardcoded setting UUID for the manage space properties permission - ManageSpacePropertiesPermissionID string = "b44b4054-31a2-42b8-bb71-968b15cfbd4f" - // ManageSpacePropertiesPermissionName is the hardcoded setting name for the manage space properties permission - ManageSpacePropertiesPermissionName string = "Drives.ReadWrite" - - // SpaceAbilityPermissionID is the hardcoded setting UUID for the space ability permission - SpaceAbilityPermissionID string = "cf3faa8c-50d9-4f84-9650-ff9faf21aa9d" - // SpaceAbilityPermissionName is the hardcoded setting name for the space ability permission - SpaceAbilityPermissionName string = "Drives.ReadWriteEnabled" - // SettingUUIDProfileLanguage is the hardcoded setting UUID for the user profile language SettingUUIDProfileLanguage = "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f" // SettingUUIDProfileDisableNotifications is the hardcoded setting UUID for the disable notifications setting 
SettingUUIDProfileDisableNotifications = "33ffb5d6-cd07-4dc0-afb0-84f7559ae438" // SettingUUIDProfileAutoAcceptShares is the hardcoded setting UUID for the disable notifications setting SettingUUIDProfileAutoAcceptShares = "ec3ed4a3-3946-4efc-8f9f-76d38b12d3a9" - - // AccountManagementPermissionID is the hardcoded setting UUID for the account management permission - AccountManagementPermissionID string = "8e587774-d929-4215-910b-a317b1e80f73" - // AccountManagementPermissionName is the hardcoded setting name for the account management permission - AccountManagementPermissionName string = "Accounts.ReadWrite" - // GroupManagementPermissionID is the hardcoded setting UUID for the group management permission - GroupManagementPermissionID string = "522adfbe-5908-45b4-b135-41979de73245" - // GroupManagementPermissionName is the hardcoded setting name for the group management permission - GroupManagementPermissionName string = "Groups.ReadWrite" - // SelfManagementPermissionID is the hardcoded setting UUID for the self management permission - SelfManagementPermissionID string = "e03070e9-4362-4cc6-a872-1c7cb2eb2b8e" - // SelfManagementPermissionName is the hardcoded setting name for the self management permission - SelfManagementPermissionName string = "Self.ReadWrite" - - // ChangeLogoPermissionID is the hardcoded setting UUID for the change-logo permission - ChangeLogoPermissionID string = "ed83fc10-1f54-4a9e-b5a7-fb517f5f3e01" - // ChangeLogoPermissionName is the hardcoded setting name for the change-logo permission - ChangeLogoPermissionName string = "Logo.Write" - - // WritePublicLinkPermissionID is the hardcoded setting UUID for the PublicLink.Write permission - WritePublicLinkPermissionID string = "11516bbd-7157-49e1-b6ac-d00c820f980b" - // WritePublicLinkPermissionName is the hardcoded setting name for the PublicLink.Write permission - WritePublicLinkPermissionName string = "PublicLink.Write" - - // DeleteReadOnlyPublicLinkPasswordID is the hardcoded setting UUID 
for the ReadOnlyPublicLinkPassword.Delete permission - DeleteReadOnlyPublicLinkPasswordID string = "e9a697c5-c67b-40fc-982b-bcf628e9916d" - // DeleteReadOnlyPublicLinkPasswordName is the hardcoded setting name for the ReadOnlyPublicLinkPassword.Delete permission - DeleteReadOnlyPublicLinkPasswordName string = "ReadOnlyPublicLinkPassword.Delete" ) // GenerateBundlesDefaultRoles bootstraps the default roles. 
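Review bot: Removing the exported `*PermissionID`/`*PermissionName` constants leaves identifiers such as "Drives.List" and "Drives.Create" only as string literals inside the constructors in permissions.go, so nothing at compile time ties a caller that needs the bare id or name to the value the bundle publishes, and any package outside this patch that imported these constants breaks (this is patch 1/3, so later patches may cover that). Keeping the ids and names as `const` beside the constructors and having the constructors use them would preserve the refactor without losing that check. Relatedly, the `All`/`Own` replacements introduced in permissions.go are declared with `var`, so any importer can reassign `defaults.All` and silently change the constraint of every default bundle; `const` is sufficient for these enum values.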
@@ -148,280 +46,24 @@ func generateBundleAdminRole() *settingsmsg.Bundle { Type: settingsmsg.Resource_TYPE_SYSTEM, }, Settings: []*settingsmsg.Setting{ - { - Id: RoleManagementPermissionID, - Name: RoleManagementPermissionName, - DisplayName: "Role Management", - Description: "This permission gives full access to everything that is related to role management.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_USER, - Id: "all", - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: SettingsManagementPermissionID, - Name: SettingsManagementPermissionName, - DisplayName: "Settings Management", - Description: "This permission gives full access to everything that is related to settings management.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_USER, - Id: "all", - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: LanguageReadWriteID, - Name: LanguageReadWriteName, - DisplayName: "Permission to read and set the language (anyone)", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileLanguage, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: DisableEmailNotificationsPermissionID, - Name: DisableEmailNotificationsPermissionName, - DisplayName: DisableEmailNotificationsPermissionDisplayName, - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileDisableNotifications, - }, - Value: 
&settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: AutoAcceptSharesPermissionID, - Name: AutoAcceptSharesPermissionName, - DisplayName: AutoAcceptSharesPermissionDisplayName, - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileAutoAcceptShares, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: AccountManagementPermissionID, - Name: AccountManagementPermissionName, - DisplayName: "Account Management", - Description: "This permission gives full access to everything that is related to account management.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_USER, - Id: "all", - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: GroupManagementPermissionID, - Name: GroupManagementPermissionName, - DisplayName: "Group Management", - Description: "This permission gives full access to everything that is related to group management.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_GROUP, - Id: "all", - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: SetPersonalSpaceQuotaPermissionID, - Name: SetPersonalSpaceQuotaPermissionName, - DisplayName: "Set Personal Space Quota", - Description: "This permission allows managing personal space quotas.", - Resource: &settingsmsg.Resource{ - Type: 
settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: SetProjectSpaceQuotaPermissionID, - Name: SetProjectSpaceQuotaPermissionName, - DisplayName: "Set Project Space Quota", - Description: "This permission allows managing project space quotas.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: CreateSpacePermissionID, - Name: CreateSpacePermissionName, - DisplayName: "Create Space", - Description: "This permission allows creating new spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: ListAllSpacesPermissionID, - Name: ListAllSpacesPermissionName, - DisplayName: "List All Spaces", - Description: "This permission allows listing all spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READ, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: DeleteHomeSpacesPermissionID, - Name: DeleteHomeSpacesPermissionName, - DisplayName: "Delete All Home Spaces", - Description: "This permission allows deleting home spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - 
PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_DELETE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: DeleteAllSpacesPermissionID, - Name: DeleteAllSpacesPermissionName, - DisplayName: "Delete AllSpaces", - Description: "This permission allows deleting all spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_DELETE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: ChangeLogoPermissionID, - Name: ChangeLogoPermissionName, - DisplayName: "Change logo", - Description: "This permission permits to change the system logo.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: WritePublicLinkPermissionID, - Name: WritePublicLinkPermissionName, - DisplayName: "Write publiclink", - Description: "This permission allows creating public links.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SHARE, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_WRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: DeleteReadOnlyPublicLinkPasswordID, - Name: DeleteReadOnlyPublicLinkPasswordName, - DisplayName: "Delete Read-Only Public link password", - Description: "This permission permits to opt out of a public link password enforcement.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SHARE, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: 
settingsmsg.Permission_OPERATION_WRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: ManageSpacePropertiesPermissionID, - Name: ManageSpacePropertiesPermissionName, - DisplayName: "Manage space properties", - Description: "This permission allows managing space properties such as name and description.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: SpaceAbilityPermissionID, - Name: SpaceAbilityPermissionName, - DisplayName: "Space ability", - Description: "This permission allows enabling and disabling spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, + RoleManagementPermission(All), + SettingsManagementPermission(All), + LanguageManagementPermission(All), + DisableEmailNotificationsPermission(Own), + AutoAcceptSharesPermission(Own), + AccountManagementPermission(All), + GroupManagementPermission(All), + SetPersonalSpaceQuotaPermission(All), + SetProjectSpaceQuotaPermission(All), + CreateSpacesPermission(All), + ListSpacesPermission(All), + DeletePersonalSpacesPermission(All), + DeleteProjectSpacesPermission(All), + ChangeLogoPermission(All), + WritePublicLinkPermission(All), + DeleteReadOnlyPublicLinkPasswordPermission(All), + ManageSpacePropertiesPermission(All), + SpaceAbilityPermission(All), }, } } 
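Review bot: The constructor calls take only the constraint, so the role-specific wording the removed literals carried is gone: the admin bundle described the language permission as "Permission to read and set the language (anyone)" while the other roles said "(self)", and whatever DisplayName LanguageManagementPermission hard-codes (its body is beyond this chunk) now applies to every role. If a UI or acceptance tests display these strings, that is a visible change the commit message should state, or the constructors could accept the display text where it legitimately differs per role. It is also worth confirming that ListSpacesPermission keeps `Permission_OPERATION_READ` as the removed entry had, since only the DeletePersonalSpaces constructor's `OPERATION_DELETE` is visible in this chunk. generateBundleAdminRole starts before the hunk.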
@@ -437,202 +79,19 @@ func generateBundleSpaceAdminRole() *settingsmsg.Bundle { Type: settingsmsg.Resource_TYPE_SYSTEM, }, Settings: []*settingsmsg.Setting{ - { - Id: ManageSpacePropertiesPermissionID, - Name: ManageSpacePropertiesPermissionName, - DisplayName: "Manage space properties", - Description: "This permission allows managing space properties such as name and description.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: SpaceAbilityPermissionID, - Name: SpaceAbilityPermissionName, - DisplayName: "Space ability", - Description: "This permission allows enabling and disabling spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: DeleteAllSpacesPermissionID, - Name: DeleteAllSpacesPermissionName, - DisplayName: "Delete AllSpaces", - Description: "This permission allows to delete all spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_DELETE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: SetProjectSpaceQuotaPermissionID, - Name: SetProjectSpaceQuotaPermissionName, - DisplayName: "Set Project Space Quota", - Description: "This permission allows managing project space quotas.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: 
&settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: CreateSpacePermissionID, - Name: CreateSpacePermissionName, - DisplayName: "Create Space", - Description: "This permission allows creating new spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: ListAllSpacesPermissionID, - Name: ListAllSpacesPermissionName, - DisplayName: "List All Spaces", - Description: "This permission allows list all spaces.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READ, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: LanguageReadWriteID, - Name: LanguageReadWriteName, - DisplayName: "Permission to read and set the language (self)", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileLanguage, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: DisableEmailNotificationsPermissionID, - Name: DisableEmailNotificationsPermissionName, - DisplayName: DisableEmailNotificationsPermissionDisplayName, - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileDisableNotifications, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: 
settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: AutoAcceptSharesPermissionID, - Name: AutoAcceptSharesPermissionName, - DisplayName: AutoAcceptSharesPermissionDisplayName, - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileAutoAcceptShares, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: SelfManagementPermissionID, - Name: SelfManagementPermissionName, - DisplayName: "Self Management", - Description: "This permission gives access to self management.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_USER, - Id: "me", - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: CreateSpacePermissionID, - Name: CreateSpacePermissionName, - DisplayName: "Create own Space", - Description: "This permission allows creating a space owned by the current user.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, // TODO resource type space? self? me? own? 
- }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_CREATE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: WritePublicLinkPermissionID, - Name: WritePublicLinkPermissionName, - DisplayName: "Write publiclink", - Description: "This permission permits to write a public link.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SHARE, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_WRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, - { - Id: DeleteReadOnlyPublicLinkPasswordID, - Name: DeleteReadOnlyPublicLinkPasswordName, - DisplayName: "Delete Read-Only Public link password", - Description: "This permission permits to opt out of a public link password enforcement.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SHARE, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_WRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, + ManageSpacePropertiesPermission(All), + SpaceAbilityPermission(All), + DeleteProjectSpacesPermission(All), + SetProjectSpaceQuotaPermission(All), + CreateSpacesPermission(All), + ListSpacesPermission(All), + LanguageManagementPermission(Own), + DisableEmailNotificationsPermission(Own), + AutoAcceptSharesPermission(Own), + SelfManagementPermission(Own), + CreateSpacesPermission(Own), + WritePublicLinkPermission(All), + DeleteReadOnlyPublicLinkPasswordPermission(All), }, } } 
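Review bot: `CreateSpacesPermission(Own)` does not reproduce the entry it replaces: the removed literal had `Operation: settingsmsg.Permission_OPERATION_CREATE`, DisplayName "Create own Space" and its own description, while the constructor in permissions.go hard-codes `Permission_OPERATION_READWRITE`, "Create Space" and "This permission allows creating new spaces." regardless of constraint; the user role hunk below makes the same substitution. This widens the operation recorded for the user's own-space permission from create to read-write, which anything that inspects Operation rather than just the setting's presence will see, so if the refactor is meant to be behaviour-preserving the old values need a home, e.g. a dedicated constructor in permissions.go called as `CreateOwnSpacePermission(),` in place of `CreateSpacesPermission(Own),` here and in the user role. The space-admin bundle also lists the same permission id twice (All and Own) as the old code did; a comment saying why would help. generateBundleSpaceAdminRole starts before the hunk.
```go
// CreateOwnSpacePermission is the permission to create a space owned by the
// current user; it keeps the CREATE operation and OWN constraint the user and
// space-admin bundles carried before the refactor.
func CreateOwnSpacePermission() *settingsmsg.Setting {
	return &settingsmsg.Setting{
		Id:          "79e13b30-3e22-11eb-bc51-0b9f0bad9a58",
		Name:        "Drives.Create",
		DisplayName: "Create own Space",
		Description: "This permission allows creating a space owned by the current user.",
		Resource: &settingsmsg.Resource{
			Type: settingsmsg.Resource_TYPE_SYSTEM,
		},
		Value: &settingsmsg.Setting_PermissionValue{
			PermissionValue: &settingsmsg.Permission{
				Operation:  settingsmsg.Permission_OPERATION_CREATE,
				Constraint: settingsmsg.Permission_CONSTRAINT_OWN,
			},
		},
	}
}
```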
@@ -648,97 +107,12 @@ func generateBundleUserRole() *settingsmsg.Bundle { Type: settingsmsg.Resource_TYPE_SYSTEM, }, Settings: []*settingsmsg.Setting{ - { - Id: LanguageReadWriteID, - Name: LanguageReadWriteName, - DisplayName: "Permission to read and set the language (self)", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileLanguage, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: DisableEmailNotificationsPermissionID, - Name: DisableEmailNotificationsPermissionName, - DisplayName: DisableEmailNotificationsPermissionDisplayName, - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileDisableNotifications, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: AutoAcceptSharesPermissionID, - Name: AutoAcceptSharesPermissionName, - DisplayName: AutoAcceptSharesPermissionDisplayName, - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileAutoAcceptShares, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: SelfManagementPermissionID, - Name: SelfManagementPermissionName, - DisplayName: "Self Management", - Description: "This permission gives access to self management.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_USER, - Id: "me", - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: 
settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: CreateSpacePermissionID, - Name: CreateSpacePermissionName, - DisplayName: "Create own Space", - Description: "This permission allows creating a space owned by the current user.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SYSTEM, // TODO resource type space? self? me? own? - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_CREATE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: WritePublicLinkPermissionID, - Name: WritePublicLinkPermissionName, - DisplayName: "Write publiclink", - Description: "This permission permits to write a public link.", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SHARE, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_WRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_ALL, - }, - }, - }, + LanguageManagementPermission(Own), + DisableEmailNotificationsPermission(Own), + AutoAcceptSharesPermission(Own), + SelfManagementPermission(Own), + CreateSpacesPermission(Own), + WritePublicLinkPermission(All), }, } } 
@@ -754,51 +128,9 @@ func generateBundleUserLightRole() *settingsmsg.Bundle { Type: settingsmsg.Resource_TYPE_SYSTEM, }, Settings: []*settingsmsg.Setting{ - { - Id: LanguageReadWriteID, - Name: LanguageReadWriteName, - DisplayName: "Permission to read and set the language (self)", - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileLanguage, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: DisableEmailNotificationsPermissionID, - Name: DisableEmailNotificationsPermissionName, - DisplayName: DisableEmailNotificationsPermissionDisplayName, - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileDisableNotifications, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, - { - Id: AutoAcceptSharesPermissionID, - Name: AutoAcceptSharesPermissionName, - DisplayName: AutoAcceptSharesPermissionDisplayName, - Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SETTING, - Id: SettingUUIDProfileAutoAcceptShares, - }, - Value: &settingsmsg.Setting_PermissionValue{ - PermissionValue: &settingsmsg.Permission{ - Operation: settingsmsg.Permission_OPERATION_READWRITE, - Constraint: settingsmsg.Permission_CONSTRAINT_OWN, - }, - }, - }, + LanguageManagementPermission(Own), + DisableEmailNotificationsPermission(Own), + AutoAcceptSharesPermission(Own), }, } } diff --git a/services/settings/pkg/store/defaults/permissions.go b/services/settings/pkg/store/defaults/permissions.go new file mode 100644 index 0000000000..aea38bce96 --- /dev/null +++ b/services/settings/pkg/store/defaults/permissions.go 
@@ -0,0 +1,376 @@ +package defaults + +import settingsmsg "github.com/owncloud/ocis/v2/protogen/gen/ocis/messages/settings/v0" + +var ( + // All is a convenience variable to set constraint to all + All = settingsmsg.Permission_CONSTRAINT_ALL + // Own is a convenience variable to set constraint to own + Own = settingsmsg.Permission_CONSTRAINT_OWN +) + +// AccountManagementPermission is the permission to manage accounts +func AccountManagementPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "8e587774-d929-4215-910b-a317b1e80f73", + Name: "Accounts.ReadWrite", + DisplayName: "Account Management", + Description: "This permission gives full access to everything that is related to account management.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_USER, + Id: "all", + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// AutoAcceptSharesPermission is the permission to enable share auto-accept +func AutoAcceptSharesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "4e41363c-a058-40a5-aec8-958897511209", + Name: "AutoAcceptShares.ReadWriteDisabled", + DisplayName: "enable/disable auto accept shares", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SETTING, + Id: SettingUUIDProfileAutoAcceptShares, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// ChangeLogoPermission is the permission to change the logo +func ChangeLogoPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "ed83fc10-1f54-4a9e-b5a7-fb517f5f3e01", + Name: "Logo.Write", + DisplayName: "Change logo", + Description: "This 
permission permits to change the system logo.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// CreateSpacesPermission is the permission to create spaces +func CreateSpacesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "79e13b30-3e22-11eb-bc51-0b9f0bad9a58", + Name: "Drives.Create", + DisplayName: "Create Space", + Description: "This permission allows creating new spaces.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// DeletePersonalSpacesPermission is the permission to delete personal spaces +func DeletePersonalSpacesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "5de9fe0a-4bc5-4a47-b758-28f370caf169", + Name: "Drives.DeletePersonal", + DisplayName: "Delete All Home Spaces", + Description: "This permission allows deleting home spaces.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_DELETE, + Constraint: c, + }, + }, + } +} + +// DeleteProjectSpacesPermission is the permission to delete project spaces +func DeleteProjectSpacesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "fb60b004-c1fa-4f09-bf87-55ce7d46ac61", + Name: "Drives.DeleteProject", + DisplayName: "Delete AllSpaces", + Description: "This permission allows deleting all spaces.", + Resource: &settingsmsg.Resource{ + 
Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_DELETE, + Constraint: c, + }, + }, + } +} + +// DeleteReadOnlyPublicLinkPasswordPermission is the permission to delete read-only public link passwords +func DeleteReadOnlyPublicLinkPasswordPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "e9a697c5-c67b-40fc-982b-bcf628e9916d", + Name: "ReadOnlyPublicLinkPassword.Delete", + DisplayName: "Delete Read-Only Public link password", + Description: "This permission permits to opt out of a public link password enforcement.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SHARE, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_WRITE, + Constraint: c, + }, + }, + } +} + +// DisableEmailNotificationsPermission is the permission to disable email notifications +func DisableEmailNotificationsPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "ad5bb5e5-dc13-4cd3-9304-09a424564ea8", + Name: "EmailNotifications.ReadWriteDisabled", + DisplayName: "Disable Email Notifications", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SETTING, + Id: SettingUUIDProfileDisableNotifications, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// GroupManagementPermission is the permission to manage groups +func GroupManagementPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "522adfbe-5908-45b4-b135-41979de73245", + Name: "Groups.ReadWrite", + DisplayName: "Group Management", + Description: "This permission gives full access to 
everything that is related to group management.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_GROUP, + Id: "all", + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// LanguageManagementPermission is the permission to manage the language +func LanguageManagementPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "7d81f103-0488-4853-bce5-98dcce36d649", + Name: "Language.ReadWrite", + DisplayName: "Permission to read and set the language", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SETTING, + Id: SettingUUIDProfileLanguage, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// ListSpacesPermission is the permission to list spaces +func ListSpacesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "016f6ddd-9501-4a0a-8ebe-64a20ee8ec82", + Name: "Drives.List", + DisplayName: "List All Spaces", + Description: "This permission allows listing all spaces.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READ, + Constraint: c, + }, + }, + } +} + +// ManageSpacePropertiesPermission is the permission to manage space properties +func ManageSpacePropertiesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "b44b4054-31a2-42b8-bb71-968b15cfbd4f", + Name: "Drives.ReadWrite", + DisplayName: "Manage space properties", + Description: "This permission allows managing space properties such as name and description.", + Resource: 
&settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// RoleManagementPermission is the permission to manage roles +func RoleManagementPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "a53e601e-571f-4f86-8fec-d4576ef49c62", + Name: "Roles.ReadWrite", + DisplayName: "Role Management", + Description: "This permission gives full access to everything that is related to role management.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_USER, + Id: "all", + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// SelfManagementPermission is the permission to manage itself +func SelfManagementPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "e03070e9-4362-4cc6-a872-1c7cb2eb2b8e", + Name: "Self.ReadWrite", + DisplayName: "Self Management", + Description: "This permission gives access to self management.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_USER, + Id: "me", + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// SetPersonalSpaceQuotaPermission is the permission to set the quota for personal spaces +func SetPersonalSpaceQuotaPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "4e6f9709-f9e7-44f1-95d4-b762d27b7896", + Name: "Drives.ReadWritePersonalQuota", + DisplayName: "Set Personal Space Quota", + Description: "This permission allows managing personal space quotas.", + Resource: 
&settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// SetProjectSpaceQuotaPermission is the permission to set the quota for project spaces +func SetProjectSpaceQuotaPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "977f0ae6-0da2-4856-93f3-22e0a8482489", + Name: "Drives.ReadWriteProjectQuota", + DisplayName: "Set Project Space Quota", + Description: "This permission allows managing project space quotas.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// SettingsManagementPermission is the permission to manage settings +func SettingsManagementPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "3d58f441-4a05-42f8-9411-ef5874528ae1", + Name: "Settings.ReadWrite", + DisplayName: "Settings Management", + Description: "This permission gives full access to everything that is related to settings management.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_USER, + Id: "all", + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// SpaceAbilityPermission is the permission to enable or disable spaces +func SpaceAbilityPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "cf3faa8c-50d9-4f84-9650-ff9faf21aa9d", + Name: "Drives.ReadWriteEnabled", + DisplayName: "Space ability", + Description: "This permission allows enabling and disabling 
spaces.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: c, + }, + }, + } +} + +// WritePublicLinkPermission is the permission to write public links +func WritePublicLinkPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "11516bbd-7157-49e1-b6ac-d00c820f980b", + Name: "PublicLink.Write", + DisplayName: "Write publiclink", + Description: "This permission allows creating public links.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SHARE, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_WRITE, + Constraint: c, + }, + }, + } +} From 66ff22835d21a7301ac260126181bae78c9dc336 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Thu, 9 Nov 2023 13:53:29 +0100 Subject: [PATCH 2/3] add new permissions Signed-off-by: jkoberg --- changelog/unreleased/new-permissions.md | 8 +++ .../settings/pkg/store/defaults/defaults.go | 63 +++++++++------- .../pkg/store/defaults/permissions.go | 71 +++++++++++++++++-- 3 files changed, 108 insertions(+), 34 deletions(-) create mode 100644 changelog/unreleased/new-permissions.md diff --git a/changelog/unreleased/new-permissions.md b/changelog/unreleased/new-permissions.md new file mode 100644 index 0000000000..d8c5b4d6f4 --- /dev/null +++ b/changelog/unreleased/new-permissions.md 
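Review bot: `All` and `Own` are declared with `var`, which makes them exported mutable package state that every role bundle is built from; the protobuf enum values are compile-time constants, so change `var (` to `const (` and the constraint each bundle is generated with can no longer be reassigned at runtime. The constraint is now the only thing that varies between the "own" and "all" flavours of a permission: `CreateSpacesPermission` hands out the same `Id` and `Name` for both, and its `Operation` is `OPERATION_READWRITE` where the removed user-role entry in the earlier defaults.go hunk used `OPERATION_CREATE` with `CONSTRAINT_OWN`, so any consumer that resolves a permission by ID (as `canCreateSpace` in drives.go does) has to inspect the returned `Constraint` to tell the two apart — worth a comment on the constructor, e.g. `// Id and Name are shared by every constraint variant; callers must check Constraint.` Whether the old own/all variants carried distinct IDs is not visible here. Minor: `DisplayName: "Delete AllSpaces"` in `DeleteProjectSpacesPermission` is missing a space.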
@@ -0,0 +1,8 @@ +Enhancement: Add new permissions + +Adds new permissions to admin/spaceadmin/user roles + - Favorites.List allows / denies the Favorites Listing Request + - Favorites.Write is implemented to be enforced on marking/unmark files as favouritesShare + - Shares.Write permission denies / allows sharing completely for a user on all share CUD requests. (User, Group) + +https://github.com/owncloud/ocis/pull/7700 diff --git a/services/settings/pkg/store/defaults/defaults.go b/services/settings/pkg/store/defaults/defaults.go index 98d8e846b2..095a8df2fb 100644 --- a/services/settings/pkg/store/defaults/defaults.go +++ b/services/settings/pkg/store/defaults/defaults.go @@ -46,24 +46,27 @@ func generateBundleAdminRole() *settingsmsg.Bundle { Type: settingsmsg.Resource_TYPE_SYSTEM, }, Settings: []*settingsmsg.Setting{ - RoleManagementPermission(All), - SettingsManagementPermission(All), - LanguageManagementPermission(All), - DisableEmailNotificationsPermission(Own), - AutoAcceptSharesPermission(Own), AccountManagementPermission(All), - GroupManagementPermission(All), - SetPersonalSpaceQuotaPermission(All), - SetProjectSpaceQuotaPermission(All), + AutoAcceptSharesPermission(Own), + ChangeLogoPermission(All), + CreatePublicLinkPermission(All), + CreateSharePermission(All), CreateSpacesPermission(All), - ListSpacesPermission(All), DeletePersonalSpacesPermission(All), DeleteProjectSpacesPermission(All), - ChangeLogoPermission(All), - WritePublicLinkPermission(All), DeleteReadOnlyPublicLinkPasswordPermission(All), + DisableEmailNotificationsPermission(Own), + GroupManagementPermission(All), + LanguageManagementPermission(All), + ListFavoritesPermission(Own), + ListSpacesPermission(All), ManageSpacePropertiesPermission(All), + RoleManagementPermission(All), + SetPersonalSpaceQuotaPermission(All), + SetProjectSpaceQuotaPermission(All), + SettingsManagementPermission(All), SpaceAbilityPermission(All), + WriteFavoritesPermission(Own), }, } } 
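Review bot: Alphabetical reordering and the new entries land in the same hunk, so the net change to the admin bundle cannot be read off the diff; reconciling the old and new lists by hand, nothing is dropped — `WritePublicLinkPermission(All)` reappears as `CreatePublicLinkPermission(All)` with the same Id per the permissions.go hunk, and `CreateSharePermission(All)`, `ListFavoritesPermission(Own)` and `WriteFavoritesPermission(Own)` are the genuine additions. Landing the reorder as its own commit would make future audits of role changes much cheaper; the same applies to the space-admin and user hunks that follow.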
@@ -79,19 +82,22 @@ func generateBundleSpaceAdminRole() *settingsmsg.Bundle { Type: settingsmsg.Resource_TYPE_SYSTEM, }, Settings: []*settingsmsg.Setting{ - ManageSpacePropertiesPermission(All), - SpaceAbilityPermission(All), - DeleteProjectSpacesPermission(All), - SetProjectSpaceQuotaPermission(All), - CreateSpacesPermission(All), - ListSpacesPermission(All), - LanguageManagementPermission(Own), - DisableEmailNotificationsPermission(Own), AutoAcceptSharesPermission(Own), - SelfManagementPermission(Own), + CreatePublicLinkPermission(All), + CreateSharePermission(All), + CreateSpacesPermission(All), CreateSpacesPermission(Own), - WritePublicLinkPermission(All), + DeleteProjectSpacesPermission(All), DeleteReadOnlyPublicLinkPasswordPermission(All), + DisableEmailNotificationsPermission(Own), + LanguageManagementPermission(Own), + ListFavoritesPermission(Own), + ListSpacesPermission(All), + ManageSpacePropertiesPermission(All), + SelfManagementPermission(Own), + SetProjectSpaceQuotaPermission(All), + SpaceAbilityPermission(All), + WriteFavoritesPermission(Own), }, } } @@ -107,12 +113,15 @@ func generateBundleUserRole() *settingsmsg.Bundle { Type: settingsmsg.Resource_TYPE_SYSTEM, }, Settings: []*settingsmsg.Setting{ - LanguageManagementPermission(Own), - DisableEmailNotificationsPermission(Own), AutoAcceptSharesPermission(Own), - SelfManagementPermission(Own), + CreatePublicLinkPermission(All), + CreateSharePermission(All), CreateSpacesPermission(Own), - WritePublicLinkPermission(All), + DisableEmailNotificationsPermission(Own), + LanguageManagementPermission(Own), + ListFavoritesPermission(Own), + SelfManagementPermission(Own), + WriteFavoritesPermission(Own), }, } } 
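Review bot: The space-admin bundle carries both `CreateSpacesPermission(All)` and `CreateSpacesPermission(Own)`, which are two Settings with the same `Id` (`79e13b30-…`) and `Name` (`Drives.Create`) differing only in `Constraint`; which of them a by-ID lookup returns is not determined by anything in this diff, so an `Own` answer could shadow the `All` grant or the other way round. If `All` is meant to subsume `Own`, drop the `CreateSpacesPermission(Own),` line; otherwise a comment on the pair stating which entry wins and why both are needed is required.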
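Review bot: The user bundle grants `CreatePublicLinkPermission(All)` and `CreateSharePermission(All)` while every other entry in it is `Own`; since the changelog in this patch presents Shares.Write as the switch that allows or denies sharing for a user, the `All` constraint here is easy to misread as a system-wide grant. A short comment on these two lines saying what `All` means for a share permission (presumably the per-resource authorization happens in the share or storage service, which is not part of this diff) would prevent that misreading.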
@@ -128,9 +137,9 @@ func generateBundleUserLightRole() *settingsmsg.Bundle {
 Type: settingsmsg.Resource_TYPE_SYSTEM,
 },
 Settings: []*settingsmsg.Setting{
-LanguageManagementPermission(Own),
-DisableEmailNotificationsPermission(Own),
 AutoAcceptSharesPermission(Own),
+DisableEmailNotificationsPermission(Own),
+LanguageManagementPermission(Own),
 },
 }
 }
diff --git a/services/settings/pkg/store/defaults/permissions.go b/services/settings/pkg/store/defaults/permissions.go
index aea38bce96..432c6563e9 100644
--- a/services/settings/pkg/store/defaults/permissions.go
+++ b/services/settings/pkg/store/defaults/permissions.go
@@ -67,6 +67,44 @@ func ChangeLogoPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Sett } } +// CreatePublicLinkPermission is the permission to create public links +func CreatePublicLinkPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "11516bbd-7157-49e1-b6ac-d00c820f980b", + Name: "PublicLink.Write", + DisplayName: "Write publiclink", + Description: "This permission allows creating public links.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SHARE, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_WRITE, + Constraint: c, + }, + }, + } +} + +// CreateSharePermission is the permission to create shares +func CreateSharePermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "069c08b1-e31f-4799-9ed6-194b310e7244", + Name: "Shares.Write", + DisplayName: "Write share", + Description: "This permission allows creating shares.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SHARE, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_WRITE, + Constraint: c, + }, + }, + } +} + // CreateSpacesPermission is the permission to create spaces func CreateSpacesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { return &settingsmsg.Setting{ 
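Review bot: `CreateSharePermission`'s `Description` says the permission allows creating shares, but the changelog in this same patch says Shares.Write is enforced on all share create/update/delete requests; the description is the text operators see when assigning roles, so it should state the full scope, e.g. `Description: "This permission allows creating, updating and deleting shares.",` (the enforcement itself is outside this diff, so confirm the scope before changing the text). `CreatePublicLinkPermission` reuses the Id and Name of `WritePublicLinkPermission` from the first patch, which keeps already-stored role data valid; a one-line comment such as `// Id is kept identical to the former WritePublicLinkPermission on purpose.` would stop a later reader from treating the duplicated UUID as a copy-paste error.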
@@ -201,6 +239,25 @@ func LanguageManagementPermission(c settingsmsg.Permission_Constraint) *settings } } +// ListFavoritesPermission is the permission to list favorites +func ListFavoritesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { + return &settingsmsg.Setting{ + Id: "4ebaa725-bfaa-43c5-9817-78bc9994bde4", + Name: "Favorites.List", + DisplayName: "List Favorites", + Description: "This permission allows listing favorites.", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SYSTEM, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READ, + Constraint: c, + }, + }, + } +} + // ListSpacesPermission is the permission to list spaces func ListSpacesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { return &settingsmsg.Setting{ @@ -356,15 +413,15 @@ func SpaceAbilityPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Se } } -// WritePublicLinkPermission is the permission to write public links -func WritePublicLinkPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { +// WriteFavoritesPermission is the permission to mark/unmark files as favorites +func WriteFavoritesPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting { return &settingsmsg.Setting{ - Id: "11516bbd-7157-49e1-b6ac-d00c820f980b", - Name: "PublicLink.Write", - DisplayName: "Write publiclink", - Description: "This permission allows creating public links.", + Id: "a54778fd-1c45-47f0-892d-655caf5236f2", + Name: "Favorites.Write", + DisplayName: "Write Favorites", + Description: "This permission allows marking files as favorites.", Resource: &settingsmsg.Resource{ - Type: settingsmsg.Resource_TYPE_SHARE, + Type: settingsmsg.Resource_TYPE_FILE, }, Value: &settingsmsg.Setting_PermissionValue{ PermissionValue: &settingsmsg.Permission{ From 3629babb7ed8e88463383eba30fe77ec3ab9f571 Mon Sep 17 00:00:00 2001 
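Review bot: `ListFavoritesPermission` uses `Resource_TYPE_SYSTEM` while `WriteFavoritesPermission` in the next hunk uses `Resource_TYPE_FILE`, although both are granted with `Own` in every role and describe the same per-user favorites feature; with a SYSTEM resource type the meaning of an `Own` constraint is not obvious. Either align the two resource types or add a comment on the `Resource` field explaining why listing is a system-level resource while marking is file-level.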
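Review bot: `WriteFavoritesPermission` is produced by editing `WritePublicLinkPermission` in place, so the `Value` block that sets its `Operation` lies beyond the end of the hunk and is inherited unchanged from the public-link body (`OPERATION_WRITE` per the first patch); the function continues past the hunk. A permission with a new Id, name and resource type reads better as an added function than as a rewrite of an unrelated one, and the doc comment could make the inherited operation explicit, e.g. `// WriteFavoritesPermission is the permission to mark/unmark files as favorites (write operation on a file resource).` — verify that the inherited operation is the intended one.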
From: jkoberg
Date: Mon, 13 Nov 2023 11:00:05 +0100
Subject: [PATCH 3/3] use name instead id for map

Signed-off-by: jkoberg
---
 services/graph/pkg/service/v0/drives.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/graph/pkg/service/v0/drives.go b/services/graph/pkg/service/v0/drives.go
index 9901b2c2fd..d22e48de1f 100644
--- a/services/graph/pkg/service/v0/drives.go
+++ b/services/graph/pkg/service/v0/drives.go
@@ -592,7 +592,7 @@ func (g Graph) ListStorageSpacesWithFilters(ctx context.Context, filters []*stor
 permissions := make(map[string]struct{}, 1)
 // No error means the user has the permission
 if err == nil {
-permissions[settingsServiceExt.ListSpacesPermission(0).Id] = struct{}{}
+permissions[settingsServiceExt.ListSpacesPermission(0).Name] = struct{}{}
 }
 value, err := json.Marshal(permissions)
 if err != nil {
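Review bot: `settingsServiceExt.ListSpacesPermission(0).Name` builds a full `Setting` with nested `Resource` and `Permission` messages on every request just to read a fixed string, and passes a zero constraint as a dummy argument; the Id and Name of each permission are constants and deserve to be exposed as such (e.g. a `ListSpacesPermissionName` const next to the constructor) so this line becomes `permissions[settingsServiceExt.ListSpacesPermissionName] = struct{}{}`. Switching the map key from `.Id` to `.Name` also changes what the JSON-marshalled `value` carries to whatever consumes it, which is outside this hunk; confirm that the consumer matches on `Drives.List` and record the convention in the existing comment, e.g. `// No error means the user has the permission; keys are permission names (e.g. Drives.List), not IDs`. The enclosing function starts and ends outside the hunk.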