[server][core] Improve permissions to be composable

2026-05-01 09:40:30 -05:00 · 2024-10-22 13:10:42 +05:30
parent 8cb912739b
commit af3285d256
10 changed files with 69 additions and 51 deletions
@@ -31,17 +31,9 @@ func setupChpermCommand() *cobra.Command {
 				os.Exit(1)
 			}

-			permission := fs.PermissionNone
-			switch args[2] {
-			case "none":
-			case "read":
-				permission = fs.PermissionReadOnly
-			case "write":
-				permission = fs.PermissionReadWrite
-			case "share":
-				permission = fs.PermissionReadWriteShare
-			default:
-				fmt.Println("cannot update permissions for '" + pathOrUUID + "': unrecognized permission: " + args[2])
+			permission, err := fs.ParsePermissionString(args[2])
+			if err != nil {
+				fmt.Println("cannot update permissions for '" + pathOrUUID + "': " + err.Error())
 				os.Exit(1)
 			}

@@ -25,8 +25,7 @@ func setupLsCommand() *cobra.Command {
 				os.Exit(1)
 			}

-			fmt.Println(r.Path)
-			fmt.Println(r.InheritedPermissions)
+			fmt.Println(r.Path + " (" + r.InheritedPermissions + ")")
 			fmt.Println(formatRow(r.ID.String(), formatSize(r.ContentSize), r.ContentSHA256, ".", r.Permissions))

 			if r.Dir {
@@ -110,7 +110,7 @@ func setupUserAddCommand() *cobra.Command {
 					if err != nil {
 						return err
 					}
-					if _, err := rootFS.UpdatePermissions(home, u.Username, fs.PermissionReadWriteShare); err != nil {
+					if _, err := rootFS.UpdatePermissions(home, u.Username, fs.PermissionRead|fs.PermissionWrite|fs.PermissionShare); err != nil {
 						return err
 					}
 					return userManager.UpdateUserHome(u, home.ID)
@@ -20,7 +20,7 @@ func (f filesystem) Move(r Resource, target string, overwrite bool) (Resource, b
 	if err != nil {
 		return Resource{}, false, err
 	}
-	if parent.UserPermissions < PermissionReadWrite {
+	if !parent.hasPermission(PermissionRead | PermissionWrite) {
 		return Resource{}, false, ErrInsufficientPermissions
 	}

@@ -32,7 +32,7 @@ func (f filesystem) Move(r Resource, target string, overwrite bool) (Resource, b
 		}
 		return Resource{}, false, err
 	}
-	if destParent.UserPermissions < PermissionReadWrite {
+	if destParent.hasPermission(PermissionWrite) {
 		return Resource{}, false, ErrInsufficientPermissions
 	}
 	if res, err := f.db.ResourceByID(f.ctx, db.ResourceByIDParams{Root: r.ID, ResourceID: destParent.ID, Username: f.username}); err != nil || res.Found {
@@ -73,9 +73,9 @@ func (f filesystem) Move(r Resource, target string, overwrite bool) (Resource, b
 				ContentSHA256: r.ContentSha256,
 				Permissions:   string(r.Permissions),
 				// Not Needed
-				// Path:                 "",
-				// UserPermissions:      0,
-				// InheritedPermissions: "",
+				// Path:                 ??,
+				// UserPermissions:      ??,
+				// InheritedPermissions: ??,
 			}
 			return nil
 		}
@@ -84,7 +84,7 @@ func (f filesystem) Move(r Resource, target string, overwrite bool) (Resource, b

 func (f filesystem) Copy(src Resource, target string, id uuid.UUID, recursive, overwrite bool) (Resource, bool, error) {
 	// Check source directory permissions
-	if src.UserPermissions < PermissionReadOnly {
+	if !src.hasPermission(PermissionRead) {
 		return Resource{}, false, ErrInsufficientPermissions
 	}

@@ -100,7 +100,7 @@ func (f filesystem) Copy(src Resource, target string, id uuid.UUID, recursive, o
 		return Resource{}, false, ErrResourceNotCollection

 	}
-	if destParent.UserPermissions < PermissionReadWrite {
+	if !destParent.hasPermission(PermissionWrite) {
 		return Resource{}, false, ErrInsufficientPermissions
 	}

@@ -194,9 +194,9 @@ func (f filesystem) Copy(src Resource, target string, id uuid.UUID, recursive, o
 		ContentSHA256: src.ContentSHA256,
 		Permissions:   "{}",
 		// Not Needed
-		// UserPermissions:      src.UserPermissions,
-		// InheritedPermissions: src.InheritedPermissions,
-		// Path:                 src.Path + "/" + destName,
+		// UserPermissions:      ??
+		// InheritedPermissions: ??
+		// Path:                 destParent.Path + "/" + destName,
 	}
 	return dest, deleted, err
 }
@@ -34,7 +34,7 @@ func (f filesystem) CreateMemberResource(r Resource, id uuid.UUID, name string,
 	if !r.Dir {
 		return Resource{}, ErrResourceNotCollection
 	}
-	if r.UserPermissions < PermissionReadWrite {
+	if !r.hasPermission(PermissionWrite) {
 		return Resource{}, ErrInsufficientPermissions
 	}
 	if name == "" || checkNameInvalid(name) {
@@ -37,7 +37,7 @@ func (f filesystem) DeleteChildRecursive(r Resource, name string, hardDelete boo
 }

 func (f filesystem) DeleteRecursive(r Resource, hardDelete bool) error {
-	if r.UserPermissions < PermissionReadWrite {
+	if !r.hasPermission(PermissionWrite) {
 		return ErrInsufficientPermissions
 	}
 	// TODO: versioning
@@ -30,7 +30,7 @@ func (f filesystem) ResourceByPath(path string) (Resource, error) {
 func (f filesystem) ResourceByID(id uuid.UUID) (Resource, error) {
 	r, err := f.db.ResourceByID(f.ctx, db.ResourceByIDParams{Root: f.rootID, ResourceID: id, Username: f.username})
 	// TODO: verify found
-	if err == pgx.ErrNoRows || !r.Found || r.UserPermission == 0 {
+	if err == pgx.ErrNoRows || !r.Found || (r.UserPermission&PermissionRead == 0) {
 		err = ErrResourceNotFound
 	}
 	if err != nil {
@@ -8,14 +8,14 @@ import (
 )

 func (f filesystem) OpenRead(r Resource, start, length int64) (io.ReadCloser, error) {
-	if r.UserPermissions < PermissionReadOnly {
+	if !r.hasPermission(PermissionRead) {
 		return nil, ErrInsufficientPermissions
 	}
 	return f.cs.OpenRead(r.ID, start, length)
 }

 func (f filesystem) OpenWrite(r Resource) (io.WriteCloser, error) {
-	if r.UserPermissions < PermissionReadWrite {
+	if !r.hasPermission(PermissionWrite) {
 		return nil, ErrInsufficientPermissions
 	}
 	return f.cs.OpenWrite(r.ID, sha256.New, func(len int, sum, mime string) error {
@@ -29,7 +29,7 @@ func (f filesystem) OpenWrite(r Resource) (io.WriteCloser, error) {
 }

 func (f filesystem) ReadDir(r Resource, recursive bool) ([]Resource, error) {
-	if r.UserPermissions < PermissionReadOnly {
+	if !r.hasPermission(PermissionRead) {
 		return nil, ErrInsufficientPermissions
 	}
 	if !r.Dir {
@@ -1,26 +1,54 @@
 package fs

-import "fmt"
+import (
+	"errors"
+	"fmt"
+)

 type Permission = int32

 const (
-	PermissionNone           = Permission(0)
-	PermissionReadOnly       = Permission(3)
-	PermissionReadWrite      = Permission(31)
-	PermissionReadWriteShare = Permission(127)
+	PermissionNone  = Permission(0)
+	PermissionRead  = Permission(4)
+	PermissionWrite = Permission(32)
+	PermissionShare = Permission(128)
+	PermissionSU    = Permission(-1)
 )

-func PermissionString(p Permission) string {
-	switch p {
-	case PermissionNone:
-		return "none"
-	case PermissionReadOnly:
-		return "read"
-	case PermissionReadWrite:
-		return "write"
-	case PermissionReadWriteShare:
-		return "share"
-	}
-	return fmt.Sprintf("Unknown Permission (%d)", p)
+func (r Resource) hasPermission(p Permission) bool {
+	return (r.UserPermissions & p) != 0
+}
+
+func PermissionString(p Permission) string {
+	if p == PermissionSU {
+		return "su"
+	}
+	str := ""
+	if p|PermissionRead != 0 {
+		str += "r"
+	}
+	if p|PermissionWrite != 0 {
+		str += "w"
+	}
+	if p|PermissionShare != 0 {
+		str += "s"
+	}
+	if p != 0 {
+		str += fmt.Sprintf("u%d", p)
+	}
+	return str
+}
+
+func ParsePermissionString(s string) (Permission, error) {
+	switch s {
+	case "none":
+		return PermissionNone, nil
+	case "read":
+		return PermissionRead, nil
+	case "write":
+		return PermissionRead | PermissionWrite, nil
+	case "share":
+		return PermissionRead | PermissionWrite | PermissionShare, nil
+	}
+	return PermissionNone, errors.New("unrecognized permission: " + s)
 }
@@ -35,12 +35,11 @@ func (f filesystem) UpdateName(r Resource, name string) (Resource, error) {
 }

 func (f filesystem) UpdatePermissions(r Resource, username string, permission Permission) (Resource, error) {
-	if r.UserPermissions < PermissionReadWriteShare {
+	if !r.hasPermission(PermissionShare) {
 		return Resource{}, ErrInsufficientPermissions
 	}
-	if permission > PermissionReadWriteShare {
-		permission = PermissionReadWriteShare
-	}
+	// Do not grant more than what you have
+	permission = permission & r.UserPermissions

 	var res db.Resource
 	var err error