Revert changes to "uploader" role and introduce "editor-lite"

The "uploader" role is really meant to be an upload-only role. It is use e.g. to assemble the permissions for a "secret-file-drop" public link. To reflect the needs for the Uploader user-sharing role, which is allowed to upload/download but not delete, we now introduce the "editor-lite" role.
butonic · May 21, 2024 · 57743c6 · 57743c6
1 parent c451d8e
commit 57743c6
Showing 1 changed file with 24 additions and 5 deletions.
diff --git a/pkg/conversions/role.go b/pkg/conversions/role.go
@@ -48,7 +48,9 @@ const (
 	RoleFileEditor = "file-editor"
 	// RoleCoowner grants co-owner permissions on a resource.
 	RoleCoowner = "coowner"
-	// RoleUploader grants uploader permission to upload onto a resource.
+	// RoleEditorLite grants permission to upload and download to a resource.
+	RoleEditorLite = "editor-lite"
+	// RoleUploader grants uploader permission to upload onto a resource (no download).
 	RoleUploader = "uploader"
 	// RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
 	RoleManager = "manager"
@@ -313,10 +315,10 @@ func NewCoownerRole() *Role {
 	}
 }
 
-// NewUploaderRole creates an uploader role
-func NewUploaderRole() *Role {
+// NewEditorLiteRole creates an editor-lite role
+func NewEditorLiteRole() *Role {
 	return &Role{
-		Name: RoleUploader,
+		Name: RoleEditorLite,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
 			Stat:                 true,
 			GetPath:              true,
@@ -330,6 +332,20 @@ func NewUploaderRole() *Role {
 	}
 }
 
+// NewUploaderRole creates an uploader role with no download permissions
+func NewUploaderRole() *Role {
+	return &Role{
+		Name: RoleUploader,
+		cS3ResourcePermissions: &provider.ResourcePermissions{
+			Stat:               true,
+			GetPath:            true,
+			CreateContainer:    true,
+			InitiateFileUpload: true,
+		},
+		ocsPermissions: PermissionCreate,
+	}
+}
+
 // NewNoneRole creates a role with no permissions
 func NewNoneRole() *Role {
 	return &Role{
@@ -389,7 +405,7 @@ func RoleFromOCSPermissions(p Permissions, ri *provider.ResourceInfo) *Role {
 	// Invalid
 	case p == PermissionInvalid:
 		return NewNoneRole()
-	// Uploader
+	// StrictUploader
 	case p == PermissionCreate:
 		return NewUploaderRole()
 	// Viewer/SpaceViewer
@@ -527,6 +543,9 @@ func RoleFromResourcePermissions(rp *provider.ResourcePermissions, islink bool)
 		}
 	}
 	if r.ocsPermissions == PermissionCreate {
+		if rp.GetPath && rp.InitiateFileDownload && rp.ListContainer && rp.Move {
+			r.Name = RoleEditorLite
+		}
 		r.Name = RoleUploader
 		return r
 	}