introduce a new role "uploader-only" that has no download permissions
This is needed since the "uploader" role now also contains download and
list container permissions.
rhafer committed May 16, 2024
1 parent c451d8e commit ed3e99d
Showing 3 changed files with 20 additions and 4 deletions.
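--- a/pkg/cbox/utils/conversions.go
+++ b/pkg/cbox/utils/conversions.go
@@ -152,7 +152,7 @@ func IntTosharePerm(p int, itemType string) *provider.ResourcePermissions {
 }
 return conversions.NewFileEditorRole().CS3ResourcePermissions()
 case 4:
-return conversions.NewUploaderRole().CS3ResourcePermissions()
+return conversions.NewUploaderOnlyRole().CS3ResourcePermissions()
 default:
 // TODO we may have other options, for now this is a denial
 return &provider.ResourcePermissions{}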
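Review bot: `case 4:` in IntTosharePerm has no comment saying which stored permission value it stands for, and it now decides whether a share can download, so the intent should be written down, for example `// 4: upload without download or listing (uploader-only)`. If this package also converts ResourcePermissions back to the integer (not visible here), that direction should return 4 for the new grant set, otherwise re-saving a share could store a wider value than was granted. IntTosharePerm starts and ends outside the hunk.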
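--- a/pkg/conversions/role.go
+++ b/pkg/conversions/role.go
@@ -48,8 +48,10 @@ const (
 RoleFileEditor = "file-editor"
 // RoleCoowner grants co-owner permissions on a resource.
 RoleCoowner = "coowner"
-// RoleUploader grants uploader permission to upload onto a resource.
+// RoleUploader grants uploader permission to upload/download onto a resource.
 RoleUploader = "uploader"
+// RoleUploader grants uploader permission to upload onto a resource (no download).
+RoleUploaderOnly = "uploader-only"
 // RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
 RoleManager = "manager"
 // RoleSecureViewer grants secure view permissions on a resource or space.
@@ -330,6 +332,20 @@ func NewUploaderRole() *Role {
 }
 }
 
+// NewUploaderOnlyRole creates an uploader role with no download permissions
+func NewUploaderOnlyRole() *Role {
+return &Role{
+Name: RoleUploaderOnly,
+cS3ResourcePermissions: &provider.ResourcePermissions{
+Stat: true,
+GetPath: true,
+CreateContainer: true,
+InitiateFileUpload: true,
+},
+ocsPermissions: PermissionCreate,
+}
+}
+
 // NewNoneRole creates a role with no permissions
 func NewNoneRole() *Role {
 return &Role{
@@ -391,7 +407,7 @@ func RoleFromOCSPermissions(p Permissions, ri *provider.ResourceInfo) *Role {
 return NewNoneRole()
 // Uploader
 case p == PermissionCreate:
-return NewUploaderRole()
+return NewUploaderOnlyRole()
 // Viewer/SpaceViewer
 case p == PermissionRead:
 if isSpaceRoot(ri) {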
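Review bot: In RoleFromOCSPermissions the `p == PermissionCreate` case now returns NewUploaderOnlyRole, so every share stored with only the create bit resolves to the no-download role, while the `// Uploader` comment above the case is stale. If NewUploaderRole also keeps `ocsPermissions: PermissionCreate` (its body is outside the hunk), the two roles cannot be told apart on the OCS side and an "uploader" share would be read back as uploader-only; confirm that is intended and replace the case comment with something like `// Uploader-only: the create bit alone never implies download or listing`. The new constant's doc comment names the wrong identifier and should read `// RoleUploaderOnly grants permission to upload onto a resource (no download).`. A unit test asserting that NewUploaderOnlyRole leaves `InitiateFileDownload` and `ListContainer` false would stop the boundary drifting in a later edit. RoleFromOCSPermissions continues outside the hunk.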
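--- a/pkg/storage/utils/eosfs/eosfs.go
+++ b/pkg/storage/utils/eosfs/eosfs.go
@@ -2129,7 +2129,7 @@ func (fs *eosfs) permissionSet(ctx context.Context, eosFileInfo *eosclient.FileI
 if string(publicShare.Value) == "editor" {
 return conversions.NewEditorRole().CS3ResourcePermissions()
 } else if string(publicShare.Value) == "uploader" {
-return conversions.NewUploaderRole().CS3ResourcePermissions()
+return conversions.NewUploaderOnlyRole().CS3ResourcePermissions()
 }
 // Default to viewer role
 return conversions.NewViewerRole().CS3ResourcePermissions()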
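Review bot: A stored value of `"uploader-only"` has no branch in permissionSet and would fall through to the viewer default, which presumably includes read access, the opposite of what the new role is for. Whether that value can ever be written to this attribute is not visible here, so treat this as a precaution and match it explicitly, e.g. `} else if v := string(publicShare.Value); v == "uploader" || v == conversions.RoleUploaderOnly {`. The literal `"uploader"` now yields a role whose name is `uploader-only`, so a comment such as `// legacy "uploader" public shares are upload-only: no download, no listing` would keep someone from switching it back to NewUploaderRole. permissionSet starts and ends outside the hunk.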
