fix: always permit to create internal links

cs3org · Jun 3, 2024 · 4ec7ca5 · 4ec7ca5
1 parent b87392d
commit 4ec7ca5
Showing 1 changed file with 20 additions and 12 deletions.
diff --git a/internal/grpc/services/publicshareprovider/publicshareprovider.go b/internal/grpc/services/publicshareprovider/publicshareprovider.go
@@ -236,7 +236,7 @@ func (s *service) CreatePublicShare(ctx context.Context, req *link.CreatePublicS
 	}
 
 	// check that user has share permissions
-	if !sRes.GetInfo().GetPermissionSet().AddGrant {
+	if !isInternalLink && !sRes.GetInfo().GetPermissionSet().AddGrant {
 		return &link.CreatePublicShareResponse{
 			Status: status.NewInvalidArg(ctx, "no share permission"),
 		}, nil
@@ -480,14 +480,12 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
 
 	isInternalLink := isInternalLink(req, ps)
 
-	// users should always be able to downgrade links to internal links
-	// when they are the creator of the link
-	// all other users should have the WritePublicLink permission
-	if !isInternalLink && !publicshare.IsCreatedByUser(*ps, user) {
+	// check if the user has the permission in the user role
+	if !publicshare.IsCreatedByUser(*ps, user) {
 		canWriteLink, err := utils.CheckPermission(ctx, permission.WritePublicLink, gatewayClient)
 		if err != nil {
 			return &link.UpdatePublicShareResponse{
-				Status: status.NewInternal(ctx, "error loading public share"),
+				Status: status.NewInternal(ctx, "error checking permission to write public share"),
 			}, err
 		}
 		if !canWriteLink {
@@ -504,8 +502,14 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
 			Status: status.NewInternal(ctx, "failed to stat shared resource"),
 		}, err
 	}
+	if sRes.Status.Code != rpc.Code_CODE_OK {
+		return &link.UpdatePublicShareResponse{
+			Status: sRes.GetStatus(),
+		}, nil
 
-	if !publicshare.IsCreatedByUser(*ps, user) {
+	}
+
+	if !isInternalLink && !publicshare.IsCreatedByUser(*ps, user) {
 		if !sRes.GetInfo().GetPermissionSet().UpdateGrant {
 			return &link.UpdatePublicShareResponse{
 				Status: status.NewPermissionDenied(ctx, nil, "no permission to update public share"),
@@ -550,12 +554,16 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
 	}
 
 	// enforce password if needed
-	canOptOut, err := utils.CheckPermission(ctx, permission.DeleteReadOnlyPassword, gatewayClient)
-	if err != nil {
-		return &link.UpdatePublicShareResponse{
-			Status: status.NewInternal(ctx, err.Error()),
-		}, nil
+	var canOptOut bool
+	if !isInternalLink {
+		canOptOut, err = utils.CheckPermission(ctx, permission.DeleteReadOnlyPassword, gatewayClient)
+		if err != nil {
+			return &link.UpdatePublicShareResponse{
+				Status: status.NewInternal(ctx, err.Error()),
+			}, nil
+		}
 	}
+
 	updatePassword := req.GetUpdate().GetType() == link.UpdatePublicShareRequest_Update_TYPE_PASSWORD
 	setPassword := grant.GetPassword()