fix: permission check in public share update

changelog/unreleased/fix-public-share-update.md

@@ -0,0 +1,6 @@
+Bugfix: Fix public share update
+
+We fixed the permission check for updating public shares. When updating the permissions of a public share while not providing a password, the check must be against the new permissions to take into account that users can opt out only for view permissions.
+
+https://github.com/cs3org/reva/pull/4626
+https://github.com/cs3org/reva/pull/4622

internal/grpc/services/publicshareprovider/publicshareprovider.go

@@ -554,12 +554,24 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
 	}
 	updatePassword := req.GetUpdate().GetType() == link.UpdatePublicShareRequest_Update_TYPE_PASSWORD
 	setPassword := grant.GetPassword()
+
+	// we update permissions with an empty password and password is not set on the public share
+	emptyPasswordInPermissionUpdate := len(setPassword) == 0 && updatePermissions && !ps.PasswordProtected
+
+	// password is updated, we use the current permissions to check if the user can opt out
 	if updatePassword && !isInternalLink && enforcePassword(canOptOut, ps.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
 		return &link.UpdatePublicShareResponse{
 			Status: status.NewInvalidArg(ctx, "password protection is enforced"),
 		}, nil
 	}
 
+	// permissions are updated, we use the new permissions to check if the user can opt out
+	if emptyPasswordInPermissionUpdate && !isInternalLink && enforcePassword(canOptOut, grant.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
+		return &link.UpdatePublicShareResponse{
+			Status: status.NewInvalidArg(ctx, "password protection is enforced"),
+		}, nil
+	}
+
 	// validate password policy
 	if updatePassword && len(setPassword) > 0 {
 		if err := s.passwordValidator.Validate(setPassword); err != nil {