The recipient of internal share should not increase permission

[sharidas]

The recipient of internal share, should not be able
to increase the permission.

Signed-off-by: Sujith H sharidasan@owncloud.com

Description

When an internal/regular share is created by say user1 to user2, the user2 should not be allowed to increase the permissions granted by user1. The UI prevents it. But by using ocs api, its possible to increase the permision. This pr addresses the issue.

Related Issue

• Fixes

Motivation and Context

The user who is not the owner of the share shouldn't be allowed to increase the permission of the share.

How Has This Been Tested?

• Create 3 users user1, user2 and user3
• As user1 create folder testFolder/subFolder
• As user1 share testFolder to user2 with permission can share and uncheck can edit ( i.e, readonly )
• Now as user2 try to reshare testFolder/subFolder to user3
• Execute the command

 sujith@sujith-ownCloud  ~  curl -u user2:1 'http://localhost/testing/ocs/v2.php/apps/files_sharing/api/v1/shares/share_id' --request PUT --data 'permissions=21'                           
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>failure</status>
  <statuscode>404</statuscode>
  <message>Cannot change permission of /subFolder</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data/>
</ocs>
 sujith@sujith-ownCloud  ~  curl -u user2:1 'http://localhost/testing/ocs/v2.php/apps/files_sharing/api/v1/shares/share_id' --request PUT --data 'permissions=31'                           
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>failure</status>
  <statuscode>404</statuscode>
  <message>Cannot change permission of /subFolder</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data/>
</ocs>
 sujith@sujith-ownCloud  ~ 

• Similarly when a file is shared with can share and readonly permission by user1 to user2, and user2 reshares to user3, when the command is executed for the share of user2:

sujith@sujith-ownCloud  ~  curl -u user2:1 'http://localhost/testing/ocs/v2.php/apps/files_sharing/api/v1/shares/5' --request PUT --data 'permissions=21'
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>failure</status>
  <statuscode>404</statuscode>
  <message>Cannot change permission of /a.txt</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data/>
</ocs>
 sujith@sujith-ownCloud  ~  curl -u user2:1 'http://localhost/testing/ocs/v2.php/apps/files_sharing/api/v1/shares/5' --request PUT --data 'permissions=31'                           
<?xml version="1.0"?>
<ocs>
 <meta>
  <status>failure</status>
  <statuscode>404</statuscode>
  <message>Cannot change permission of /a.txt</message>
  <totalitems></totalitems>
  <itemsperpage></itemsperpage>
 </meta>
 <data/>
</ocs>
 sujith@sujith-ownCloud  ~ 

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Database schema changes (next release will require increase of minor version instead of patch)
• Breaking change (fix or feature that would cause existing functionality to change)
• Technical debt
• Tests only (no source changes)

Checklist:

• Code changes
• Unit tests added
• Acceptance tests added
• Documentation ticket raised:

Open tasks:

• Backport (if applicable set "backport-request" label and remove when the backport was done)

[codecov]

Codecov Report

Merging #35447 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@             Coverage Diff              @@
##             master   #35447      +/-   ##
============================================
+ Coverage     65.66%   65.66%   +<.01%     
- Complexity    18666    18670       +4     
============================================
  Files          1221     1221              
  Lines         70597    70602       +5     
  Branches       1288     1288              
============================================
+ Hits          46358    46363       +5     
  Misses        23862    23862              
  Partials        377      377

Flag	Coverage Δ	Complexity Δ
#javascript	53.69% <ø> (ø)	0 <ø> (ø)	⬇️
#phpunit	67.04% <100%> (ø)	18670 <0> (+4)	⬆️

Impacted Files	Coverage Δ	Complexity Δ
...es_sharing/lib/Controller/Share20OcsController.php	87.38% <100%> (+0.11%)	208 <0> (+4)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1b9285c...ea751b9. Read the comment docs.

[codecov]

Codecov Report

Merging #35447 into master will increase coverage by <.01%.
The diff coverage is 92.85%.

@@             Coverage Diff              @@
##             master   #35447      +/-   ##
============================================
+ Coverage     65.68%   65.68%   +<.01%     
- Complexity    18729    18735       +6     
============================================
  Files          1221     1221              
  Lines         70779    70793      +14     
  Branches       1288     1288              
============================================
+ Hits          46490    46503      +13     
- Misses        23912    23913       +1     
  Partials        377      377

Flag	Coverage Δ	Complexity Δ
#javascript	53.69% <ø> (ø)	0 <ø> (ø)	⬇️
#phpunit	67.06% <92.85%> (ø)	18735 <4> (+6)	⬆️

Impacted Files	Coverage Δ	Complexity Δ
...es_sharing/lib/Controller/Share20OcsController.php	87.36% <92.85%> (+0.13%)	208 <4> (+6)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6583ab3...663e99a. Read the comment docs.

[jvillafanez]

Shouldn't this be applied to groups as well? I think what you're trying to do here is to prevent the increase of permissions by anyone that isn't the owner of the share, but this should be applied to any kind of share I think.
Btw, the error message should be changed because anyone can reduce the permissions

[jvillafanez]

I think that noone other than the owner should be able to increase the permissions regardless of the share, so the additional condition should be removed (?)

[micbar]

@jvillafanez 👍

[jvillafanez]

maybe the canIncreasePermission might return null if we can't get the user from the session in order to distinguish cases, but since it's a private function it doesn't really matters.

[sharidas]

Backport PR: #35475