[Sharing NG] Resource in personal drive list extra permission #8331
Comments
|
cc @rhafer |
amrita-shrestha
changed the title
Uploader and Editor role
amrita-shrestha
changed the title
|
Hm, currently we can not do any better than that 😞. The two different editor rules are pretty ugly. Currently the condtitions on the roleDefinitions do not allow to distinguish between Folders and files. That's why we are always returning both roles. Also we always return the full list of of actions, ignoring whether they makes sense for the requested resource. We have to find at least some way to avoid the two different |
rhafer
changed the title
Hm, looking at the reva code, I think that would break stuff. The |
|
For the roles we might want to rethink our usage for the
We use The third one IMO this is all but intuitive. It's hard to understand. The syntax is not explained anywhere (at least AFAIK). And the two conditions we're actively using look just arbitrary. How about if we define a set of conditions that are somewhat more explicit. E.g. depending on the driveitem properties:
I must admit that I don't grasp the whole With the above condtions we could in theory just define a single But in order to keep the "Descriptions" more accurate we could also keep the current roles as they are and just filter them properly using the new conditions. |
|
I would agree with the observation that the current conditions are not clean enough. The suggestion is also ok, the naming is understandable. Let us please decide quickly how we can handle the idea of a Role that can expand into different Resource Actions. @butonic @kobergj @kulmann @JammingBen We need to really understand what model makes it "easier" to understand. (harhar) |
Regarding Edit vs Delete permissionsThis discussion is quite old:
So why even differentiate between the two permissions?
IMO we need to seperate them. Regarding the Condition SyntaxAFAICT it follows the Security Descriptor Definition Language (SDDL) for Conditional ACEs - Conditional expressions: AttributeName Operator Value I think rules like this will become relevant in the future: Policy SDDL That should clarify the syntax. But we should probably
Regarding other ConditionsI already deviated from MS graph because we needed permissions that only applied to shared resources, hence the Instead of AFAICT the Conditions do not need to be parsed by anyone, do they? So I'm ok with changing the way we write them, as long as they follow the SDDL Conditional Expressions. |
Yeah. Obviously. 🤯 I really have strong doubts going down that rabbithole. But that's a discussion to be had when it becomes relevant.
Fine with me. |
This switches our hardcode unfied role conditions to better reflect what we're actually using them before. The new conditions also allow to differentiate between roles elgitible for files, folders or drive roots. Which means that the `/permissions` endpoint is now able to populate the `roles.allowedValues` field with the correct roles for type of the resource it is called for. Fixes: owncloud#8331
This switches our hardcode unfied role conditions to better reflect what we're actually using them before. The new conditions also allow to differentiate between roles elgitible for files, folders or drive roots. Which means that the `/permissions` endpoint is now able to populate the `roles.allowedValues` field with the correct roles for type of the resource it is called for. Fixes: owncloud#8331
This switches our hardcode unfied role conditions to better reflect what we're actually using them before. The new conditions also allow to differentiate between roles elgitible for files, folders or drive roots. Which means that the `/permissions` endpoint is now able to populate the `roles.allowedValues` field with the correct roles for type of the resource it is called for. Fixes: owncloud#8331
This switches our hardcode unfied role conditions to better reflect what we're actually using them before. The new conditions also allow to differentiate between roles elgitible for files, folders or drive roots. Which means that the `/permissions` endpoint is now able to populate the `roles.allowedValues` field with the correct roles for type of the resource it is called for. Fixes: owncloud#8331
This switches our hardcode unfied role conditions to better reflect what we're actually using them before. The new conditions also allow to differentiate between roles elgitible for files, folders or drive roots. Which means that the `/permissions` endpoint is now able to populate the `roles.allowedValues` field with the correct roles for type of the resource it is called for. Fixes: owncloud#8331
github-project-automation
bot
moved this from In progress
to Done
in Infinite Scale Team Board
This switches our hardcode unfied role conditions to better reflect what we're actually using them before. The new conditions also allow to differentiate between roles elgitible for files, folders or drive roots. Which means that the `/permissions` endpoint is now able to populate the `roles.allowedValues` field with the correct roles for type of the resource it is called for. Fixes: #8331
Describe the bug
File resource list extra permission like
Editor(file or folder) and Uploader. Folder resource list extra permission likeEditor(Allows reading and updating file)Related issue #8131
Steps to reproduce
parent.txtand folder resourcetestFolderparent.txtitem,curl -vk 'https://host.docker.internal:9200/graph/v1beta1/drives/{drives-id}/items/{items-id}/permissions'Editor(file or folder)andUploaderrole API request returns400 status codetestFolderitem,Expected behavior
Editor(file or folder) and Uploaderpermission shouldn't listed for file resources and EDitor(Allows reading and updating file) should not be listed on folder resourceActual behavior
four permission listed for both file and folder resource
Setup
Please describe how you started the server and provide a list of relevant environment variables or configuration files.
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: