fix public share view mode during app open (#3278)

cs3org · Sep 27, 2022 · da0a9b8 · da0a9b8
1 parent 64f5792
commit da0a9b8
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 17 deletions.
diff --git a/changelog/unreleased/fix-publicshare-app-view-mode.md b/changelog/unreleased/fix-publicshare-app-view-mode.md
@@ -0,0 +1,5 @@
+Bugfix: Fix public share view mode during app open
+
+We now set the correct view mode during an app open action when the user is accessing a public share.
+
+https://github.com/cs3org/reva/pull/3278
diff --git a/internal/http/services/appprovider/appprovider.go b/internal/http/services/appprovider/appprovider.go
@@ -19,17 +19,21 @@
 package appprovider
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/url"
 	"path"
+	"strings"
 
 	appregistry "github.com/cs3org/go-cs3apis/cs3/app/registry/v1beta1"
+	providerv1beta1 "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	typespb "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/v2/internal/http/services/datagateway"
+	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
 	"github.com/cs3org/reva/v2/pkg/rgrpc/status"
 	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/cs3org/reva/v2/pkg/rhttp"
@@ -380,29 +384,40 @@ func (s *svc) handleOpen(openMode int) http.HandlerFunc {
 			Path:       ".",
 		}
 
-		statRes, err := client.Stat(ctx, &provider.StatRequest{Ref: fileRef})
+		viewMode, err := getViewModeFromPublicScope(ctx)
 		if err != nil {
-			writeError(w, r, appErrorServerError, "Internal error accessing the file, please try again later", err)
+			writeError(w, r, appErrorPermissionDenied, "permission denied to open the application", err)
 			return
 		}
 
-		if statRes.Status.Code == rpc.Code_CODE_NOT_FOUND {
-			writeError(w, r, appErrorNotFound, "file does not exist", nil)
-			return
-		} else if statRes.Status.Code != rpc.Code_CODE_OK {
-			writeError(w, r, appErrorServerError, "failed to stat the file", nil)
-			return
-		}
+		if viewMode == gateway.OpenInAppRequest_VIEW_MODE_INVALID {
+			// we have no publicshare Role in the token scope
+			// do a stat request to assemble the permissions for this user
+			statRes, err := client.Stat(ctx, &provider.StatRequest{Ref: fileRef})
+			if err != nil {
+				writeError(w, r, appErrorServerError, "Internal error accessing the file, please try again later", err)
+				return
+			}
 
-		if statRes.Info.Type != provider.ResourceType_RESOURCE_TYPE_FILE {
-			writeError(w, r, appErrorInvalidParameter, "the given file id does not point to a file", nil)
-			return
-		}
+			if statRes.Status.Code == rpc.Code_CODE_NOT_FOUND {
+				writeError(w, r, appErrorNotFound, "file does not exist", nil)
+				return
+			} else if statRes.Status.Code != rpc.Code_CODE_OK {
+				writeError(w, r, appErrorServerError, "failed to stat the file", nil)
+				return
+			}
 
-		viewMode := getViewMode(statRes.Info, r.Form.Get("view_mode"))
-		if viewMode == gateway.OpenInAppRequest_VIEW_MODE_INVALID {
-			writeError(w, r, appErrorInvalidParameter, "invalid view mode", err)
-			return
+			if statRes.Info.Type != provider.ResourceType_RESOURCE_TYPE_FILE {
+				writeError(w, r, appErrorInvalidParameter, "the given file id does not point to a file", nil)
+				return
+			}
+
+			// Calculate the view mode from the resource permissions
+			viewMode = getViewMode(statRes.Info, r.Form.Get("view_mode"))
+			if viewMode == gateway.OpenInAppRequest_VIEW_MODE_INVALID {
+				writeError(w, r, appErrorInvalidParameter, "invalid view mode", err)
+				return
+			}
 		}
 
 		openReq := gateway.OpenInAppRequest{
@@ -547,3 +562,23 @@ func getViewMode(res *provider.ResourceInfo, vm string) gateway.OpenInAppRequest
 	}
 	return viewMode
 }
+
+// try to get the view mode from a publicshare scope
+func getViewModeFromPublicScope(ctx context.Context) (gateway.OpenInAppRequest_ViewMode, error) {
+	scopes, ok := ctxpkg.ContextGetScopes(ctx)
+	if ok {
+		for key, scope := range scopes {
+			if strings.HasPrefix(key, "publicshare:") {
+				switch scope.GetRole() {
+				case providerv1beta1.Role_ROLE_VIEWER:
+					return gateway.OpenInAppRequest_VIEW_MODE_VIEW_ONLY, nil
+				case providerv1beta1.Role_ROLE_EDITOR:
+					return gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE, nil
+				default:
+					return gateway.OpenInAppRequest_VIEW_MODE_INVALID, errors.New("invalid view mode in publicshare scope")
+				}
+			}
+		}
+	}
+	return gateway.OpenInAppRequest_VIEW_MODE_INVALID, nil
+}
diff --git a/internal/http/services/appprovider/errors.go b/internal/http/services/appprovider/errors.go
@@ -32,6 +32,7 @@ const (
 	appErrorNotFound         appErrorCode = "RESOURCE_NOT_FOUND"
 	appErrorAlreadyExists    appErrorCode = "RESOURCE_ALREADY_EXISTS"
 	appErrorUnauthenticated  appErrorCode = "UNAUTHENTICATED"
+	appErrorPermissionDenied appErrorCode = "PERMISSION_DENIED"
 	appErrorUnimplemented    appErrorCode = "NOT_IMPLEMENTED"
 	appErrorInvalidParameter appErrorCode = "INVALID_PARAMETER"
 	appErrorServerError      appErrorCode = "SERVER_ERROR"
@@ -45,6 +46,7 @@ var appErrorCodeMapping = map[appErrorCode]int{
 	appErrorUnimplemented:    http.StatusNotImplemented,
 	appErrorInvalidParameter: http.StatusBadRequest,
 	appErrorServerError:      http.StatusInternalServerError,
+	appErrorPermissionDenied: http.StatusForbidden,
 }
 
 // APIError encompasses the error type and message