feat: add secure view share role

Adds a new share role "Secure View". This role is applicable for files, folders and spaces and only allows viewing them (and their content).
owncloud · Apr 25, 2024 · 667463d · 667463d
1 parent 0b4fa58
commit 667463d
Show file tree

Hide file tree

Showing 5 changed files with 257 additions and 33 deletions.
diff --git a/changelog/unreleased/sharing-secure-view-role.md b/changelog/unreleased/sharing-secure-view-role.md
@@ -0,0 +1,5 @@
+Enhancement: Secure viewer share role
+
+A new share role "Secure viewer" has been added. This role is applicable for files, folders and spaces and only allows viewing them (and their content).
+
+https://github.com/owncloud/ocis/pull/8907
diff --git a/services/graph/pkg/unifiedrole/unifiedrole.go b/services/graph/pkg/unifiedrole/unifiedrole.go
@@ -27,6 +27,8 @@ const (
 	UnifiedRoleUploaderID = "1c996275-f1c9-4e71-abdf-a42f6495e960"
 	// UnifiedRoleManagerID Unified role manager id.
 	UnifiedRoleManagerID = "312c0871-5ef7-4b3a-85b6-0e4074c64049"
+	// UnifiedRoleSecureViewerID Unified role secure viewer id.
+	UnifiedRoleSecureViewerID = "aa97fe03-7980-45ac-9e50-b325749fd7e6"
 
 	// UnifiedRoleConditionDrive defines constraint that matches a Driveroot/Spaceroot
 	UnifiedRoleConditionDrive = "exists @Resource.Root"
@@ -60,12 +62,13 @@ var legacyNames map[string]string = map[string]string{
 	UnifiedRoleViewerID: conversions.RoleViewer,
 	// one V1 api the "spaceviewer" role was call "viewer" and the "spaceeditor" was "editor",
 	// we need to stay compatible with that
-	UnifiedRoleSpaceViewerID: "viewer",
-	UnifiedRoleSpaceEditorID: "editor",
-	UnifiedRoleEditorID:      conversions.RoleEditor,
-	UnifiedRoleFileEditorID:  conversions.RoleFileEditor,
-	UnifiedRoleUploaderID:    conversions.RoleUploader,
-	UnifiedRoleManagerID:     conversions.RoleManager,
+	UnifiedRoleSpaceViewerID:  "viewer",
+	UnifiedRoleSpaceEditorID:  "editor",
+	UnifiedRoleEditorID:       conversions.RoleEditor,
+	UnifiedRoleFileEditorID:   conversions.RoleFileEditor,
+	UnifiedRoleUploaderID:     conversions.RoleUploader,
+	UnifiedRoleManagerID:      conversions.RoleManager,
+	UnifiedRoleSecureViewerID: conversions.RoleSecureViewer,
 }
 
 // NewViewerUnifiedRole creates a viewer role.
@@ -191,6 +194,31 @@ func NewManagerUnifiedRole() *libregraph.UnifiedRoleDefinition {
 	}
 }
 
+// NewSecureViewerUnifiedRole creates a secure viewer role
+func NewSecureViewerUnifiedRole() *libregraph.UnifiedRoleDefinition {
+	r := conversions.NewSecureViewerRole()
+	return &libregraph.UnifiedRoleDefinition{
+		Id:          proto.String(UnifiedRoleSecureViewerID),
+		Description: proto.String("View only documents, images and PDFs. Watermarks will be applied."),
+		DisplayName: displayName(r),
+		RolePermissions: []libregraph.UnifiedRolePermission{
+			{
+				AllowedResourceActions: convert(r),
+				Condition:              proto.String(UnifiedRoleConditionFile),
+			},
+			{
+				AllowedResourceActions: convert(r),
+				Condition:              proto.String(UnifiedRoleConditionFolder),
+			},
+			{
+				AllowedResourceActions: convert(r),
+				Condition:              proto.String(UnifiedRoleConditionDrive),
+			},
+		},
+		LibreGraphWeight: proto.Int32(0),
+	}
+}
+
 // NewUnifiedRoleFromID returns a unified role definition from the provided id
 func NewUnifiedRoleFromID(id string) (*libregraph.UnifiedRoleDefinition, error) {
 	for _, definition := range GetBuiltinRoleDefinitionList() {
@@ -213,6 +241,7 @@ func GetBuiltinRoleDefinitionList() []*libregraph.UnifiedRoleDefinition {
 		NewFileEditorUnifiedRole(),
 		NewUploaderUnifiedRole(),
 		NewManagerUnifiedRole(),
+		NewSecureViewerUnifiedRole(),
 	}
 }
 
@@ -476,6 +505,8 @@ func displayName(role *conversions.Role) *string {
 		displayName = "Can upload"
 	case conversions.RoleManager:
 		displayName = "Can manage"
+	case conversions.RoleSecureViewer:
+		displayName = "Can view (secure)"
 	default:
 		return nil
 	}

diff --git a/services/graph/pkg/unifiedrole/unifiedrole_test.go b/services/graph/pkg/unifiedrole/unifiedrole_test.go
@@ -31,6 +31,9 @@ var _ = Describe("unifiedroles", func() {
 		Entry(rConversions.RoleManager, rConversions.NewManagerRole(), unifiedrole.NewManagerUnifiedRole(), unifiedrole.UnifiedRoleConditionDrive),
 		Entry(rConversions.RoleSpaceViewer, rConversions.NewSpaceViewerRole(), unifiedrole.NewSpaceViewerUnifiedRole(), unifiedrole.UnifiedRoleConditionDrive),
 		Entry(rConversions.RoleSpaceEditor, rConversions.NewSpaceEditorRole(), unifiedrole.NewSpaceEditorUnifiedRole(), unifiedrole.UnifiedRoleConditionDrive),
+		Entry(rConversions.RoleSecureViewer, rConversions.NewSecureViewerRole(), unifiedrole.NewSecureViewerUnifiedRole(), unifiedrole.UnifiedRoleConditionFile),
+		Entry(rConversions.RoleSecureViewer, rConversions.NewSecureViewerRole(), unifiedrole.NewSecureViewerUnifiedRole(), unifiedrole.UnifiedRoleConditionFolder),
+		Entry(rConversions.RoleSecureViewer, rConversions.NewSecureViewerRole(), unifiedrole.NewSecureViewerUnifiedRole(), unifiedrole.UnifiedRoleConditionDrive),
 	)
 
 	DescribeTable("UnifiedRolePermissionsToCS3ResourcePermissions",
@@ -54,6 +57,7 @@ var _ = Describe("unifiedroles", func() {
 		Entry(rConversions.RoleEditor, rConversions.NewEditorRole(), unifiedrole.NewEditorUnifiedRole(), true),
 		Entry(rConversions.RoleFileEditor, rConversions.NewFileEditorRole(), unifiedrole.NewFileEditorUnifiedRole(), true),
 		Entry(rConversions.RoleManager, rConversions.NewManagerRole(), unifiedrole.NewManagerUnifiedRole(), true),
+		Entry(rConversions.RoleSecureViewer, rConversions.NewSecureViewerRole(), unifiedrole.NewSecureViewerUnifiedRole(), true),
 		Entry("no match", rConversions.NewFileEditorRole(), unifiedrole.NewManagerUnifiedRole(), false),
 	)
 
@@ -135,6 +139,7 @@ var _ = Describe("unifiedroles", func() {
 				rolesToAction(unifiedrole.NewViewerUnifiedRole()),
 				unifiedrole.UnifiedRoleConditionFolder,
 				[]*libregraph.UnifiedRoleDefinition{
+					unifiedrole.NewSecureViewerUnifiedRole(),
 					unifiedrole.NewViewerUnifiedRole(),
 				},
 			),
@@ -144,6 +149,7 @@ var _ = Describe("unifiedroles", func() {
 				rolesToAction(unifiedrole.NewViewerUnifiedRole()),
 				unifiedrole.UnifiedRoleConditionFile,
 				[]*libregraph.UnifiedRoleDefinition{
+					unifiedrole.NewSecureViewerUnifiedRole(),
 					unifiedrole.NewViewerUnifiedRole(),
 				},
 			),
@@ -153,6 +159,7 @@ var _ = Describe("unifiedroles", func() {
 				rolesToAction(unifiedrole.NewFileEditorUnifiedRole()),
 				unifiedrole.UnifiedRoleConditionFile,
 				[]*libregraph.UnifiedRoleDefinition{
+					unifiedrole.NewSecureViewerUnifiedRole(),
 					unifiedrole.NewViewerUnifiedRole(),
 					unifiedrole.NewFileEditorUnifiedRole(),
 				},
@@ -163,6 +170,7 @@ var _ = Describe("unifiedroles", func() {
 				rolesToAction(unifiedrole.NewEditorUnifiedRole()),
 				unifiedrole.UnifiedRoleConditionFolder,
 				[]*libregraph.UnifiedRoleDefinition{
+					unifiedrole.NewSecureViewerUnifiedRole(),
 					unifiedrole.NewUploaderUnifiedRole(),
 					unifiedrole.NewViewerUnifiedRole(),
 					unifiedrole.NewEditorUnifiedRole(),
@@ -174,6 +182,7 @@ var _ = Describe("unifiedroles", func() {
 				rolesToAction(unifiedrole.GetBuiltinRoleDefinitionList()...),
 				unifiedrole.UnifiedRoleConditionFile,
 				[]*libregraph.UnifiedRoleDefinition{
+					unifiedrole.NewSecureViewerUnifiedRole(),
 					unifiedrole.NewViewerUnifiedRole(),
 					unifiedrole.NewFileEditorUnifiedRole(),
 				},
@@ -184,6 +193,7 @@ var _ = Describe("unifiedroles", func() {
 				rolesToAction(unifiedrole.GetBuiltinRoleDefinitionList()...),
 				unifiedrole.UnifiedRoleConditionFolder,
 				[]*libregraph.UnifiedRoleDefinition{
+					unifiedrole.NewSecureViewerUnifiedRole(),
 					unifiedrole.NewUploaderUnifiedRole(),
 					unifiedrole.NewViewerUnifiedRole(),
 					unifiedrole.NewEditorUnifiedRole(),
@@ -195,6 +205,7 @@ var _ = Describe("unifiedroles", func() {
 				rolesToAction(unifiedrole.GetBuiltinRoleDefinitionList()...),
 				unifiedrole.UnifiedRoleConditionDrive,
 				[]*libregraph.UnifiedRoleDefinition{
+					unifiedrole.NewSecureViewerUnifiedRole(),
 					unifiedrole.NewSpaceViewerUnifiedRole(),
 					unifiedrole.NewSpaceEditorUnifiedRole(),
 					unifiedrole.NewManagerUnifiedRole(),

diff --git a/tests/TestHelpers/GraphHelper.php b/tests/TestHelpers/GraphHelper.php
@@ -1642,6 +1642,8 @@ public static function getPermissionsRoleIdByName(
 				return '1c996275-f1c9-4e71-abdf-a42f6495e960';
 			case 'Manager':
 				return '312c0871-5ef7-4b3a-85b6-0e4074c64049';
+			case 'Secure viewer':
+				return 'aa97fe03-7980-45ac-9e50-b325749fd7e6';
 			default:
 				throw new \Exception('Role ' . $permissionsRole . ' not found');
 		}
@@ -1668,6 +1670,8 @@ public static function getPermissionNameByPermissionRoleId(
 				return 'File Editor';
 			case '1c996275-f1c9-4e71-abdf-a42f6495e960':
 				return 'Uploader';
+			case 'aa97fe03-7980-45ac-9e50-b325749fd7e6':
+				return 'Secure viewer';
 			default:
 				throw new \Exception('Role ' . $permissionsRoleId . ' not found');
 		}