Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: implement 'per user inherit' logic for folder delete permissions check #3404

Merged
merged 1 commit into from
Nov 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 13 additions & 10 deletions lib/ACL/ACLManager.php
Original file line number Diff line number Diff line change
Expand Up @@ -211,16 +211,19 @@ public function getPermissionsForTree(string $path): int {
$path = ltrim($path, '/');
$rules = $this->ruleManager->getRulesForPrefix($this->user, $this->getRootStorageId(), $path);

return array_reduce($rules, function (int $permissions, array $rules): int {
$mergedRule = Rule::mergeRules($rules);

$invertedMask = ~$mergedRule->getMask();
// create a bitmask that has all inherit and allow bits set to 1 and all deny bits to 0
$denyMask = $invertedMask | $mergedRule->getPermissions();

// since we only care about the lower permissions, we ignore the allow values
return $permissions & $denyMask;
}, Constants::PERMISSION_ALL);
if ($this->inheritMergePerUser) {
$pathsWithRules = array_keys($rules);
$permissions = Constants::PERMISSION_ALL;
foreach ($pathsWithRules as $path) {
$permissions &= $this->getACLPermissionsForPath($path);
}
return $permissions;
} else {
return array_reduce($rules, function (int $permissions, array $rules): int {
$mergedRule = Rule::mergeRules($rules);
return $mergedRule->applyDenyPermissions($permissions);
}, Constants::PERMISSION_ALL);
}
}

public function preloadRulesForFolder(string $path): void {
Expand Down
19 changes: 19 additions & 0 deletions lib/ACL/Rule.php
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,25 @@ public function applyPermissions(int $permissions): int {
return $permissions | $allowMask;
}

/**
* Apply the deny permissions this rule to an existing permission set, returning the resulting permissions
*
* Only the deny permissions included in the current mask will overwrite the existing permissions
*
* @param int $permissions
* @return int
*/
public function applyDenyPermissions(int $permissions): int {
$invertedMask = ~$this->mask;
// create a bitmask that has all inherit and allow bits set to 1 and all deny bits to 0
$denyMask = $invertedMask | $this->permissions;

return $permissions & $denyMask;
}

/**
* @return void
*/
public function xmlSerialize(Writer $writer): void {
$data = [
self::ACL => [
Expand Down
2 changes: 2 additions & 0 deletions lib/ACL/RuleManager.php
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,8 @@ private function rulesByPath(array $rows, array $result = []): array {
}
}

ksort($result);

return $result;
}

Expand Down
70 changes: 70 additions & 0 deletions tests/ACL/ACLManagerTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,13 @@ protected function setUp(): void {

return array_merge($rules, $actualRules);
});

$this->ruleManager->method('getRulesForPrefix')
->willReturnCallback(function (IUser $user, int $storageId, string $prefix) {
return array_filter($this->rules, function (string $path) use ($prefix) {
return $prefix === $path || str_starts_with($path, $prefix . '/');
}, ARRAY_FILTER_USE_KEY);
});
}

private function createMapping(string $id): IUserMapping&MockObject {
Expand Down Expand Up @@ -158,4 +165,67 @@ public function testGetACLPermissionsForPathPerUserMerge(): void {
$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_SHARE - Constants::PERMISSION_UPDATE, $aclManager->getACLPermissionsForPath('foo/blocked'));
$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_SHARE - Constants::PERMISSION_UPDATE - Constants::PERMISSION_READ, $aclManager->getACLPermissionsForPath('foo/blocked2'));
}

public function testGetPermissionsForTree(): void {
$perUserAclManager = $this->getAclManager(true);

$this->rules = [
'foo' => [
new Rule($this->createMapping('1'), 10, Constants::PERMISSION_ALL, Constants::PERMISSION_ALL),
],
'foo/bar' => [
new Rule($this->createMapping('2'), 10, Constants::PERMISSION_DELETE, 0) // remove delete
],
'foo/bar/asd' => [
new Rule($this->createMapping('2'), 10, Constants::PERMISSION_DELETE, Constants::PERMISSION_DELETE) // re-add delete
],
];
$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_DELETE, $this->aclManager->getPermissionsForTree('foo'));
$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_DELETE, $this->aclManager->getPermissionsForTree('foo/bar'));

$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getACLPermissionsForPath('foo'));
$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getACLPermissionsForPath('foo/bar'));
$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getACLPermissionsForPath('foo/bar/asd'));

$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getPermissionsForTree('foo'));
$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getPermissionsForTree('foo/bar'));

$this->rules = [
'foo2' => [
new Rule($this->createMapping('1'), 10, Constants::PERMISSION_ALL, Constants::PERMISSION_ALL),
],
'foo2/bar' => [
new Rule($this->createMapping('1'), 10, Constants::PERMISSION_DELETE, 0) // remove delete
],
'foo2/bar/asd' => [
new Rule($this->createMapping('2'), 10, Constants::PERMISSION_DELETE, Constants::PERMISSION_DELETE) // re-add delete
],
];

$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getACLPermissionsForPath('foo2'));
$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_DELETE, $perUserAclManager->getACLPermissionsForPath('foo2/bar'));
$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getACLPermissionsForPath('foo2/bar/asd'));

$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_DELETE, $perUserAclManager->getPermissionsForTree('foo2'));
$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_DELETE, $perUserAclManager->getPermissionsForTree('foo2/bar'));

$this->rules = [
'foo3' => [
new Rule($this->createMapping('1'), 10, Constants::PERMISSION_ALL, Constants::PERMISSION_ALL),
],
'foo3/bar' => [
new Rule($this->createMapping('1'), 10, Constants::PERMISSION_DELETE, 0) // remove delete
],
'foo3/bar/asd' => [
new Rule($this->createMapping('1'), 10, Constants::PERMISSION_DELETE, Constants::PERMISSION_DELETE) // re-add delete
],
];

$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getACLPermissionsForPath('foo3'));
$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_DELETE, $perUserAclManager->getACLPermissionsForPath('foo3/bar'));
$this->assertEquals(Constants::PERMISSION_ALL, $perUserAclManager->getACLPermissionsForPath('foo3/bar/asd'));

$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_DELETE, $perUserAclManager->getPermissionsForTree('foo3'));
$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_DELETE, $perUserAclManager->getPermissionsForTree('foo3/bar'));
}
}
Loading