fix: Fixed read-only access check in file access by sharecode inside shared drives

Author: shepilov

model/sharing/sharing.go

@@ -140,6 +140,11 @@ func (s *Sharing) ReadOnlyFlag() bool {
 // ReadOnlyRules returns true if the rules forbid that a change on the
 // recipient's cozy instance can be propagated to the sharer's cozy.
 func (s *Sharing) ReadOnlyRules() bool {
+	// For Drive sharings, rules are "none" but that doesn't mean read-only.
+	// The member's ReadOnly flag determines access, not the rules.
+	if s.Drive {
+		return false
+	}
 	for _, rule := range s.Rules {
 		if rule.HasSync() {
 			return false

web/sharings/drives_test.go

@@ -1898,7 +1898,7 @@ func TestSharedDriveNotes(t *testing.T) {
 
 		noteID := noteObj.Value("data").Object().Value("id").String().Raw()
 
-		// Open the note as Betty
+		// Open the note as Betty (who has write access, ReadOnly: false)
 		obj := eB.GET("/sharings/drives/"+env.firstSharingID+"/notes/"+noteID+"/open").
 			WithHeader("Authorization", "Bearer "+env.bettyToken).
 			Expect().Status(200).
@@ -1911,7 +1911,22 @@ func TestSharedDriveNotes(t *testing.T) {
 
 		attrs := data.Value("attributes").Object()
 		attrs.HasValue("note_id", noteID)
-		attrs.Value("sharecode").String().NotEmpty()
+		sharecode := attrs.Value("sharecode").String().NotEmpty().Raw()
+
+		permObj := eA.GET("/permissions/self").
+			WithHeader("Authorization", "Bearer "+sharecode).
+			Expect().Status(200).
+			JSON(httpexpect.ContentOpts{MediaType: "application/vnd.api+json"}).
+			Object()
+
+		// The permissions should include write verbs (POST, PUT, PATCH, DELETE), not just GET
+		permAttrs := permObj.Value("data").Object().Value("attributes").Object()
+		perms := permAttrs.Value("permissions").Object()
+		for _, rule := range perms.Iter() {
+			verbs := rule.Object().Value("verbs").Array()
+			verbs.Length().Gt(1)
+			break
+		}
 	})
 
 	t.Run("CreateNoteWithoutAuth", func(t *testing.T) {

web/sharings/move_test.go

@@ -21,6 +21,7 @@ import (
 	"github.com/cozy/cozy-stack/web/files"
 	"github.com/cozy/cozy-stack/web/middlewares"
 	"github.com/cozy/cozy-stack/web/notes"
+	"github.com/cozy/cozy-stack/web/permissions"
 	"github.com/cozy/cozy-stack/web/sharings"
 	"github.com/cozy/cozy-stack/web/statik"
 	"github.com/gavv/httpexpect/v2"
@@ -87,9 +88,10 @@ func setupSharedDrivesEnv(t *testing.T) *sharedDrivesEnv {
 	acme := setupA.GetTestInstance(&lifecycle.Options{Email: "[email protected]", PublicName: "ACME"})
 	acmeToken := generateAppToken(acme, "drive", "io.cozy.files")
 	tsA := setupA.GetTestServerMultipleRoutes(map[string]func(*echo.Group){
-		"/files":    files.Routes,
-		"/notes":    notes.Routes,
-		"/sharings": sharings.Routes,
+		"/files":       files.Routes,
+		"/notes":       notes.Routes,
+		"/permissions": permissions.Routes,
+		"/sharings":    sharings.Routes,
 	})
 	tsA.Config.Handler.(*echo.Echo).Renderer = render
 	tsA.Config.Handler.(*echo.Echo).HTTPErrorHandler = errors.ErrorHandler