Merged
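--- a/changelog/unreleased/refactor-permissions.md
+++ b/changelog/unreleased/refactor-permissions.md
@@ -0,0 +1,5 @@
+Enhancement: refactor permissions
+
+Permissions are now, at least partially, handled and exposed within a single package (which was important for cernboxcop), with conversions between the different types of permissions
+
+https://github.com/cs3org/reva/pull/5428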
6 changes: 3 additions & 3 deletions cmd/reva/ocm-share-create.go
Expand Up @@ -33,7 +33,7 @@ import (
ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/permissions"
ocmshare "github.com/cs3org/reva/v3/pkg/ocm/share"
"github.com/cs3org/reva/v3/pkg/utils"
"github.com/jedib0t/go-pretty/table"
Expand Down Expand Up @@ -215,9 +215,9 @@ func getAccessMethods(webdav, webapp, datatx bool, rol string) ([]*ocm.AccessMet
func getOCMSharePerm(p string) (*provider.ResourcePermissions, error) {
switch p {
case viewerPermission:
return conversions.NewViewerRole().CS3ResourcePermissions(), nil
return permissions.NewViewerRole().CS3ResourcePermissions(), nil
case editorPermission:
return conversions.NewEditorRole().CS3ResourcePermissions(), nil
return permissions.NewEditorRole().CS3ResourcePermissions(), nil
}
return nil, errors.New("invalid rol: " + p)
}
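Review bot: The new `"github.com/cs3org/reva/v3/pkg/permissions"` import sits in the slot of the removed `internal/.../ocs/conversions` line, so it now precedes `ocmshare "github.com/cs3org/reva/v3/pkg/ocm/share"` and the import run is no longer in gofmt's sorted order. The same misplacement shows up in spacesregistry.go, propfind.go (where two extra blank lines also appear inside the import block), tus.go, ocgraph/conversions.go, ocgraph/shares.go and the ocgraph section whose file header is missing, each of which lists `pkg/permissions` out of order relative to `pkg/appctx`. Running `gofmt -w` or `goimports` over the touched files would put all of them right in one pass.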
8 changes: 4 additions & 4 deletions cmd/reva/share-create.go
Expand Up @@ -28,7 +28,7 @@ import (
rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/permissions"
"github.com/cs3org/reva/v3/pkg/utils"
"github.com/jedib0t/go-pretty/table"
"github.com/pkg/errors"
Expand Down Expand Up @@ -159,11 +159,11 @@ func getGrantType(t string) provider.GranteeType {
func getSharePerm(p string) (*provider.ResourcePermissions, error) {
switch p {
case viewerPermission:
return conversions.NewViewerRole().CS3ResourcePermissions(), nil
return permissions.NewViewerRole().CS3ResourcePermissions(), nil
case editorPermission:
return conversions.NewEditorRole().CS3ResourcePermissions(), nil
return permissions.NewEditorRole().CS3ResourcePermissions(), nil
case collabPermission:
return conversions.NewManagerRole().CS3ResourcePermissions(), nil
return permissions.NewManagerRole().CS3ResourcePermissions(), nil
case denyPermission:
return &provider.ResourcePermissions{}, nil
default:
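Review bot: The `denyPermission` case in getSharePerm still hand-builds `&provider.ResourcePermissions{}` while every other case now takes its value from the permissions package, and ocgraph/conversions.go in this same change uses `permissions.NewDeniedRole().CS3ResourcePermissions()` for its deny path. If the denied role is meant to be the single definition of "no access", this case should read `return permissions.NewDeniedRole().CS3ResourcePermissions(), nil`, so a later change to that role cannot leave the CLI granting a different set. Whether the two values are identical today is not visible on this page and should be confirmed before swapping. The `default:` branch of the function continues outside the hunk.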
6 changes: 3 additions & 3 deletions internal/grpc/services/spacesregistry/spacesregistry.go
Expand Up @@ -31,7 +31,7 @@ import (
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
cachereg "github.com/cs3org/reva/v3/pkg/share/cache/registry"

"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/permissions"
"github.com/cs3org/reva/v3/pkg/appctx"
"github.com/cs3org/reva/v3/pkg/errtypes"
"github.com/cs3org/reva/v3/pkg/plugin"
Expand Down Expand Up @@ -410,14 +410,14 @@ func (s *service) userSpace(ctx context.Context, user *userpb.User) (*provider.S
Name: user.Username,
SpaceType: spaces.SpaceTypeHome.AsString(),
RootInfo: &provider.ResourceInfo{
PermissionSet: conversions.NewManagerRole().CS3ResourcePermissions(),
PermissionSet: permissions.NewManagerRole().CS3ResourcePermissions(),
Path: home,
},
Quota: &provider.Quota{
QuotaMaxBytes: quota.TotalBytes,
RemainingBytes: quota.TotalBytes - quota.UsedBytes,
},
PermissionSet: conversions.NewManagerRole().CS3ResourcePermissions(),
PermissionSet: permissions.NewManagerRole().CS3ResourcePermissions(),
}, nil
}
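Review bot: `RemainingBytes: quota.TotalBytes - quota.UsedBytes` in userSpace has no visible guard for usage above the quota. If these fields are unsigned integers (their types are declared outside the hunk), an over-quota home would wrap around and be reported with an enormous remaining value. Unless an earlier part of userSpace, which starts outside this hunk, already rules that out, compute the difference only when `quota.TotalBytes > quota.UsedBytes` and report 0 otherwise.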

10 changes: 6 additions & 4 deletions internal/http/services/owncloud/ocdav/propfind.go
Expand Up @@ -40,10 +40,12 @@ import (
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
"github.com/cs3org/reva/v3/internal/grpc/services/storageprovider"
"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/appctx"
"github.com/cs3org/reva/v3/pkg/spaces"
"github.com/cs3org/reva/v3/pkg/permissions"

"github.com/pkg/errors"


"github.com/cs3org/reva/v3/pkg/publicshare"
"github.com/cs3org/reva/v3/pkg/share"
Expand Down Expand Up @@ -563,7 +565,7 @@ func (s *svc) mdToPropResponse(ctx context.Context, pf *propfindXML, md *provide
}
}

role := conversions.RoleFromResourcePermissions(md.PermissionSet)
role := permissions.RoleFromResourcePermissions(md.PermissionSet)

isShared := !isCurrentUserOwner(ctx, md.Owner)
var wdp string
Expand Down Expand Up @@ -1036,8 +1038,8 @@ func (s *svc) mdToPropResponse(ctx context.Context, pf *propfindXML, md *provide
perms := role.OCSPermissions()
// shared files cant have the create or delete permission set
if md.Type == provider.ResourceType_RESOURCE_TYPE_FILE {
perms &^= conversions.PermissionCreate
perms &^= conversions.PermissionDelete
perms &^= permissions.PermissionCreate
perms &^= permissions.PermissionDelete
}
propstatOK.Prop = append(propstatOK.Prop, s.newPropNS(pf.Prop[i].Space, pf.Prop[i].Local, strconv.FormatUint(uint64(perms), 10)))
}
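Review bot: The comment `// shared files cant have the create or delete permission set` does not match the guard beneath it, which tests only `md.Type == provider.ResourceType_RESOURCE_TYPE_FILE`. `isShared` is computed earlier in mdToPropResponse but is not consulted in the visible lines. If the enclosing branch (outside the hunk) already limits this to shares, the comment should say so; otherwise it should drop the word "shared", so a reader does not assume an ownership check that is not there. The two masks can also be written as one statement, `perms &^= permissions.PermissionCreate | permissions.PermissionDelete`.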
4 changes: 2 additions & 2 deletions internal/http/services/owncloud/ocdav/tus.go
Expand Up @@ -31,7 +31,7 @@ import (
link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
typespb "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/permissions"
"github.com/cs3org/reva/v3/pkg/appctx"
"github.com/cs3org/reva/v3/pkg/utils"
"github.com/cs3org/reva/v3/pkg/utils/resourceid"
Expand Down Expand Up @@ -297,7 +297,7 @@ func (s *svc) handleTusPost(ctx context.Context, w http.ResponseWriter, r *http.
}
}
isShared := !isCurrentUserOwner(ctx, info.Owner)
role := conversions.RoleFromResourcePermissions(info.PermissionSet)
role := permissions.RoleFromResourcePermissions(info.PermissionSet)
permissions := role.WebDAVPermissions(
info.Type == provider.ResourceType_RESOURCE_TYPE_CONTAINER,
isShared,
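Review bot: `permissions := role.WebDAVPermissions(` now declares a local with the same name as the newly imported `permissions` package, one line after the package is used in `permissions.RoleFromResourcePermissions(info.PermissionSet)`. It compiles because the local's scope begins only after its own declaration, but from there to the end of the block the package is shadowed. Any later `permissions.X` reference would then resolve against the local value, and the clash did not exist while the package was called `conversions`. Rename the local, for example `davPerms := role.WebDAVPermissions(`, and update its uses; the rest of handleTusPost is outside the hunk.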
4 changes: 2 additions & 2 deletions internal/http/services/owncloud/ocgraph/conversions.go
Expand Up @@ -18,7 +18,7 @@ import (
ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/permissions"
"github.com/cs3org/reva/v3/pkg/appctx"
"github.com/cs3org/reva/v3/pkg/spaces"
"github.com/cs3org/reva/v3/pkg/utils"
Expand Down Expand Up @@ -253,7 +253,7 @@ func LinkTypeToPermissions(lt libregraph.SharingLinkType, resourceType provider.
case libregraph.INTERNAL:
fallthrough
default:
return conversions.NewDeniedRole().CS3ResourcePermissions()
return permissions.NewDeniedRole().CS3ResourcePermissions()
}
}

Expand Up @@ -17,7 +17,7 @@ import (
ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/permissions"
"github.com/cs3org/reva/v3/pkg/appctx"
"github.com/cs3org/reva/v3/pkg/errtypes"
"github.com/cs3org/reva/v3/pkg/spaces"
Expand Down Expand Up @@ -808,7 +808,7 @@ func (s *svc) getLinkUpdates(ctx context.Context, link *linkv1beta1.PublicShare,
if permission.Link != nil && permission.Link.Type != nil {
isEditorLink = permission.Link.GetType() == libregraph.EDIT
} else if link.Permissions != nil {
isEditorLink = conversions.RoleFromResourcePermissions(link.Permissions.Permissions).Name == conversions.RoleEditor
isEditorLink = permissions.RoleFromResourcePermissions(link.Permissions.Permissions).Name == permissions.RoleEditor
}

// Check for update of expiration
10 changes: 5 additions & 5 deletions internal/http/services/owncloud/ocgraph/linktype.go
Expand Up @@ -26,7 +26,7 @@ import (

linkv1beta1 "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/permissions"
"github.com/cs3org/reva/v3/pkg/storage/utils/grants"
libregraph "github.com/owncloud/libre-graph-api-go"
)
Expand Down Expand Up @@ -114,31 +114,31 @@ func NewInternalLinkPermissionSet() *LinkType {
// NewViewLinkPermissionSet creates cs3 permissions for the view link type
func NewViewLinkPermissionSet() *LinkType {
return &LinkType{
Permissions: conversions.NewViewerRole().CS3ResourcePermissions(),
Permissions: permissions.NewViewerRole().CS3ResourcePermissions(),
linkType: libregraph.VIEW,
}
}

// NewFileEditLinkPermissionSet creates cs3 permissions for the file edit link type
func NewFileEditLinkPermissionSet() *LinkType {
return &LinkType{
Permissions: conversions.NewFileEditorRole().CS3ResourcePermissions(),
Permissions: permissions.NewFileEditorRole().CS3ResourcePermissions(),
linkType: libregraph.EDIT,
}
}

// NewFolderEditLinkPermissionSet creates cs3 permissions for the folder edit link type
func NewFolderEditLinkPermissionSet() *LinkType {
return &LinkType{
Permissions: conversions.NewEditorRole().CS3ResourcePermissions(),
Permissions: permissions.NewEditorRole().CS3ResourcePermissions(),
linkType: libregraph.EDIT,
}
}

// NewFolderDropLinkPermissionSet creates cs3 permissions for the folder createOnly link type
func NewFolderDropLinkPermissionSet() *LinkType {
return &LinkType{
Permissions: conversions.NewUploaderRole().CS3ResourcePermissions(),
Permissions: permissions.NewUploaderRole().CS3ResourcePermissions(),
linkType: libregraph.CREATE_ONLY,
}
}
6 changes: 3 additions & 3 deletions internal/http/services/owncloud/ocgraph/shares.go
Expand Up @@ -43,7 +43,7 @@ import (
link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
"github.com/cs3org/reva/v3/internal/http/services/opencloudmesh/ocmd"
"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
"github.com/cs3org/reva/v3/pkg/permissions"
"github.com/cs3org/reva/v3/pkg/appctx"
"github.com/cs3org/reva/v3/pkg/ocm/share"
"github.com/cs3org/reva/v3/pkg/spaces"
Expand Down Expand Up @@ -272,7 +272,7 @@ func (s *svc) share(w http.ResponseWriter, r *http.Request) {
}

// Check that the user has share permissions
if !conversions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(conversions.PermissionShare) {
if !permissions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(permissions.PermissionShare) {
handleCustomError(ctx, errors.New("user does not have share permissions"), http.StatusUnauthorized, w)
return
}
Expand Down Expand Up @@ -411,7 +411,7 @@ func (s *svc) createLink(w http.ResponseWriter, r *http.Request) {
}

// Check that the user has share permissions
if !conversions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(conversions.PermissionShare) {
if !permissions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(permissions.PermissionShare) {
handleCustomError(ctx, errors.New("user does not have the necessary permissions"), http.StatusUnauthorized, w)
return
}
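Review bot: Both share-permission checks answer with `http.StatusUnauthorized` when the caller's role lacks `permissions.PermissionShare`. 401 tells a client to re-authenticate, whereas a caller who is presumably already authenticated and fails an authorization check is conventionally answered with `http.StatusForbidden`. The two handlers also word the same failure differently, `"user does not have share permissions"` in share and `"user does not have the necessary permissions"` in createLink, which makes denied attempts harder to correlate in logs. Since the identical expression now appears at both call sites, a small helper next to the role conversions would keep the check, status code and message from drifting apart. Both function bodies continue outside their hunks.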