feat: Shared drive recipients can modify shared drive members

Author: shepilov

docs/shared-drives.md

@@ -676,10 +676,63 @@ drive.
 The following routes manage share-by-link permissions scoped to files inside a
 shared drive:
 
+- `GET /sharings/drives/:id/permissions?ids=...`
 - `POST /sharings/drives/:id/permissions`
 - `PATCH /sharings/drives/:id/permissions/:perm-id`
 - `DELETE /sharings/drives/:id/permissions/:perm-id`
 
+### GET /sharings/drives/:id/permissions?ids=...
+
+Lists the share-by-link permissions for the requested file or folder IDs inside
+the shared drive.
+
+Authorization rules:
+
+- The shared-drive owner can list all matching links.
+- A write-capable recipient can list writable and read-only links.
+- A read-only recipient only sees read-only links.
+
+Validation:
+
+- `ids` is required and must be a comma-separated list of file or folder IDs.
+- Every requested ID must belong to the shared drive.
+
+Status codes:
+
+- `200 OK` listed
+- `403 Forbidden` caller cannot access shared-drive permissions
+- `422 Unprocessable Entity` missing or invalid `ids`
+
+### POST /sharings/drives/:id/permissions
+
+Creates a share-by-link permission for one file or folder in the shared drive.
+The request body uses the same JSON:API shape as [`POST /permissions`](permissions.md#post-permissions).
+
+Authorization rules:
+
+- The shared-drive owner can create a link.
+- A write-capable recipient can create a link.
+- A read-only recipient cannot create a link.
+
+Validation:
+
+- The permission set must target exactly one file or folder.
+- The target type must be `io.cozy.files`.
+- Selectors are not supported.
+- The target must belong to the shared drive and must be readable by the
+  caller.
+- Only one share-by-link permission can exist per target. A second creation
+  attempt on the same target returns a conflict, regardless of which member
+  created the existing link.
+
+Status codes:
+
+- `200 OK` created
+- `400 Bad Request` invalid permission set or invalid target
+- `403 Forbidden` caller lacks access to the target or is read-only on the
+  shared drive
+- `409 Conflict` a share-by-link permission already exists for this target
+
 ### PATCH /sharings/drives/:id/permissions/:perm-id
 
 Updates an existing share-by-link permission.
@@ -696,12 +749,19 @@ Allowed updates:
 
 - `password`
 - `expires_at`
+- `permissions` (same target only)
 
 Validation:
 
 - `password` must be a string (empty string clears the password).
 - `expires_at` must be a string (empty string clears expiration, otherwise
   RFC3339 date-time).
+- `permissions`, when provided, must still target the same file or folder
+  inside the shared drive.
+- A write-capable creator or the owner can promote a read-only link to a
+  writable link if their current token grants those verbs.
+- A read-only shared-drive recipient cannot patch a permission set to add
+  writable verbs.
 
 Status codes:
 
@@ -721,6 +781,7 @@ Authorization rules:
 - The shared-drive owner can revoke any share-by-link permission.
 - The creator of a share-by-link permission can revoke the permission they
   created.
+- A read-only shared-drive recipient cannot revoke a permission.
 - Public share tokens (`share`, `share-preview`) cannot revoke permissions.
 
 Status codes:
@@ -731,6 +792,23 @@ Status codes:
   to this shared drive
 - `404 Not Found` permission ID does not exist
 
+## Delegated email sharing
+
+Members of a shared drive add new recipients through the sharing API, not
+through a drive-specific route:
+
+- `POST /sharings/:sharing-id/recipients`
+
+When that request is sent from a recipient Cozy, the stack delegates the
+operation to the owner Cozy internally.
+
+Authorization rules:
+
+- The shared-drive owner can add recipients as for any other sharing.
+- A write-capable recipient can invite read-write or read-only recipients.
+- A read-only recipient can invite only read-only recipients.
+- A read-only recipient receives `403 Forbidden` for a read-write invite.
+
 
 ## Versions
 

docs/sharing.md

@@ -1046,9 +1046,13 @@ Content-Type: application/vnd.api+json
 ### POST /sharings/:sharing-id/recipients/delegated
 
 This is an internal route for the stack. It is called by the recipient cozy on
-the owner cozy to add recipients and groups to the sharing (`open_sharing:
-true` only). Data for direct recipients should contain an email address but if
-it is not known, an instance URL can also be provided.
+the owner cozy to add recipients and groups to the sharing. It is used for
+delegated recipient additions from recipient Cozys, including shared-drive
+recipient invitations. Data for direct recipients should contain an email
+address but if it is not known, an instance URL can also be provided. For
+shared drives, each delegated recipient or group can also carry a `read_only`
+flag, and the owner applies the drive-specific reshare rules when processing
+the request.
 
 #### Request
 

model/sharing/member.go

@@ -374,10 +374,14 @@ func (s *Sharing) SendDelegated(inst *instance.Instance, api *APIDelegateAddCont
 		ParseError: ParseRequestError,
 	}
 	res, err := request.Req(opts)
+	originalRes, originalErr := res, err
 	if res != nil && res.StatusCode/100 == 4 {
 		res, err = RefreshToken(inst, res, err, s, &s.Members[0], c, opts, body)
 	}
 	if err != nil {
+		if originalRes != nil && originalRes.StatusCode == http.StatusForbidden {
+			return preserveDelegatedRequestError(originalRes.StatusCode, originalErr)
+		}
 		return err
 	}
 	defer res.Body.Close()
@@ -433,8 +437,33 @@ func (s *Sharing) SendDelegated(inst *instance.Instance, api *APIDelegateAddCont
 	return s.SendInvitationsToMembers(inst, api.members, states)
 }
 
-// AddDelegatedContact adds a contact on the owner cozy, but for a contact from
-// a recipient (open_sharing: true only)
+func preserveDelegatedRequestError(status int, err error) error {
+	reqErr, ok := err.(*request.Error)
+	if !ok {
+		return jsonapi.NewError(status, http.StatusText(status))
+	}
+
+	var payload struct {
+		Errors jsonapi.ErrorList `json:"errors"`
+	}
+	if parseErr := json.Unmarshal([]byte(reqErr.Detail), &payload); parseErr == nil && len(payload.Errors) > 0 {
+		if payload.Errors[0].Status == 0 {
+			payload.Errors[0].Status = status
+		}
+		if payload.Errors[0].Title == "" {
+			payload.Errors[0].Title = http.StatusText(status)
+		}
+		return payload.Errors[0]
+	}
+
+	if reqErr.Detail != "" {
+		return jsonapi.NewError(status, reqErr.Detail)
+	}
+	return jsonapi.NewError(status, http.StatusText(status))
+}
+
+// AddDelegatedContact adds a contact on the owner cozy for a contact proposed
+// by a recipient.
 func (s *Sharing) AddDelegatedContact(inst *instance.Instance, m Member) (string, error) {
 	m.Status = MemberStatusPendingInvitation
 	if m.Instance != "" || m.Email == "" {

web/sharings/drives_permissions_test.go

@@ -355,6 +355,17 @@ func TestSharedDriveShareByLinkCreate(t *testing.T) {
 		deleteSharedDrivePermissionExpectStatus(t, eBetty, f.sharingID, permID, bettyToken, http.StatusNoContent)
 	})
 
+	t.Run("ReadOnlyRecipientCannotCreateShareByLink", func(t *testing.T) {
+		eDave, daveToken := f.newDaveClient(t)
+		sharingID, productID := createReadOnlyDriveForDave(t, f)
+		fileID := createFile(t, f.eOwner, productID, "dave-create-link.txt", f.ownerAppToken)
+		payload := makeSharedDrivePermissionPayload(t, consts.Files, []string{fileID}, "", nil)
+
+		createSharedDrivePermissionExpectStatus(
+			t, eDave, sharingID, daveToken, "readonly-link", "", payload, http.StatusForbidden,
+		)
+	})
+
 	t.Run("FailOnFileOutsideSharedDrive", func(t *testing.T) {
 		payload := makeSharedDrivePermissionPayload(
 			t, consts.Files, []string{f.env.outsideOfShareID}, "", nil,
@@ -1029,6 +1040,24 @@ func TestSharedDriveShareByLinkRevoke(t *testing.T) {
 		deleteSharedDrivePermissionExpectStatus(t, f.eOwner, f.sharingID, permID, f.ownerAppToken, http.StatusNoContent)
 	})
 
+	t.Run("ReadOnlyRecipientCannotRevokePermission", func(t *testing.T) {
+		eDave, daveToken := f.newDaveClient(t)
+		sharingID, productID := createReadOnlyDriveForDave(t, f)
+		fileID := createFile(t, f.eOwner, productID, "dave-revoke-link.txt", f.ownerAppToken)
+		permID, _ := createSharedDrivePermission(
+			t,
+			f.eOwner,
+			sharingID,
+			f.ownerAppToken,
+			"readonly-link",
+			"",
+			makeSharedDrivePermissionPayload(t, consts.Files, []string{fileID}, "", nil),
+		)
+
+		deleteSharedDrivePermissionExpectStatus(t, eDave, sharingID, permID, daveToken, http.StatusForbidden)
+		deleteSharedDrivePermissionExpectStatus(t, f.eOwner, sharingID, permID, f.ownerAppToken, http.StatusNoContent)
+	})
+
 	t.Run("PublicShareTokenCannotRevokePermission", func(t *testing.T) {
 		payload := makeSharedDrivePermissionPayload(t, consts.Files, []string{f.fileID}, "", nil)
 		permID, attrs := createSharedDrivePermission(