cozy
diff --git a/‎docs/shared-drives.md‎
Lines changed: 78 additions & 0 deletions b/‎docs/shared-drives.md‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎docs/sharing.md‎
Lines changed: 7 additions & 3 deletions b/‎docs/sharing.md‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎model/permission/permissions.go‎
Lines changed: 72 additions & 2 deletions b/‎model/permission/permissions.go‎
Lines changed: 72 additions & 2 deletions
diff --git a/‎model/permission/permissions_test.go‎
Lines changed: 9 additions & 9 deletions b/‎model/permission/permissions_test.go‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎model/sharing/member.go‎
Lines changed: 31 additions & 2 deletions b/‎model/sharing/member.go‎
Lines changed: 31 additions & 2 deletions
diff --git a/‎web/permissions/permissions.go‎
Lines changed: 12 additions & 3 deletions b/‎web/permissions/permissions.go‎
Lines changed: 12 additions & 3 deletions
@@ -676,10 +676,63 @@ drive.
 The following routes manage share-by-link permissions scoped to files inside a
 shared drive:
 
+- `GET /sharings/drives/:id/permissions?ids=...`
 - `POST /sharings/drives/:id/permissions`
 - `PATCH /sharings/drives/:id/permissions/:perm-id`
 - `DELETE /sharings/drives/:id/permissions/:perm-id`
 
+### GET /sharings/drives/:id/permissions?ids=...
+
+Lists the share-by-link permissions for the requested file or folder IDs inside
+the shared drive.
+
+Authorization rules:
+
+- The shared-drive owner can list all matching links.
+- A write-capable recipient can list writable and read-only links.
+- A read-only recipient only sees read-only links.
+
+Validation:
+
+- `ids` is required and must be a comma-separated list of file or folder IDs.
+- Every requested ID must belong to the shared drive.
+
+Status codes:
+
+- `200 OK` listed
+- `403 Forbidden` caller cannot access shared-drive permissions
+- `422 Unprocessable Entity` missing or invalid `ids`
+
+### POST /sharings/drives/:id/permissions
+
+Creates a share-by-link permission for one file or folder in the shared drive.
+The request body uses the same JSON:API shape as [`POST /permissions`](permissions.md#post-permissions).
+
+Authorization rules:
+
+- The shared-drive owner can create a link.
+- A write-capable recipient can create a link.
+- A read-only recipient cannot create a link.
+
+Validation:
+
+- The permission set must target exactly one file or folder.
+- The target type must be `io.cozy.files`.
+- Selectors are not supported.
+- The target must belong to the shared drive and must be readable by the
+  caller.
+- Only one share-by-link permission can exist per target. A second creation
+  attempt on the same target returns a conflict, regardless of which member
+  created the existing link.
+
+Status codes:
+
+- `200 OK` created
+- `400 Bad Request` invalid permission set or invalid target
+- `403 Forbidden` caller lacks access to the target or is read-only on the
+  shared drive
+- `409 Conflict` a share-by-link permission already exists for this target
+
 ### PATCH /sharings/drives/:id/permissions/:perm-id
 
 Updates an existing share-by-link permission.
@@ -696,12 +749,19 @@ Allowed updates:
 
 - `password`
 - `expires_at`
+- `permissions` (same target only)
 
 Validation:
 
 - `password` must be a string (empty string clears the password).
 - `expires_at` must be a string (empty string clears expiration, otherwise
   RFC3339 date-time).
+- `permissions`, when provided, must still target the same file or folder
+  inside the shared drive.
+- A write-capable creator or the owner can promote a read-only link to a
+  writable link if their current token grants those verbs.
+- A read-only shared-drive recipient cannot patch a permission set to add
+  writable verbs.
 
 Status codes:
 
@@ -721,6 +781,7 @@ Authorization rules:
 - The shared-drive owner can revoke any share-by-link permission.
 - The creator of a share-by-link permission can revoke the permission they
   created.
+- A read-only shared-drive recipient cannot revoke a permission.
 - Public share tokens (`share`, `share-preview`) cannot revoke permissions.
 
 Status codes:
@@ -731,6 +792,23 @@ Status codes:
   to this shared drive
 - `404 Not Found` permission ID does not exist
 
+## Delegated email sharing
+
+Members of a shared drive add new recipients through the sharing API, not
+through a drive-specific route:
+
+- `POST /sharings/:sharing-id/recipients`
+
+When that request is sent from a recipient Cozy, the stack delegates the
+operation to the owner Cozy internally.
+
+Authorization rules:
+
+- The shared-drive owner can add recipients as for any other sharing.
+- A write-capable recipient can invite read-write or read-only recipients.
+- A read-only recipient can invite only read-only recipients.
+- A read-only recipient receives `403 Forbidden` for a read-write invite.
+
 
 ## Versions
 
 
@@ -1046,9 +1046,13 @@ Content-Type: application/vnd.api+json
 ### POST /sharings/:sharing-id/recipients/delegated
 
 This is an internal route for the stack. It is called by the recipient cozy on
-the owner cozy to add recipients and groups to the sharing (`open_sharing:
-true` only). Data for direct recipients should contain an email address but if
-it is not known, an instance URL can also be provided.
+the owner cozy to add recipients and groups to the sharing. It is used for
+delegated recipient additions from recipient Cozys, including shared-drive
+recipient invitations. Data for direct recipients should contain an email
+address but if it is not known, an instance URL can also be provided. For
+shared drives, each delegated recipient or group can also carry a `read_only`
+flag, and the owner applies the drive-specific reshare rules when processing
+the request.
 
 #### Request
 
 
@@ -492,7 +492,7 @@ func updateAppSet(db prefixer.Prefixer, doc *Permission, typ, docType, slug stri
 	return doc, nil
 }
 
-func checkSetPermissions(set Set, parent *Permission) error {
+func CheckSetPermissions(set Set, parent *Permission) error {
 	if parent.Type != TypeWebapp &&
 		parent.Type != TypeKonnector &&
 		parent.Type != TypeOauth &&
@@ -557,7 +557,7 @@ func CreateShareSet(
 ) (*Permission, error) {
 	set := subdoc.Permissions
 	if !skipValidation {
-		if err := checkSetPermissions(set, parent); err != nil {
+		if err := CheckSetPermissions(set, parent); err != nil {
 			return nil, err
 		}
 	}
@@ -723,6 +723,76 @@ func GetPermissionsForIDs(db prefixer.Prefixer, doctype string, ids []string) (m
 	return result, nil
 }
 
+// GetShareByLinkPermissionsForTargets returns share-by-link permission docs for
+// the given target documents. Results are grouped by target ID. The underlying
+// view emits one row per rule/value, so permissions are deduplicated by
+// permission ID within each target.
+func GetShareByLinkPermissionsForTargets(
+	db prefixer.Prefixer,
+	doctype string,
+	ids []string,
+) (map[string][]*Permission, error) {
+	if len(ids) == 0 {
+		return map[string][]*Permission{}, nil
+	}
+
+	keys := make([]interface{}, len(ids))
+	for i, id := range ids {
+		keys[i] = []string{doctype, "_id", id}
+	}
+
+	var res struct {
+		Rows []struct {
+			ID  string          `json:"id"`
+			Key []string        `json:"key"`
+			Doc json.RawMessage `json:"doc"`
+		} `json:"rows"`
+	}
+	err := couchdb.ExecView(db, couchdb.PermissionsShareByDocView, &couchdb.ViewRequest{
+		Keys:        keys,
+		IncludeDocs: true,
+	}, &res)
+	if err != nil {
+		return nil, err
+	}
+
+	permsByTarget := make(map[string][]*Permission, len(keys))
+	seen := make(map[string]struct{}, len(res.Rows))
+	for _, row := range res.Rows {
+		if len(row.Key) < 3 || len(row.Doc) == 0 {
+			continue
+		}
+
+		targetID := row.Key[2]
+		seenKey := targetID + "\x00" + row.ID
+		if _, ok := seen[seenKey]; ok {
+			continue
+		}
+		seen[seenKey] = struct{}{}
+
+		perm := &Permission{}
+		if err := json.Unmarshal(row.Doc, perm); err != nil {
+			return nil, err
+		}
+		permsByTarget[targetID] = append(permsByTarget[targetID], perm)
+	}
+
+	return permsByTarget, nil
+}
+
+// GetShareByLinkPermissionsForTarget returns share-by-link permission docs for a single target document.
+func GetShareByLinkPermissionsForTarget(
+	db prefixer.Prefixer,
+	doctype string,
+	id string,
+) ([]*Permission, error) {
+	permsByTarget, err := GetShareByLinkPermissionsForTargets(db, doctype, []string{id})
+	if err != nil {
+		return nil, err
+	}
+	return permsByTarget[id], nil
+}
+
 // GetPermissionsByDoctype returns the list of all permissions of the given
 // type (shared-with-me by example) that have at least one rule for the given
 // doctype. The cursor will be modified in place.
 
@@ -369,27 +369,27 @@ func TestShareSetPermissions(t *testing.T) {
 	setEvents := Set{Rule{Type: "io.cozy.events"}}
 
 	parent := &Permission{Type: TypeCLI, Permissions: setEvents}
-	err := checkSetPermissions(setFiles, parent)
+	err := CheckSetPermissions(setFiles, parent)
 	assert.Error(t, err)
 
 	parent.Type = TypeWebapp
-	err = checkSetPermissions(setFiles, parent)
+	err = CheckSetPermissions(setFiles, parent)
 	assert.Error(t, err)
 
 	parent.Permissions = setFiles
-	err = checkSetPermissions(setFiles, parent)
+	err = CheckSetPermissions(setFiles, parent)
 	assert.NoError(t, err)
 
 	parent.Type = TypeShareInteract
-	err = checkSetPermissions(setFiles, parent)
+	err = CheckSetPermissions(setFiles, parent)
 	assert.NoError(t, err)
 
 	parent.Type = TypeWebapp
-	err = checkSetPermissions(setFilesWildCard, parent)
+	err = CheckSetPermissions(setFilesWildCard, parent)
 	assert.Error(t, err)
 
 	parent.Permissions = setFilesWildCard
-	err = checkSetPermissions(setFilesWildCard, parent)
+	err = CheckSetPermissions(setFilesWildCard, parent)
 	assert.NoError(t, err)
 
 	// share-interact subset ignores selector/values and only checks type+verbs,
@@ -408,18 +408,18 @@ func TestShareSetPermissions(t *testing.T) {
 			Values:   []string{"drive-root-id"},
 		}},
 	}
-	err = checkSetPermissions(childFileRule, parent)
+	err = CheckSetPermissions(childFileRule, parent)
 	assert.NoError(t, err)
 
 	// For non share-interact parents, values remain part of subset checks.
 	parent.Type = TypeWebapp
-	err = checkSetPermissions(childFileRule, parent)
+	err = CheckSetPermissions(childFileRule, parent)
 	assert.Error(t, err)
 
 	// share-interact still enforces verbs coverage.
 	parent.Type = TypeShareInteract
 	childFileRule[0].Verbs = Verbs(POST)
-	err = checkSetPermissions(childFileRule, parent)
+	err = CheckSetPermissions(childFileRule, parent)
 	assert.Error(t, err)
 }
 
 
@@ -374,10 +374,14 @@ func (s *Sharing) SendDelegated(inst *instance.Instance, api *APIDelegateAddCont
 		ParseError: ParseRequestError,
 	}
 	res, err := request.Req(opts)
+	originalRes, originalErr := res, err
 	if res != nil && res.StatusCode/100 == 4 {
 		res, err = RefreshToken(inst, res, err, s, &s.Members[0], c, opts, body)
 	}
 	if err != nil {
+		if originalRes != nil && originalRes.StatusCode == http.StatusForbidden {
+			return preserveDelegatedRequestError(originalRes.StatusCode, originalErr)
+		}
 		return err
 	}
 	defer res.Body.Close()
@@ -433,8 +437,33 @@ func (s *Sharing) SendDelegated(inst *instance.Instance, api *APIDelegateAddCont
 	return s.SendInvitationsToMembers(inst, api.members, states)
 }
 
-// AddDelegatedContact adds a contact on the owner cozy, but for a contact from
-// a recipient (open_sharing: true only)
+func preserveDelegatedRequestError(status int, err error) error {
+	reqErr, ok := err.(*request.Error)
+	if !ok {
+		return jsonapi.NewError(status, http.StatusText(status))
+	}
+
+	var payload struct {
+		Errors jsonapi.ErrorList `json:"errors"`
+	}
+	if parseErr := json.Unmarshal([]byte(reqErr.Detail), &payload); parseErr == nil && len(payload.Errors) > 0 {
+		if payload.Errors[0].Status == 0 {
+			payload.Errors[0].Status = status
+		}
+		if payload.Errors[0].Title == "" {
+			payload.Errors[0].Title = http.StatusText(status)
+		}
+		return payload.Errors[0]
+	}
+
+	if reqErr.Detail != "" {
+		return jsonapi.NewError(status, reqErr.Detail)
+	}
+	return jsonapi.NewError(status, http.StatusText(status))
+}
+
+// AddDelegatedContact adds a contact on the owner cozy for a contact proposed
+// by a recipient.
 func (s *Sharing) AddDelegatedContact(inst *instance.Instance, m Member) (string, error) {
 	m.Status = MemberStatusPendingInvitation
 	if m.Instance != "" || m.Email == "" {
 
@@ -138,6 +138,8 @@ type CreateShareByLinkOptions struct {
 	ValidatePermissions ValidatePermissionsFn
 	// controls whether CreateShareSet's standard permission validation is skipped.
 	SkipValidation bool
+	// overrides the app slug stored in metadata.
+	CreatorSlug *string
 	// overrides the creator domain stored in metadata.
 	CreatorDomain *string
 }
@@ -171,9 +173,12 @@ func HandleCreateShareByLink(c echo.Context, inst *instance.Instance, opts Creat
 	}
 
 	var slug string
+	if opts.CreatorSlug != nil {
+		slug = *opts.CreatorSlug
+	}
 	sourceID := parent.SourceID
 	// Check if the permission is linked to an OAuth Client
-	if parent.Client != nil {
+	if slug == "" && parent.Client != nil {
 		oauthClient := parent.Client.(*oauth.Client)
 		if slug = oauth.GetLinkedAppSlug(oauthClient.SoftwareID); slug != "" {
 			// Changing the sourceID from the OAuth clientID to the classic
@@ -185,8 +190,12 @@ func HandleCreateShareByLink(c echo.Context, inst *instance.Instance, opts Creat
 	// Getting the slug from the token if it has not been retrieved before
 	// with the linkedapp
 	if slug == "" {
-		claims := c.Get("claims").(permission.Claims)
-		slug = claims.Subject
+		if claims, ok := c.Get("claims").(permission.Claims); ok {
+			switch claims.AudienceString() {
+			case consts.AppAudience, consts.KonnectorAudience, consts.AccessTokenAudience:
+				slug = claims.Subject
+			}
+		}
 	}
 
 	names := strings.Split(c.QueryParam("codes"), ",")