Merge pull request #11931 from kobergj/ExternalSharerPermission

kobergj · web-flow · commit ca799c653fab · 2026-01-22T13:41:53.000+01:00
[OCISDEV-454] Add Permission to allow external shares
diff --git a/changelog/unreleased/external-shares-permission.md b/changelog/unreleased/external-shares-permission.md
@@ -0,0 +1,5 @@
+Enhancement: Introduce external shares permission
+
+Introduces a permission allowing to share between instances in multi-instance ocis. This permission is by default added to the admin and space-admin role.
+
+https://github.com/owncloud/ocis/pull/11931
diff --git a/services/graph/pkg/service/v0/api_driveitem_permissions.go b/services/graph/pkg/service/v0/api_driveitem_permissions.go
@@ -69,8 +69,9 @@ type DriveItemPermissionsProvider interface {
 // DriveItemPermissionsService contains the production business logic for everything that relates to permissions on drive items.
 type DriveItemPermissionsService struct {
 	BaseGraphService
-	tp              trace.TracerProvider
-	identityBackend identity.Backend
+	tp                         trace.TracerProvider
+	identityBackend            identity.Backend
+	hasExternalSharePermission externalSharePermissionChecker
 }
 
 type permissionType int
@@ -83,17 +84,26 @@ const (
 	OCM
 )
 
+// supposed to return true if the user can share to users from other instances (multi-instance only)
+type externalSharePermissionChecker func(context.Context) bool
+
 // NewDriveItemPermissionsService creates a new DriveItemPermissionsService
-func NewDriveItemPermissionsService(logger log.Logger, gatewaySelector pool.Selectable[gateway.GatewayAPIClient], identityCache identity.IdentityCache, config *config.Config, tp trace.TracerProvider, be identity.Backend) (DriveItemPermissionsService, error) {
+func NewDriveItemPermissionsService(logger log.Logger, gatewaySelector pool.Selectable[gateway.GatewayAPIClient], identityCache identity.IdentityCache, config *config.Config, tp trace.TracerProvider, be identity.Backend, espc externalSharePermissionChecker) (DriveItemPermissionsService, error) {
+	f := func(context.Context) bool { return false }
+	if espc != nil {
+		f = espc
+	}
+
 	return DriveItemPermissionsService{
 		BaseGraphService: BaseGraphService{
 			logger:          &log.Logger{Logger: logger.With().Str("graph api", "DrivesDriveItemService").Logger()},
 			gatewaySelector: gatewaySelector,
 			identityCache:   identityCache,
 			config:          config,
 		},
-		tp:              tp,
-		identityBackend: be,
+		tp:                         tp,
+		identityBackend:            be,
+		hasExternalSharePermission: f,
 	}, nil
 }
 
@@ -193,7 +203,7 @@ func (s DriveItemPermissionsService) Invite(ctx context.Context, resourceId *sto
 	default:
 		user, err := s.identityCache.GetUser(ctx, objectID)
 		if errors.Is(err, identity.ErrNotFound) {
-			if s.config.MultiInstance.Enabled {
+			if s.config.MultiInstance.Enabled && s.hasExternalSharePermission(ctx) {
 				user, err = s.identityBackend.AddUser(ctx, objectID, s.config.MultiInstance.InstanceID)
 			}
 			if s.config.IncludeOCMSharees && err != nil {
diff --git a/services/graph/pkg/service/v0/api_driveitem_permissions_links_test.go b/services/graph/pkg/service/v0/api_driveitem_permissions_links_test.go
@@ -55,7 +55,7 @@ var _ = Describe("createLinkTests", func() {
 		cache := identity.NewIdentityCache(identity.IdentityCacheWithGatewaySelector(gatewaySelector))
 
 		cfg := defaults.FullDefaultConfig()
-		svc, err = service.NewDriveItemPermissionsService(logger, gatewaySelector, cache, cfg, otel.GetTracerProvider(), nil)
+		svc, err = service.NewDriveItemPermissionsService(logger, gatewaySelector, cache, cfg, otel.GetTracerProvider(), nil, nil)
 		Expect(err).ToNot(HaveOccurred())
 		driveItemId = &provider.ResourceId{
 			StorageId: "1",
diff --git a/services/graph/pkg/service/v0/api_driveitem_permissions_test.go b/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
@@ -80,7 +80,7 @@ var _ = Describe("DriveItemPermissionsService", func() {
 		cfg.UnifiedRoles.AvailableRoles = slices.DeleteFunc(cfg.UnifiedRoles.AvailableRoles, func(s string) bool {
 			return s == unifiedrole.UnifiedRoleSecureViewerID
 		})
-		service, err := svc.NewDriveItemPermissionsService(logger, gatewaySelector, cache, cfg, otel.GetTracerProvider(), nil)
+		service, err := svc.NewDriveItemPermissionsService(logger, gatewaySelector, cache, cfg, otel.GetTracerProvider(), nil, nil)
 		Expect(err).ToNot(HaveOccurred())
 		driveItemPermissionsService = service
 		ctx = revactx.ContextSetUser(context.Background(), currentUser)
@@ -270,7 +270,7 @@ var _ = Describe("DriveItemPermissionsService", func() {
 				// remove SecureViewer from allowed roles for this unit test
 				return s == unifiedrole.UnifiedRoleSecureViewerID
 			})
-			service, err := svc.NewDriveItemPermissionsService(log.NewLogger(), gatewaySelector, cache, cfg, otel.GetTracerProvider(), nil)
+			service, err := svc.NewDriveItemPermissionsService(log.NewLogger(), gatewaySelector, cache, cfg, otel.GetTracerProvider(), nil, nil)
 			Expect(err).ToNot(HaveOccurred())
 
 			driveItemInvite.Roles = []string{unifiedrole.UnifiedRoleViewerID, unifiedrole.UnifiedRoleSecureViewerID}
diff --git a/services/graph/pkg/service/v0/service.go b/services/graph/pkg/service/v0/service.go
@@ -213,7 +213,7 @@ func NewService(opts ...Option) (Graph, error) { //nolint:maintidx
 		return svc, err
 	}
 
-	driveItemPermissionsService, err := NewDriveItemPermissionsService(options.Logger, options.GatewaySelector, identityCache, options.Config, options.TraceProvider, svc.identityBackend)
+	driveItemPermissionsService, err := NewDriveItemPermissionsService(options.Logger, options.GatewaySelector, identityCache, options.Config, options.TraceProvider, svc.identityBackend, svc.contextUserHasExternalSharePermission)
 	if err != nil {
 		return svc, err
 	}
diff --git a/services/graph/pkg/service/v0/users.go b/services/graph/pkg/service/v0/users.go
@@ -210,6 +210,22 @@ func (g Graph) contextUserHasFullAccountPerms(reqctx context.Context) bool {
 	return true
 }
 
+func (g Graph) contextUserHasExternalSharePermission(reqctx context.Context) bool {
+	// mostly copied from the canCreateSpace method
+	pr, err := g.permissionsService.GetPermissionByID(reqctx, &settingssvc.GetPermissionByIDRequest{
+		PermissionId: defaults.CreateExternalSharePermission(0).Id,
+	})
+	if err != nil || pr.Permission == nil {
+		return false
+	}
+
+	if pr.Permission.Constraint != defaults.All {
+		return false
+	}
+
+	return true
+}
+
 // UserWithAttributes is a wrapper for the User type that includes attributes.
 // Attributes are a list of attributes that are displayed in the user search results.
 type UserWithAttributes struct {
@@ -361,7 +377,7 @@ func (g Graph) GetUsers(w http.ResponseWriter, r *http.Request) {
 	username, instancename := g.parseExternalSearch(odataReq)
 
 	switch {
-	case username != "" && instancename != "":
+	case username != "" && instancename != "" && g.contextUserHasExternalSharePermission(r.Context()):
 		users = make([]*libregraph.User, 1)
 		users[0], err = g.identityBackend.GetPreciseUser(r.Context(), username, instancename, odataReq)
 	case odataReq.Query.Filter != nil:
diff --git a/services/settings/pkg/store/defaults/defaults.go b/services/settings/pkg/store/defaults/defaults.go
@@ -114,6 +114,7 @@ func generateBundleAdminRole() *settingsmsg.Bundle {
 			AccountManagementPermission(All),
 			AutoAcceptSharesPermission(Own),
 			ChangeLogoPermission(All),
+			CreateExternalSharePermission(All),
 			CreatePublicLinkPermission(All),
 			CreateSharePermission(All),
 			CreateSpacesPermission(All),
@@ -158,6 +159,7 @@ func generateBundleSpaceAdminRole() *settingsmsg.Bundle {
 		},
 		Settings: []*settingsmsg.Setting{
 			AutoAcceptSharesPermission(Own),
+			CreateExternalSharePermission(All),
 			CreatePublicLinkPermission(All),
 			CreateSharePermission(All),
 			CreateSpacesPermission(All),
diff --git a/services/settings/pkg/store/defaults/permissions.go b/services/settings/pkg/store/defaults/permissions.go
@@ -67,6 +67,25 @@ func ChangeLogoPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Sett
 	}
 }
 
+// CreateExternalSharePermission is the permission to create shares to other instances (Multi-Instance only)
+func CreateExternalSharePermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
+	return &settingsmsg.Setting{
+		Id:          "5c03dc05-0bef-4b30-8ee6-e5a51713fd3a",
+		Name:        "ExternalShare.Write",
+		DisplayName: "Write external share",
+		Description: "This permission allows creating shares to users on other instances.",
+		Resource: &settingsmsg.Resource{
+			Type: settingsmsg.Resource_TYPE_SHARE,
+		},
+		Value: &settingsmsg.Setting_PermissionValue{
+			PermissionValue: &settingsmsg.Permission{
+				Operation:  settingsmsg.Permission_OPERATION_WRITE,
+				Constraint: c,
+			},
+		},
+	}
+}
+
 // CreatePublicLinkPermission is the permission to create public links
 func CreatePublicLinkPermission(c settingsmsg.Permission_Constraint) *settingsmsg.Setting {
 	return &settingsmsg.Setting{

Original file line number	Diff line number	Diff line change
`@@ -213,7 +213,7 @@ func NewService(opts ...Option) (Graph, error) { //nolint:maintidx`
`213`	`213`	`return svc, err`
`214`	`214`	`}`
`215`	`215`
`216`		`- driveItemPermissionsService, err := NewDriveItemPermissionsService(options.Logger, options.GatewaySelector, identityCache, options.Config, options.TraceProvider, svc.identityBackend)`
	`216`	`+ driveItemPermissionsService, err := NewDriveItemPermissionsService(options.Logger, options.GatewaySelector, identityCache, options.Config, options.TraceProvider, svc.identityBackend, svc.contextUserHasExternalSharePermission)`
`217`	`217`	`if err != nil {`
`218`	`218`	`return svc, err`
`219`	`219`	`}`