Allow to patch password/expires_at for permissions

cozy · Jan 9, 2025 · 411b5ca · 411b5ca
1 parent 953a478
commit 411b5ca
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 8 deletions.
diff --git a/docs/permissions.md b/docs/permissions.md
@@ -57,7 +57,7 @@ Some known types:
 -   `io.cozy.jobs` and `io.cozy.triggers`, for [jobs](jobs.md)
 -   `io.cozy.oauth.clients`, to list and revoke [OAuth 2 clients](auth.md)
 
-It is also possible to use a wildcard to use a doctype and its sub-doctypes if 
+It is also possible to use a wildcard to use a doctype and its sub-doctypes if
 the doctype contains at least 3 `.`.
 For example, `io.cozy.bank.*` will give access to `io.cozy.bank`,
 `io.cozy.bank.accounts`, `io.cozy.bank.accounts.stats`,
@@ -444,6 +444,34 @@ Accept: application/vnd.api+json
 }
 ```
 
+#### Request to update the password and the expiration date of the sharing link
+
+```http
+PATCH /permissions/a340d5e0-d647-11e6-b66c-5fc9ce1e17c6 HTTP/1.1
+Host: cozy.example.net
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
+Content-Type: application/vnd.api+json
+Accept: application/vnd.api+json
+```
+
+```json
+{
+    "data": {
+        "id": "a340d5e0-d647-11e6-b66c-5fc9ce1e17c6",
+        "type": "io.cozy.permissions",
+        "attributes": {
+            "password": "NewPassword",
+            "expires_at": "2025-01-01T00:00:00Z"
+        },
+        "cozyMetadata": {
+            "doctypeVersion": 1,
+            "metadataVersion": 1,
+            "updatedAt": "2019-05-14T12:00:37.372193145+02:00"
+        }
+    }
+}
+```
+
 #### Request to add permissions
 
 ```http

diff --git a/web/permissions/permissions.go b/web/permissions/permissions.go
@@ -357,19 +357,36 @@ func patchPermission(getPerms getPermsFunc, paramName string) echo.HandlerFunc {
 		patchSet := patch.Permissions != nil && len(patch.Permissions) > 0
 		patchCodes := len(patch.Codes) > 0
 
-		if patchCodes == patchSet {
-			return ErrPatchCodeOrSet
-		}
-
 		toPatch, err := getPerms(instance, c.Param(paramName))
 		if err != nil {
 			return err
 		}
 
-		if patchCodes {
-			if !current.CanUpdateShareByLink(toPatch) {
-				return permission.ErrNotParent
+		if !patchSet && !current.CanUpdateShareByLink(toPatch) {
+			return permission.ErrNotParent
+		}
+
+		if patchCodes == patchSet {
+			if patchSet {
+				return ErrPatchCodeOrSet
+			}
+			if patch.Password == nil && patch.ExpiresAt == nil {
+				return ErrPatchCodeOrSet
 			}
+		}
+
+		if pass, _ := patch.Password.(string); pass != "" {
+			hash, err := crypto.GenerateFromPassphrase([]byte(pass))
+			if err != nil {
+				return err
+			}
+			toPatch.Password = hash
+		}
+		if patch.ExpiresAt != nil {
+			toPatch.ExpiresAt = patch.ExpiresAt
+		}
+
+		if patchCodes {
 			toPatch.PatchCodes(patch.Codes)
 		}
 
@@ -406,6 +423,11 @@ func patchPermission(getPerms getPermsFunc, paramName string) echo.HandlerFunc {
 			return err
 		}
 
+		// Don't send the password hash to the client
+		if toPatch.Password != nil {
+			toPatch.Password = true
+		}
+
 		return jsonapi.Data(c, http.StatusOK, &APIPermission{toPatch, nil}, nil)
 	}
 }