[OCM] User can share resource to federated user with permission roles that is not allowed

[PrajwolAmatya]

Describe the bug

When sharing a resource to a federated user with permissions role Secure Viewer via API, the federated user can access to the share.
When enabling all the permissions role , the enabled permissions role are not available on UI as they are filtered out and only two permissions Can View and Can edit are available.

But the behavior is different with API, resources can be shared with permissions role Secure Viewer.

Steps to reproduce

1. Enable all permissions role
2. Local user Alice creates a file textfile.txt
3. Alilce shares the file with permissions role Secure Viewer to federated user Brian via API
4. Brian lists the shares sharedWithMe

curl -kv -XGET https://localhost:10200/graph/v1beta1/me/drives/sharedWithMe -ubrian:1234

Expected behavior

The resource shared with permissions role Secure Viewer should not be shared with user Brian and the resource should not be listed for user Brian.

Actual behavior

The response sharedWithMe lists the shared resource.

{
    "value": [
        {
            "@UI.Hidden": false,
            "@client.synchronize": false,
            "createdBy": {
                "user": {
                    "@libre.graph.userType": "Federated",
                    "displayName": "Alice Hansen",
                    "id": "NzQ5ZDQyYzQtMDMyNy00N2M0LWI3NTktYTJhYTBlZTgyNzhmQGh0dHBzOi8vbG9jYWxob3N0OjkyMDA="
                }
            },
            "eTag": "\"f4482cf1698e402631f3e20ed292a042\"",
            "file": {
                "mimeType": "text/plain"
            },
            "id": "89f37a33-858b-45fa-8890-a1f2b27d90e1$89f37a33-858b-45fa-8890-a1f2b27d90e1!b8d7d7e5-4a55-4f3d-b076-7aad894c966d",
            "lastModifiedDateTime": "2025-01-02T15:25:55+05:45",
            "name": "textfile.txt",
            "parentReference": {
                "driveId": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668",
                "driveType": "virtual",
                "id": "a0ca6a90-a365-4782-871e-d44447bbc668$a0ca6a90-a365-4782-871e-d44447bbc668!a0ca6a90-a365-4782-871e-d44447bbc668"
            },
            "remoteItem": {
                "createdBy": {
                    "user": {
                        "@libre.graph.userType": "Federated",
                        "displayName": "Alice Hansen",
                        "id": "NzQ5ZDQyYzQtMDMyNy00N2M0LWI3NTktYTJhYTBlZTgyNzhmQGh0dHBzOi8vbG9jYWxob3N0OjkyMDA="
                    }
                },
                "eTag": "\"f4482cf1698e402631f3e20ed292a042\"",
                "file": {
                    "mimeType": "text/plain"
                },
                "id": "89f37a33-858b-45fa-8890-a1f2b27d90e1$59d9dc0e-d57d-4bfa-a10f-70dfad83924e!L3RleHRmaWxlLnR4dA==",
                "lastModifiedDateTime": "2025-01-02T15:25:55+05:45",
                "name": "textfile.txt",
                "permissions": [
                    {
                        "createdDateTime": "2025-01-02T15:25:56.322654426+05:45",
                        "grantedToV2": {
                            "user": {
                                "@libre.graph.userType": "Member",
                                "displayName": "Brian Murphy",
                                "id": "ae36eccb-8ec5-42ef-8ca9-8ad92659e4b3"
                            }
                        },
                        "id": "59d9dc0e-d57d-4bfa-a10f-70dfad83924e",
                        "invitation": {
                            "invitedBy": {
                                "user": {
                                    "@libre.graph.userType": "Federated",
                                    "displayName": "Alice Hansen",
                                    "id": "NzQ5ZDQyYzQtMDMyNy00N2M0LWI3NTktYTJhYTBlZTgyNzhmQGh0dHBzOi8vbG9jYWxob3N0OjkyMDA="
                                }
                            }
                        }
                    }
                ],
                "size": 12
            },
            "size": 12
        }
    ]
}

Also, for user Brian the share is accessed with PROPFIND request:

curl https://localhost:10200/remote.php/dav/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1%2478b71658-af19-4a88-998d-dd77438a841b\!L3RleHRmaWxlLnR4dA%3D%3D -XPROPFIND -ubrian:1234 -kv

<d:multistatus
	xmlns:s="http://sabredav.org/ns"
	xmlns:d="DAV:"
	xmlns:oc="http://owncloud.org/ns">
	<d:response>
		<d:href>/remote.php/dav/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1$78b71658-af19-4a88-998d-dd77438a841b%21L3RleHRmaWxlLnR4dA==</d:href>
		<d:propstat>
			<d:prop>
				<oc:id>89f37a33-858b-45fa-8890-a1f2b27d90e1$78b71658-af19-4a88-998d-dd77438a841b!L3RleHRmaWxlLnR4dA==</oc:id>
				<oc:fileid>89f37a33-858b-45fa-8890-a1f2b27d90e1$78b71658-af19-4a88-998d-dd77438a841b!L3RleHRmaWxlLnR4dA==</oc:fileid>
				<oc:spaceid>89f37a33-858b-45fa-8890-a1f2b27d90e1$78b71658-af19-4a88-998d-dd77438a841b</oc:spaceid>
				<oc:name>textfile.txt</oc:name>
				<d:displayname>textfile.txt</d:displayname>
				<d:getetag>"91af43b815f5adb7d53b810f4bcb844f"</d:getetag>
				<oc:permissions></oc:permissions>
				<d:resourcetype></d:resourcetype>
				<d:getcontentlength>12</d:getcontentlength>
				<d:getcontenttype>text/plain</d:getcontenttype>
				<d:getlastmodified>Thu, 02 Jan 2025 09:57:00 GMT</d:getlastmodified>
				<oc:checksums>
					<oc:checksum>SHA1:94e66df8cd09d410c62d9e0dc59d3a884e458e05 MD5:989* Connection #0 to host localhost left intact
3532233caff98cd083a116b013c0b ADLER32:1ec804d0</oc:checksum>
				</oc:checksum>
			</oc:checksums>
			<oc:favorite>0</oc:favorite>
		</d:prop>
		<d:status>HTTP/1.1 200 OK</d:status>
	</d:propstat>
	<d:propstat>
		<d:prop>
			<oc:file-parent></oc:file-parent>
		</d:prop>
		<d:status>HTTP/1.1 404 Not Found</d:status>
	</d:propstat>
</d:response>undefined</d:multistatus>

Federated user cannot download this share shared with Secure Viewer.
Reported in: #10822