fix: fix deny access to prevent a regression

[micbar]

Regression in ocis 7.0.0-rc.3

After updating an ocis 5.0.9 to ocis 7.0.0-rc.3, existing denials are breaking the web client.

Related Issue

• Fixes <issue_link>

Motivation and Context

How Has This Been Tested?

• test environment:
• test case 1:
• test case 2:
• ...

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Technical debt
• Tests only (no source changes)

Checklist:

• Code changes
• Unit tests added
• Acceptance tests added
• Documentation ticket raised:

[update-docs]

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

[ScharfViktor]

• TODO check deny feature during the upgrade test between 5.0.0 and 7.0.0
• put FRONTEND_OCS_ENABLE_DENIALS to deprecated envs
• enable e2e test https://github.com/owncloud/web/blob/master/tests/e2e/cucumber/features/shares/denyShareAccess.feature

[mmattel]

If this gets merged, I will do the needed translation on transifex for the new strings.

Note, if TX needs to be added quickly befor final releasing, one needs to initiate a manualy sync, I will do the TX and another sync needs to be done. Then all is up to date.

[ScharfViktor]

tested:

• creating/changing/deleting share with role cannot access - works correct
• user can see/change/delete cannot access share which was created in 5.0 version

remarks:

• 500 error when deleting deny share (was created in version 5.0) but looks like works -> user recipient can see resource
  steps:
  • switch ocis version 5
  • admin creates folder and shares folder to Users group
  • admin shares folder to einstein with denied role
  • upgrade ocis to version 7
  • admin deletes denied role
    log:
    {"level":"error","service":"sharing","pkg":"rgrpc","traceid":"56df2dfcf09102480861bcf5efb79e17","hostname":"","userID":"9955764e-d4f7-4191-96ea-7d559e8f7955","shareID":"b1b4a413-4987-45ed-8cee-986911d246cd:9955764e-d4f7-4191-96ea-7d559e8f7955:fa3ce1ec-9cd8-475e-80f9-053e86c1c836","error":"error: already exists: already exists","time":"2024-11-22T17:23:14+01:00","message":"persisting removed share failed"}

@micbar today I saw that you had similar issue and fixed it. it was case with project space - it works

• no german translation

• user can see activity of the denied resource
• sse events in this case work correct but confuse users. If we deny access -> user gets notification that resource was shared but user doesn't see resource. If we delete cannot access - user see notification that share was deleted and user can see resource.
• user can search by denied resource and cannot create resource with same name - existing bugs User doesn't get correct message if he creates resource with same of denied resource name web#9029 Denial of access to a resource. User can find denied resource #6288

[micbar]

@micbar today I saw that you had similar issue and fixed it. it was case with project space - it works

Correct. That was a general issue with sharing and has been fixed in reva cs3org/reva#4968.

Needs a reva bump to arrive in ocis master.

[micbar]

@rhafer Not the "nicest" solution, I admit.

We have the contract with the clients that we

• either set a value on roles
• or set a value on @libre.graph.permissions.actions

That means, if we disable the role "RoleDenied" and have existing shares, we need to return at least a hint to the user.

Fine for me, if you want to solve it differently.

[micbar]

After discussion with @butonic and @kobergj we decided to return none in that case.

[micbar]

Important Info: We decided long ago, that we will only go with a "full denial", we do not intend to think about negative permissions in the future. So my assumption here is valid.

[mmattel]

• put FRONTEND_OCS_ENABLE_DENIALS to deprecated envs

Before merging, if the var has been deprecated, please run make -C docs docs-generate to add the changed env_vars.yaml to the PR. I need to do afterwards with a separate PR the changed envvar magic... 😅

[micbar]

Before merging, if the var has been deprecated, please run make -C docs docs-generate to add the changed env_vars.yaml to the PR. I need to do afterwards with a separate PR the changed envvar magic... 😅

Needs to be discussed with @kobergj

We deprecated the whole OCS Api with 5.0.0.

I would have removed it already but the clients were not able to move to the LibreGraph API in time.

[butonic]

We deprecated the whole OCS Api with 5.0.0.

7.0.0?

[micbar]

We deprecated the whole OCS Api with 5.0.0.

7.0.0?

5.0.0

https://doc.owncloud.com/ocis_release_notes.html#deprecation-announcements

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud