diff --git a/changelog/unreleased/correctly-deny.md b/changelog/unreleased/correctly-deny.md
new file mode 100644
index 0000000000..26dab16b12
--- /dev/null
+++ b/changelog/unreleased/correctly-deny.md
@@ -0,0 +1,5 @@
+Bugfix: Deny correctlty in decomposedfs
+
+Decomposedfs had problems denying resources for groups. This is now fixed
+
+https://github.com/cs3org/reva/pull/3823
diff --git a/pkg/storage/utils/decomposedfs/node/node.go b/pkg/storage/utils/decomposedfs/node/node.go
index c802ebfa1e..bd3726e7bc 100644
--- a/pkg/storage/utils/decomposedfs/node/node.go
+++ b/pkg/storage/utils/decomposedfs/node/node.go
@@ -1046,19 +1046,46 @@ func (n *Node) ReadUserPermissions(ctx context.Context, u *userpb.User) (ap prov
 
 // IsDenied checks if the node was denied to that user
 func (n *Node) IsDenied(ctx context.Context) bool {
-	u := ctxpkg.ContextMustGetUser(ctx)
-	userace := prefixes.GrantUserAcePrefix + u.Id.OpaqueId
-	g, err := n.ReadGrant(ctx, userace)
-	switch {
-	case err == nil:
-		// If all permissions are set to false we have a deny grant
-		return grants.PermissionsEqual(g.Permissions, &provider.ResourcePermissions{})
-	case metadata.IsAttrUnset(err):
-		return false
-	default:
+	gs, err := n.ListGrants(ctx)
+	if err != nil {
 		// be paranoid, resource is denied
 		return true
 	}
+
+	u := ctxpkg.ContextMustGetUser(ctx)
+	isExecutant := func(g *provider.Grantee) bool {
+		switch g.GetType() {
+		case provider.GranteeType_GRANTEE_TYPE_USER:
+			return g.GetUserId().GetOpaqueId() == u.GetId().GetOpaqueId()
+		case provider.GranteeType_GRANTEE_TYPE_GROUP:
+			// check gid
+			gid := g.GetGroupId().GetOpaqueId()
+			for _, group := range u.Groups {
+				if gid == group {
+					return true
+				}
+
+			}
+			return false
+		default:
+			return false
+		}
+
+	}
+
+	for _, g := range gs {
+		if !isExecutant(g.Grantee) {
+			continue
+		}
+
+		if grants.PermissionsEqual(g.Permissions, &provider.ResourcePermissions{}) {
+			// resource is denied
+			return true
+		}
+	}
+
+	// no deny grants
+	return false
 }
 
 // ListGrantees lists the grantees of the current node
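Review bot: The doc comment on IsDenied no longer describes the function: it now inspects every grant on the node whose grantee is the user in ctx or one of that user's groups, and a single all-false grant among them denies regardless of any other grant that allows, so I would replace the comment with `// IsDenied reports whether the node carries a deny grant (all permissions false) for the user in ctx or any of the user's groups; such a grant wins over other grants, and a failure to list grants is treated as denied.` The error path also changed silently: the removed code returned false when the grant attribute was unset (metadata.IsAttrUnset), whereas the new code returns true for any ListGrants error, so if ListGrants (outside this hunk) surfaces a node without any grant attributes as an error, every unshared node becomes denied — worth confirming, and worth a comment on the `if err != nil` branch either way. A smaller point of style: the blank lines before the closing braces of the `for _, group := range u.Groups` loop and of the isExecutant literal carry no meaning and can be dropped.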