mirror of
https://github.com/verdigado/organization_folders.git
synced 2024-11-21 20:28:11 +01:00
finalized ACL management
This commit is contained in:
parent
fdb4b8fc76
commit
22c06b5689
3 changed files with 125 additions and 46 deletions
|
@ -4,6 +4,8 @@ declare(strict_types=1);
|
||||||
|
|
||||||
namespace OCA\OrganizationFolders\Service;
|
namespace OCA\OrganizationFolders\Service;
|
||||||
|
|
||||||
|
use Psr\Container\ContainerInterface;
|
||||||
|
|
||||||
use OCP\AppFramework\Db\TTransactional;
|
use OCP\AppFramework\Db\TTransactional;
|
||||||
use OCP\IDBConnection;
|
use OCP\IDBConnection;
|
||||||
|
|
||||||
|
@ -31,7 +33,7 @@ class OrganizationFolderService {
|
||||||
protected PathManager $pathManager,
|
protected PathManager $pathManager,
|
||||||
protected GroupfolderManager $groupfolderManager,
|
protected GroupfolderManager $groupfolderManager,
|
||||||
protected ACLManager $aclManager,
|
protected ACLManager $aclManager,
|
||||||
protected ResourceService $resourceService,
|
protected ContainerInterface $container,
|
||||||
) {
|
) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -96,6 +98,8 @@ class OrganizationFolderService {
|
||||||
organizationId: $organizationId,
|
organizationId: $organizationId,
|
||||||
);
|
);
|
||||||
|
|
||||||
|
$this->applyPermissions($groupfolderId);
|
||||||
|
|
||||||
return $organizationFolder;
|
return $organizationFolder;
|
||||||
}, $this->db);
|
}, $this->db);
|
||||||
}
|
}
|
||||||
|
@ -107,7 +111,7 @@ class OrganizationFolderService {
|
||||||
?string $organizationProviderId = null,
|
?string $organizationProviderId = null,
|
||||||
?int $organizationId = null
|
?int $organizationId = null
|
||||||
): OrganizationFolder {
|
): OrganizationFolder {
|
||||||
return $this->atomic(function () use ($id, $name, $quota, $organizationProviderId, $organizationId) {
|
$this->atomic(function () use ($id, $name, $quota, $organizationProviderId, $organizationId) {
|
||||||
if(isset($name)) {
|
if(isset($name)) {
|
||||||
$this->folderManager->renameFolder($id, $name);
|
$this->folderManager->renameFolder($id, $name);
|
||||||
}
|
}
|
||||||
|
@ -136,9 +140,11 @@ class OrganizationFolderService {
|
||||||
$this->tagService->update($id, "organization_provider", $organizationProviderId);
|
$this->tagService->update($id, "organization_provider", $organizationProviderId);
|
||||||
$this->tagService->update($id, "organization_id", (string)$organization->getId());
|
$this->tagService->update($id, "organization_id", (string)$organization->getId());
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->find($id);
|
|
||||||
}, $this->db);
|
}, $this->db);
|
||||||
|
|
||||||
|
$this->applyPermissions($id);
|
||||||
|
|
||||||
|
return $this->find($id);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function applyPermissions(int $id) {
|
public function applyPermissions(int $id) {
|
||||||
|
@ -149,7 +155,9 @@ class OrganizationFolderService {
|
||||||
$this->setGroupsAsGroupfolderMembers($organizationFolder->getId(), $memberGroups);
|
$this->setGroupsAsGroupfolderMembers($organizationFolder->getId(), $memberGroups);
|
||||||
$this->setRootFolderACLs($organizationFolder, $memberGroups);
|
$this->setRootFolderACLs($organizationFolder, $memberGroups);
|
||||||
|
|
||||||
return $this->resourceService->setAllFolderResourceAclsInOrganizationFolder($organizationFolder, $memberGroups);
|
/** @var ResourceService */
|
||||||
|
$resourceService = $this->container->get(ResourceService::class);
|
||||||
|
return $resourceService->setAllFolderResourceAclsInOrganizationFolder($organizationFolder, $memberGroups);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function getMemberGroups(OrganizationFolder $organizationFolder) {
|
protected function getMemberGroups(OrganizationFolder $organizationFolder) {
|
||||||
|
|
|
@ -17,7 +17,9 @@ use OCA\OrganizationFolders\Enum\MemberType;
|
||||||
|
|
||||||
class ResourceMemberService {
|
class ResourceMemberService {
|
||||||
public function __construct(
|
public function __construct(
|
||||||
private ResourceMemberMapper $mapper
|
protected ResourceMemberMapper $mapper,
|
||||||
|
protected ResourceService $resourceService,
|
||||||
|
protected OrganizationFolderService $organizationFolderService,
|
||||||
) {
|
) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -48,8 +50,11 @@ class ResourceMemberService {
|
||||||
MemberType $type,
|
MemberType $type,
|
||||||
string $principal
|
string $principal
|
||||||
): ResourceMember {
|
): ResourceMember {
|
||||||
|
$resource = $this->resourceService->find($resourceId);
|
||||||
|
|
||||||
$member = new ResourceMember();
|
$member = new ResourceMember();
|
||||||
$member->setResourceId($resourceId);
|
|
||||||
|
$member->setResourceId($resource->getId());
|
||||||
$member->setPermissionLevel($permissionLevel->value);
|
$member->setPermissionLevel($permissionLevel->value);
|
||||||
$member->setType($type->value);
|
$member->setType($type->value);
|
||||||
|
|
||||||
|
@ -58,7 +63,11 @@ class ResourceMemberService {
|
||||||
$member->setCreatedTimestamp(time());
|
$member->setCreatedTimestamp(time());
|
||||||
$member->setLastUpdatedTimestamp(time());
|
$member->setLastUpdatedTimestamp(time());
|
||||||
|
|
||||||
return $this->mapper->insert($member);
|
$member = $this->mapper->insert($member);
|
||||||
|
|
||||||
|
$this->organizationFolderService->applyPermissions($resource->getOrganizationFolderId());
|
||||||
|
|
||||||
|
return $member;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function update(int $id, ?MemberPermissionLevel $permissionLevel = null, ?MemberType $type = null, ?string $principal = null): ResourceMember {
|
public function update(int $id, ?MemberPermissionLevel $permissionLevel = null, ?MemberType $type = null, ?string $principal = null): ResourceMember {
|
||||||
|
@ -81,7 +90,12 @@ class ResourceMemberService {
|
||||||
$member->setLastUpdatedTimestamp(time());
|
$member->setLastUpdatedTimestamp(time());
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->mapper->update($member);
|
$member = $this->mapper->update($member);
|
||||||
|
|
||||||
|
$resource = $this->resourceService->find($member->getResourceId());
|
||||||
|
$this->organizationFolderService->applyPermissions($resource->getOrganizationFolderId());
|
||||||
|
|
||||||
|
return $member;
|
||||||
} catch (Exception $e) {
|
} catch (Exception $e) {
|
||||||
$this->handleException($e);
|
$this->handleException($e);
|
||||||
}
|
}
|
||||||
|
@ -90,7 +104,12 @@ class ResourceMemberService {
|
||||||
public function delete(int $id): ResourceMember {
|
public function delete(int $id): ResourceMember {
|
||||||
try {
|
try {
|
||||||
$member = $this->mapper->find($id);
|
$member = $this->mapper->find($id);
|
||||||
|
|
||||||
$this->mapper->delete($member);
|
$this->mapper->delete($member);
|
||||||
|
|
||||||
|
$resource = $this->resourceService->find($member->getResourceId());
|
||||||
|
$this->organizationFolderService->applyPermissions($resource->getOrganizationFolderId());
|
||||||
|
|
||||||
return $member;
|
return $member;
|
||||||
} catch (Exception $e) {
|
} catch (Exception $e) {
|
||||||
$this->handleException($e);
|
$this->handleException($e);
|
||||||
|
|
|
@ -4,6 +4,8 @@ namespace OCA\OrganizationFolders\Service;
|
||||||
|
|
||||||
use Exception;
|
use Exception;
|
||||||
|
|
||||||
|
use Psr\Container\ContainerInterface;
|
||||||
|
|
||||||
use OCP\AppFramework\Db\DoesNotExistException;
|
use OCP\AppFramework\Db\DoesNotExistException;
|
||||||
use OCP\AppFramework\Db\MultipleObjectsReturnedException;
|
use OCP\AppFramework\Db\MultipleObjectsReturnedException;
|
||||||
|
|
||||||
|
@ -29,8 +31,9 @@ class ResourceService {
|
||||||
protected PathManager $pathManager,
|
protected PathManager $pathManager,
|
||||||
protected ACLManager $aclManager,
|
protected ACLManager $aclManager,
|
||||||
protected UserMappingManager $userMappingManager,
|
protected UserMappingManager $userMappingManager,
|
||||||
protected ResourceMemberService $resourceMemberService,
|
|
||||||
protected OrganizationProviderManager $organizationProviderManager,
|
protected OrganizationProviderManager $organizationProviderManager,
|
||||||
|
protected OrganizationFolderService $organizationFolderService,
|
||||||
|
protected ContainerInterface $container,
|
||||||
) {
|
) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -120,6 +123,8 @@ class ResourceService {
|
||||||
|
|
||||||
$resource = $this->mapper->insert($resource);
|
$resource = $this->mapper->insert($resource);
|
||||||
|
|
||||||
|
$this->organizationFolderService->applyPermissions($organizationFolderId);
|
||||||
|
|
||||||
return $resource;
|
return $resource;
|
||||||
} else {
|
} else {
|
||||||
throw new ResourceNameNotUnique();
|
throw new ResourceNameNotUnique();
|
||||||
|
@ -187,14 +192,27 @@ class ResourceService {
|
||||||
$resource->setLastUpdatedTimestamp(time());
|
$resource->setLastUpdatedTimestamp(time());
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->mapper->update($resource);
|
$resource = $this->mapper->update($resource);
|
||||||
|
|
||||||
|
$this->organizationFolderService->applyPermissions($resource->getOrganizationFolderId());
|
||||||
|
|
||||||
|
return $resource;
|
||||||
|
|
||||||
// TODO: improve error handing: if db update fails roll back changes in the filesystem
|
// TODO: improve error handing: if db update fails roll back changes in the filesystem
|
||||||
}
|
}
|
||||||
|
|
||||||
public function setAllFolderResourceAclsInOrganizationFolder(OrganizationFolder $organizationFolder, array $inheritingGroups) {
|
public function setAllFolderResourceAclsInOrganizationFolder(OrganizationFolder $organizationFolder, array $inheritingGroups) {
|
||||||
$topLevelFolderResources = $this->findAll($organizationFolder->getId(), null, ["type" => "folder"]);
|
$topLevelFolderResources = $this->findAll($organizationFolder->getId(), null, ["type" => "folder"]);
|
||||||
|
|
||||||
return $this->recursivelySetFolderResourceALCs($topLevelFolderResources, "", $inheritingGroups);
|
$inheritingPrincipals = [];
|
||||||
|
foreach($inheritingGroups as $inheritingGroup) {
|
||||||
|
$inheritingPrincipals[] = [
|
||||||
|
"type" => "group",
|
||||||
|
"groupId" => $inheritingGroup,
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
|
return $this->recursivelySetFolderResourceALCs($topLevelFolderResources, "", $inheritingPrincipals);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -207,23 +225,41 @@ class ResourceService {
|
||||||
* @param array $inheritingGroups
|
* @param array $inheritingGroups
|
||||||
* @psalm-param string[] $inheritingGroups
|
* @psalm-param string[] $inheritingGroups
|
||||||
*/
|
*/
|
||||||
public function recursivelySetFolderResourceALCs(array $folderResources, string $path, array $inheritingGroups) {
|
public function recursivelySetFolderResourceALCs(array $folderResources, string $path, array $inheritingPrincipals) {
|
||||||
foreach($folderResources as $folderResource) {
|
foreach($folderResources as $folderResource) {
|
||||||
$resourceFileId = $folderResource->getFileId();
|
$resourceFileId = $folderResource->getFileId();
|
||||||
$acls = [];
|
$acls = [];
|
||||||
|
|
||||||
// inherit ACLs
|
// inherit ACLs
|
||||||
foreach($inheritingGroups as $inheritingGroup) {
|
foreach($inheritingPrincipals as $inheritingPrincipal) {
|
||||||
$acls[] = new Rule(
|
if($inheritingPrincipal["type"] === "group") {
|
||||||
userMapping: $this->userMappingManager->mappingFromId("group", $inheritingGroup),
|
$acls[] = new Rule(
|
||||||
fileId: $resourceFileId,
|
userMapping: $this->userMappingManager->mappingFromId("group", $inheritingPrincipal["groupId"]),
|
||||||
mask: 31,
|
fileId: $resourceFileId,
|
||||||
permissions: $folderResource->getInheritedAclPermission(),
|
mask: 31,
|
||||||
);
|
permissions: $folderResource->getInheritedAclPermission(),
|
||||||
|
);
|
||||||
|
} else if($inheritingPrincipal["type"] === "user") {
|
||||||
|
$acls[] = new Rule(
|
||||||
|
userMapping: $this->userMappingManager->mappingFromId("user", $inheritingPrincipal["userId"]),
|
||||||
|
fileId: $resourceFileId,
|
||||||
|
mask: 31,
|
||||||
|
permissions: $folderResource->getInheritedAclPermission(),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// inherited principals will affect resources further down, if they have any permissions at this level
|
||||||
|
if($folderResource->getInheritedAclPermission() !== 0) {
|
||||||
|
$nextInheritingPrincipals = $inheritingPrincipals;
|
||||||
|
} else {
|
||||||
|
$nextInheritingPrincipals = [];
|
||||||
}
|
}
|
||||||
|
|
||||||
// member ACLs
|
// member ACLs
|
||||||
$resourceMembers = $this->resourceMemberService->findAll($folderResource->getId());
|
/** @var ResourceService */
|
||||||
|
$resourceMemberService = $this->container->get(ResourceMemberService::class);
|
||||||
|
$resourceMembers = $resourceMemberService->findAll($folderResource->getId());
|
||||||
foreach($resourceMembers as $resourceMember) {
|
foreach($resourceMembers as $resourceMember) {
|
||||||
if($resourceMember->getPermissionLevel() === MemberPermissionLevel::MANAGER->value) {
|
if($resourceMember->getPermissionLevel() === MemberPermissionLevel::MANAGER->value) {
|
||||||
$resourceMemberPermissions = $folderResource->getManagersAclPermission();
|
$resourceMemberPermissions = $folderResource->getManagersAclPermission();
|
||||||
|
@ -233,36 +269,52 @@ class ResourceService {
|
||||||
throw new Exception("invalid resource member permission level");
|
throw new Exception("invalid resource member permission level");
|
||||||
}
|
}
|
||||||
|
|
||||||
if($resourceMember->getType() === MemberType::USER->value) {
|
if($resourceMemberPermissions !== 0) {
|
||||||
$mapping = $this->userMappingManager->mappingFromId("user", $resourceMember->getPrincipal());
|
if($resourceMember->getType() === MemberType::USER->value) {
|
||||||
} else if($resourceMember->getType() === MemberType::GROUP->value) {
|
$mapping = $this->userMappingManager->mappingFromId("user", $resourceMember->getPrincipal());
|
||||||
$mapping = $this->userMappingManager->mappingFromId("group", $resourceMember->getPrincipal());
|
$nextInheritingPrincipals[] = [
|
||||||
} else if($resourceMember->getType() === MemberType::ROLE->value) {
|
"type" => "user",
|
||||||
['organizationProviderId' => $organizationProviderId, 'roleId' => $roleId] = $resourceMember->getParsedPrincipal();
|
"userId" => $resourceMember->getPrincipal(),
|
||||||
|
];
|
||||||
|
} else if($resourceMember->getType() === MemberType::GROUP->value) {
|
||||||
|
$mapping = $this->userMappingManager->mappingFromId("group", $resourceMember->getPrincipal());
|
||||||
|
$nextInheritingPrincipals[] = [
|
||||||
|
"type" => "group",
|
||||||
|
"groupId" => $resourceMember->getPrincipal(),
|
||||||
|
];
|
||||||
|
} else if($resourceMember->getType() === MemberType::ROLE->value) {
|
||||||
|
['organizationProviderId' => $organizationProviderId, 'roleId' => $roleId] = $resourceMember->getParsedPrincipal();
|
||||||
|
|
||||||
$organizationProvider = $this->organizationProviderManager->getOrganizationProvider($organizationProviderId);
|
$organizationProvider = $this->organizationProviderManager->getOrganizationProvider($organizationProviderId);
|
||||||
$role = $organizationProvider->getRole($roleId);
|
$role = $organizationProvider->getRole($roleId);
|
||||||
$mapping = $this->userMappingManager->mappingFromId("group", $role->getMembersGroup());
|
$mapping = $this->userMappingManager->mappingFromId("group", $role->getMembersGroup());
|
||||||
} else {
|
$nextInheritingPrincipals[] = [
|
||||||
throw new Exception("invalid resource member type");
|
"type" => "group",
|
||||||
|
"groupId" => $role->getMembersGroup(),
|
||||||
|
];
|
||||||
|
} else {
|
||||||
|
throw new Exception("invalid resource member type");
|
||||||
|
}
|
||||||
|
|
||||||
|
if(is_null($mapping)) {
|
||||||
|
// TODO: skip member instead of crashing
|
||||||
|
throw new Exception(message: "invalid mapping, likely non-existing group");
|
||||||
|
}
|
||||||
|
|
||||||
|
$acls[] = new Rule(
|
||||||
|
userMapping: $mapping,
|
||||||
|
fileId: $resourceFileId,
|
||||||
|
mask: 31,
|
||||||
|
permissions: $resourceMemberPermissions,
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(is_null($mapping)) {
|
|
||||||
// TODO: skip member instead of crashing
|
|
||||||
throw new Exception(message: "invalid mapping, likely non-existing group");
|
|
||||||
}
|
|
||||||
|
|
||||||
$acls[] = new Rule(
|
|
||||||
userMapping: $mapping,
|
|
||||||
fileId: $resourceFileId,
|
|
||||||
mask: 31,
|
|
||||||
permissions: $resourceMemberPermissions,
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->aclManager->overwriteACLsForFileId($resourceFileId, $acls);
|
$this->aclManager->overwriteACLsForFileId($resourceFileId, $acls);
|
||||||
|
|
||||||
// TODO: recurse sub-resources
|
// recurse sub-resources
|
||||||
|
$subFolderResources = $this->getSubResources($folderResource, ["type" => "folder"]);
|
||||||
|
$this->recursivelySetFolderResourceALCs($subFolderResources, $path . $folderResource->getName() . "/", $nextInheritingPrincipals);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -287,8 +339,8 @@ class ResourceService {
|
||||||
/**
|
/**
|
||||||
* get all direct sub-resources
|
* get all direct sub-resources
|
||||||
*/
|
*/
|
||||||
public function getSubResources(Resource $resource) {
|
public function getSubResources(Resource $resource, array $filters = []) {
|
||||||
return $this->findAll($resource->getOrganizationFolderId(), $resource->getId());
|
return $this->findAll($resource->getOrganizationFolderId(), $resource->getId(), $filters);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
Loading…
Reference in a new issue