mirror of
https://github.com/verdigado/organization_folders.git
synced 2024-11-27 15:10:26 +01:00
first draft of ACL rule management
This commit is contained in:
parent
5a2f872b2d
commit
f652b13dd3
6 changed files with 223 additions and 17 deletions
|
@ -24,6 +24,7 @@
|
||||||
<command>OCA\OrganizationFolders\Command\OrganizationFolder\CreateOrganizationFolder</command>
|
<command>OCA\OrganizationFolders\Command\OrganizationFolder\CreateOrganizationFolder</command>
|
||||||
<command>OCA\OrganizationFolders\Command\OrganizationFolder\UpdateOrganizationFolder</command>
|
<command>OCA\OrganizationFolders\Command\OrganizationFolder\UpdateOrganizationFolder</command>
|
||||||
<command>OCA\OrganizationFolders\Command\OrganizationFolder\RemoveOrganizationFolder</command>
|
<command>OCA\OrganizationFolders\Command\OrganizationFolder\RemoveOrganizationFolder</command>
|
||||||
|
<command>OCA\OrganizationFolders\Command\OrganizationFolder\FixACLsOfOrganizationFolder</command>
|
||||||
<command>OCA\OrganizationFolders\Command\Resource\CreateResource</command>
|
<command>OCA\OrganizationFolders\Command\Resource\CreateResource</command>
|
||||||
<command>OCA\OrganizationFolders\Command\Resource\ListResources</command>
|
<command>OCA\OrganizationFolders\Command\Resource\ListResources</command>
|
||||||
<command>OCA\OrganizationFolders\Command\ResourceMember\CreateResourceMember</command>
|
<command>OCA\OrganizationFolders\Command\ResourceMember\CreateResourceMember</command>
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace OCA\OrganizationFolders\Command\OrganizationFolder;
|
||||||
|
|
||||||
|
use OCP\DB\Exception;
|
||||||
|
use Symfony\Component\Console\Input\InputArgument;
|
||||||
|
use Symfony\Component\Console\Input\InputInterface;
|
||||||
|
use Symfony\Component\Console\Output\OutputInterface;
|
||||||
|
|
||||||
|
use OCA\OrganizationFolders\Command\BaseCommand;
|
||||||
|
|
||||||
|
class FixACLsOfOrganizationFolder extends BaseCommand {
|
||||||
|
protected function configure(): void {
|
||||||
|
$this
|
||||||
|
->setName('organization-folders:recreate-acls')
|
||||||
|
->setDescription('Ensures all ACLs of organization folder are correctly set. Should not be neccessary to run unless ACL rules have been modified accidentally by an admin as ACLs will be created/modified automatically as resources are changed')
|
||||||
|
->addArgument('id', InputArgument::REQUIRED, 'Id of the organization folder');
|
||||||
|
}
|
||||||
|
|
||||||
|
protected function execute(InputInterface $input, OutputInterface $output): int {
|
||||||
|
$id = (int)$input->getArgument('id');
|
||||||
|
|
||||||
|
try {
|
||||||
|
$output->writeln(var_dump($this->organizationFolderService->applyPermissions($id)));
|
||||||
|
|
||||||
|
$output->writeln("done");
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
} catch (Exception $e) {
|
||||||
|
$output->writeln("<error>Exception \"{$e->getMessage()}\" at {$e->getFile()} line {$e->getLine()}</error>");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -42,7 +42,7 @@ class ResourceMapper extends QBMapper {
|
||||||
/* @var $qb IQueryBuilder */
|
/* @var $qb IQueryBuilder */
|
||||||
$qb = $this->db->getQueryBuilder();
|
$qb = $this->db->getQueryBuilder();
|
||||||
|
|
||||||
$qb->select('resource.*', 'folder.members_acl_permission', 'folder.managers_acl_permission', 'folder.inherited_acl_permission')
|
$qb->select('resource.*', 'folder.members_acl_permission', 'folder.managers_acl_permission', 'folder.inherited_acl_permission', 'folder.file_id')
|
||||||
->from(self::RESOURCES_TABLE, "resource")
|
->from(self::RESOURCES_TABLE, "resource")
|
||||||
->where($qb->expr()->eq('id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT)));
|
->where($qb->expr()->eq('id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT)));
|
||||||
|
|
||||||
|
@ -56,21 +56,27 @@ class ResourceMapper extends QBMapper {
|
||||||
* @param int $parentResourceId
|
* @param int $parentResourceId
|
||||||
* @return array
|
* @return array
|
||||||
*/
|
*/
|
||||||
public function findAll(int $organizationFolderId, ?int $parentResourceId = null): array {
|
public function findAll(int $organizationFolderId, ?int $parentResourceId = null, array $filters = []): array {
|
||||||
/* @var $qb IQueryBuilder */
|
/* @var $qb IQueryBuilder */
|
||||||
$qb = $this->db->getQueryBuilder();
|
$qb = $this->db->getQueryBuilder();
|
||||||
|
|
||||||
$qb->select('resource.*', 'folder.members_acl_permission', 'folder.managers_acl_permission', 'folder.inherited_acl_permission')
|
$qb->select('resource.*', 'folder.members_acl_permission', 'folder.managers_acl_permission', 'folder.inherited_acl_permission', 'folder.file_id')
|
||||||
->from(self::RESOURCES_TABLE, "resource")
|
->from(self::RESOURCES_TABLE, "resource")
|
||||||
->where($qb->expr()->eq('organization_folder_id', $qb->createNamedParameter($organizationFolderId, IQueryBuilder::PARAM_INT)));
|
->where($qb->expr()->eq('organization_folder_id', $qb->createNamedParameter($organizationFolderId, IQueryBuilder::PARAM_INT)));
|
||||||
|
|
||||||
if(is_null($parentResourceId)) {
|
if(is_null($parentResourceId)) {
|
||||||
$qb->andWhere($qb->expr()->isNull('parent_resource'));
|
$qb->andWhere($qb->expr()->isNull('resource.parent_resource'));
|
||||||
} else {
|
} else {
|
||||||
$qb->andWhere($qb->expr()->eq('parent_resource', $qb->createNamedParameter($parentResourceId, IQueryBuilder::PARAM_INT)));
|
$qb->andWhere($qb->expr()->eq('resource.parent_resource', $qb->createNamedParameter($parentResourceId, IQueryBuilder::PARAM_INT)));
|
||||||
}
|
}
|
||||||
|
|
||||||
$qb->leftJoin('resource', self::FOLDER_RESOURCES_TABLE, 'folder', $qb->expr()->eq('resource.id', 'folder.resource_id'),);
|
$folderJoinCondition = $qb->expr()->eq('resource.id', 'folder.resource_id');
|
||||||
|
if(isset($filters["type"]) && $filters["type"] === "folder") {
|
||||||
|
$qb->andWhere($qb->expr()->eq('resource.type', $qb->createNamedParameter("folder")));
|
||||||
|
$qb->innerJoin('resource', self::FOLDER_RESOURCES_TABLE, 'folder', $folderJoinCondition);
|
||||||
|
} else {
|
||||||
|
$qb->leftJoin('resource', self::FOLDER_RESOURCES_TABLE, 'folder', $folderJoinCondition);
|
||||||
|
}
|
||||||
|
|
||||||
return $this->findEntities($qb);
|
return $this->findEntities($qb);
|
||||||
}
|
}
|
||||||
|
|
41
lib/Manager/PathManager.php
Normal file
41
lib/Manager/PathManager.php
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace OCA\OrganizationFolders\Manager;
|
||||||
|
|
||||||
|
use OCP\IConfig;
|
||||||
|
use OCP\Files\IRootFolder;
|
||||||
|
use OCP\Files\Node;
|
||||||
|
use OCP\Files\Folder;
|
||||||
|
|
||||||
|
use OCA\GroupFolders\Folder\FolderManager;
|
||||||
|
use OCA\GroupFolders\Mount\MountProvider;
|
||||||
|
|
||||||
|
use OCA\OrganizationFolders\Db\FolderResource;
|
||||||
|
use OCA\OrganizationFolders\Model\OrganizationFolder;
|
||||||
|
|
||||||
|
class PathManager {
|
||||||
|
public function __construct(
|
||||||
|
private IConfig $config,
|
||||||
|
private IRootFolder $rootFolder,
|
||||||
|
private FolderManager $groupfolderFolderManager,
|
||||||
|
private MountProvider $mountProvider,
|
||||||
|
){}
|
||||||
|
|
||||||
|
private function getRootFolderStorageId(): ?int {
|
||||||
|
return $this->rootFolder->getMountPoint()->getNumericStorageId();
|
||||||
|
}
|
||||||
|
|
||||||
|
public function getOrganizationFolderNode(OrganizationFolder $organizationFolder): ?Folder {
|
||||||
|
return $this->getOrganizationFolderNodeById($organizationFolder->getId());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function getOrganizationFolderNodeById(int $id): ?Folder {
|
||||||
|
return $this->mountProvider->getFolder($id, False);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function getFolderResourceNode(FolderResource $resource): ?Folder {
|
||||||
|
$organizationFolderNode = $this->getOrganizationFolderNodeById($resource->getOrganizationFolderId());
|
||||||
|
|
||||||
|
return $organizationFolderNode->getFirstNodeById($resource->getFileId());
|
||||||
|
}
|
||||||
|
}
|
|
@ -9,19 +9,29 @@ use OCP\IDBConnection;
|
||||||
|
|
||||||
use OCA\GroupFolders\Folder\FolderManager;
|
use OCA\GroupFolders\Folder\FolderManager;
|
||||||
use OCA\GroupfolderTags\Service\TagService;
|
use OCA\GroupfolderTags\Service\TagService;
|
||||||
|
use OCA\GroupFolders\ACL\UserMapping\UserMappingManager;
|
||||||
|
use OCA\GroupFolders\ACL\Rule;
|
||||||
|
|
||||||
use OCA\OrganizationFolders\Errors\OrganizationFolderNotFound;
|
use OCA\OrganizationFolders\Errors\OrganizationFolderNotFound;
|
||||||
use OCA\OrganizationFolders\Model\OrganizationFolder;
|
use OCA\OrganizationFolders\Model\OrganizationFolder;
|
||||||
use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager;
|
use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager;
|
||||||
|
use OCA\OrganizationFolders\Manager\PathManager;
|
||||||
|
use OCA\OrganizationFolders\Manager\GroupfolderManager;
|
||||||
|
use OCA\OrganizationFolders\Manager\ACLManager;
|
||||||
|
|
||||||
class OrganizationFolderService {
|
class OrganizationFolderService {
|
||||||
use TTransactional;
|
use TTransactional;
|
||||||
|
|
||||||
public function __construct(
|
public function __construct(
|
||||||
private IDBConnection $db,
|
protected IDBConnection $db,
|
||||||
private FolderManager $folderManager,
|
protected FolderManager $folderManager,
|
||||||
private TagService $tagService,
|
protected UserMappingManager $userMappingManager,
|
||||||
private OrganizationProviderManager $organizationProviderManager,
|
protected TagService $tagService,
|
||||||
|
protected OrganizationProviderManager $organizationProviderManager,
|
||||||
|
protected PathManager $pathManager,
|
||||||
|
protected GroupfolderManager $groupfolderManager,
|
||||||
|
protected ACLManager $aclManager,
|
||||||
|
protected ResourceService $resourceService,
|
||||||
) {
|
) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -132,7 +142,60 @@ class OrganizationFolderService {
|
||||||
}
|
}
|
||||||
|
|
||||||
public function applyPermissions(int $id) {
|
public function applyPermissions(int $id) {
|
||||||
|
$organizationFolder = $this->find($id);
|
||||||
|
|
||||||
|
$memberGroups = $this->getMemberGroups($organizationFolder);
|
||||||
|
|
||||||
|
$this->setGroupsAsGroupfolderMembers($organizationFolder->getId(), $memberGroups);
|
||||||
|
$this->setRootFolderACLs($organizationFolder, $memberGroups);
|
||||||
|
|
||||||
|
return $this->resourceService->setAllFolderResourceAclsInOrganizationFolder($organizationFolder, $memberGroups);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected function getMemberGroups(OrganizationFolder $organizationFolder) {
|
||||||
|
// TODO: fetch member groups, for now only use organization members
|
||||||
|
$memberGroups = [];
|
||||||
|
|
||||||
|
if(!is_null($organizationFolder->getOrganizationProvider()) && !is_null($organizationFolder->getOrganizationId())) {
|
||||||
|
$organizationProvider = $this->organizationProviderManager->getOrganizationProvider($organizationFolder->getOrganizationProvider());
|
||||||
|
$organization = $organizationProvider->getOrganization($organizationFolder->getOrganizationId());
|
||||||
|
|
||||||
|
$memberGroups[] = $organization->getMembersGroup();
|
||||||
|
}
|
||||||
|
|
||||||
|
return $memberGroups;
|
||||||
|
}
|
||||||
|
|
||||||
|
protected function setGroupsAsGroupfolderMembers($groupfolderId, array $groups) {
|
||||||
|
$groupfolderMembers = [];
|
||||||
|
|
||||||
|
foreach($groups as $group) {
|
||||||
|
$groupfolderMembers[] = [
|
||||||
|
"group_id" => $group,
|
||||||
|
"permissions" => \OCP\Constants::PERMISSION_ALL,
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
|
return $this->groupfolderManager->overwriteMemberGroups($groupfolderId, $groupfolderMembers);
|
||||||
|
}
|
||||||
|
/**
|
||||||
|
* In the root folder of an organization folder only resource folders can exist
|
||||||
|
* To prevent adding files there all member groups of the groupfolder need to have a read-only ACL rule on the root folder
|
||||||
|
*/
|
||||||
|
protected function setRootFolderACLs(OrganizationFolder $organizationFolder, $groups) {
|
||||||
|
$folderNode = $this->pathManager->getOrganizationFolderNode($organizationFolder);
|
||||||
|
$fileId = $folderNode->getId();
|
||||||
|
|
||||||
|
$acls = [];
|
||||||
|
foreach($groups as $group) {
|
||||||
|
$acls[] = new Rule(userMapping: $this->userMappingManager->mappingFromId("group", $group),
|
||||||
|
fileId: $fileId,
|
||||||
|
mask: 31,
|
||||||
|
permissions: 1,
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->aclManager->overwriteACLsForFileId($fileId, $acls);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function remove($id): void {
|
public function remove($id): void {
|
||||||
|
|
|
@ -7,21 +7,30 @@ use Exception;
|
||||||
use OCP\AppFramework\Db\DoesNotExistException;
|
use OCP\AppFramework\Db\DoesNotExistException;
|
||||||
use OCP\AppFramework\Db\MultipleObjectsReturnedException;
|
use OCP\AppFramework\Db\MultipleObjectsReturnedException;
|
||||||
|
|
||||||
|
use OCA\GroupFolders\ACL\UserMapping\UserMappingManager;
|
||||||
|
use OCA\GroupFolders\ACL\Rule;
|
||||||
|
|
||||||
use OCA\OrganizationFolders\Db\Resource;
|
use OCA\OrganizationFolders\Db\Resource;
|
||||||
use OCA\OrganizationFolders\Db\FolderResource;
|
use OCA\OrganizationFolders\Db\FolderResource;
|
||||||
use OCA\OrganizationFolders\Db\ResourceMapper;
|
use OCA\OrganizationFolders\Db\ResourceMapper;
|
||||||
|
use OCA\OrganizationFolders\Model\OrganizationFolder;
|
||||||
use OCA\OrganizationFolders\Errors\InvalidResourceType;
|
use OCA\OrganizationFolders\Errors\InvalidResourceType;
|
||||||
use OCA\OrganizationFolders\Errors\ResourceNotFound;
|
use OCA\OrganizationFolders\Errors\ResourceNotFound;
|
||||||
use OCA\OrganizationFolders\Errors\ResourceNameNotUnique;
|
use OCA\OrganizationFolders\Errors\ResourceNameNotUnique;
|
||||||
|
use OCA\OrganizationFolders\Manager\PathManager;
|
||||||
|
use OCA\OrganizationFolders\Manager\ACLManager;
|
||||||
|
|
||||||
class ResourceService {
|
class ResourceService {
|
||||||
public function __construct(
|
public function __construct(
|
||||||
private ResourceMapper $mapper
|
private ResourceMapper $mapper,
|
||||||
|
private PathManager $pathManager,
|
||||||
|
protected ACLManager $aclManager,
|
||||||
|
private UserMappingManager $userMappingManager,
|
||||||
) {
|
) {
|
||||||
}
|
}
|
||||||
|
|
||||||
public function findAll(int $organizationFolderId, int $parentResourceId = null) {
|
public function findAll(int $organizationFolderId, int $parentResourceId = null, array $filters = []) {
|
||||||
return $this->mapper->findAll($organizationFolderId, $parentResourceId);
|
return $this->mapper->findAll($organizationFolderId, $parentResourceId, $filters);
|
||||||
}
|
}
|
||||||
|
|
||||||
private function handleException(Exception $e, int $id): void {
|
private function handleException(Exception $e, int $id): void {
|
||||||
|
@ -46,7 +55,7 @@ class ResourceService {
|
||||||
string $type,
|
string $type,
|
||||||
int $organizationFolderId,
|
int $organizationFolderId,
|
||||||
string $name,
|
string $name,
|
||||||
?int $parentResource = null,
|
?int $parentResourceId = null,
|
||||||
bool $active = true,
|
bool $active = true,
|
||||||
|
|
||||||
?int $membersAclPermission = null,
|
?int $membersAclPermission = null,
|
||||||
|
@ -59,18 +68,35 @@ class ResourceService {
|
||||||
throw new InvalidResourceType($type);
|
throw new InvalidResourceType($type);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!$this->mapper->existsWithName($organizationFolderId, $parentResource, $name)) {
|
if(!$this->mapper->existsWithName($organizationFolderId, $parentResourceId, $name)) {
|
||||||
$resource->setOrganizationFolderId($organizationFolderId);
|
$resource->setOrganizationFolderId($organizationFolderId);
|
||||||
$resource->setName($name);
|
$resource->setName($name);
|
||||||
$resource->setParentResource($parentResource);
|
|
||||||
$resource->setActive($active);
|
$resource->setActive($active);
|
||||||
$resource->setLastUpdatedTimestamp(time());
|
$resource->setLastUpdatedTimestamp(time());
|
||||||
|
|
||||||
|
if(isset($parentResourceId)) {
|
||||||
|
$parentResource = $this->find($parentResourceId);
|
||||||
|
|
||||||
|
$resource->setParentResource($parentResource->getId());
|
||||||
|
|
||||||
|
$parentNode = $this->pathManager->getFolderResourceNode($parentResource);
|
||||||
|
} else {
|
||||||
|
$parentNode = $this->pathManager->getOrganizationFolderNodeById($organizationFolderId);
|
||||||
|
}
|
||||||
|
|
||||||
if($type === "folder") {
|
if($type === "folder") {
|
||||||
|
$resourceNode = $parentNode->newFolder($name);
|
||||||
|
$fileId = $resourceNode->getId();
|
||||||
|
|
||||||
|
if($fileId === -1) {
|
||||||
|
throw new Exception("Unknown error occured while creating resource folder");
|
||||||
|
}
|
||||||
|
|
||||||
if(isset($membersAclPermission, $managersAclPermission, $inheritedAclPermission)) {
|
if(isset($membersAclPermission, $managersAclPermission, $inheritedAclPermission)) {
|
||||||
$resource->setMembersAclPermission($membersAclPermission);
|
$resource->setMembersAclPermission($membersAclPermission);
|
||||||
$resource->setManagersAclPermission($managersAclPermission);
|
$resource->setManagersAclPermission($managersAclPermission);
|
||||||
$resource->setInheritedAclPermission($inheritedAclPermission);
|
$resource->setInheritedAclPermission($inheritedAclPermission);
|
||||||
|
$resource->setFileId($fileId);
|
||||||
} else {
|
} else {
|
||||||
throw new \InvalidArgumentException("Folder specific parameters must be included, when creating a resource of type folder");
|
throw new \InvalidArgumentException("Folder specific parameters must be included, when creating a resource of type folder");
|
||||||
}
|
}
|
||||||
|
@ -137,6 +163,41 @@ class ResourceService {
|
||||||
return $this->mapper->update($resource);
|
return $this->mapper->update($resource);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function setAllFolderResourceAclsInOrganizationFolder(OrganizationFolder $organizationFolder, array $inheritingGroups) {
|
||||||
|
$topLevelFolderResources = $this->findAll($organizationFolder->getId(), null, ["type" => "folder"]);
|
||||||
|
|
||||||
|
return $this->recursivelySetFolderResourceALCs($topLevelFolderResources, "", $inheritingGroups);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Recursively overwrite ACL rules for an array of folder resources
|
||||||
|
*
|
||||||
|
* @param array $folderResources
|
||||||
|
* @psalm-param FolderResource[] $folderResources
|
||||||
|
* @param string $path
|
||||||
|
* @psalm-param string $path
|
||||||
|
* @param array $inheritingGroups
|
||||||
|
* @psalm-param string[] $inheritingGroups
|
||||||
|
*/
|
||||||
|
public function recursivelySetFolderResourceALCs(array $folderResources, string $path, array $inheritingGroups) {
|
||||||
|
foreach($folderResources as $folderResource) {
|
||||||
|
$resourceFileId = $folderResource->getFileId();
|
||||||
|
$acls = [];
|
||||||
|
|
||||||
|
foreach($inheritingGroups as $inheritingGroup) {
|
||||||
|
$acls[] = new Rule(userMapping: $this->userMappingManager->mappingFromId("group", $inheritingGroup),
|
||||||
|
fileId: $resourceFileId,
|
||||||
|
mask: 31,
|
||||||
|
permissions: $folderResource->getInheritedAclPermission(),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->aclManager->overwriteACLsForFileId($resourceFileId, $acls);
|
||||||
|
|
||||||
|
// TODO: recurse sub-resources
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public function delete(int $id): Resource {
|
public function delete(int $id): Resource {
|
||||||
try {
|
try {
|
||||||
$resource = $this->mapper->find($id);
|
$resource = $this->mapper->find($id);
|
||||||
|
|
Loading…
Reference in a new issue