Merge pull request #52526 from nextcloud/fix/no-issue/prevent-create-delete-perms-on-file-shares

fix(files_sharing): Prevent create/delete permissions on file shares

apps/files_sharing/src/mixins/ShareDetails.js

@@ -5,6 +5,8 @@
 
 import Share from '../models/Share.ts'
 import Config from '../services/ConfigService.ts'
+import { ATOMIC_PERMISSIONS } from '../lib/SharePermissionsToolBox.js'
+import logger from '../services/logger.ts'
 
 export default {
 	methods: {
@@ -26,6 +28,18 @@ export default {
 				share = this.mapShareRequestToShareObject(shareRequestObject)
 			}
 
+			if (this.fileInfo.type !== 'dir') {
+				const originalPermissions = share.permissions
+				const strippedPermissions = originalPermissions
+					& ~ATOMIC_PERMISSIONS.CREATE
+					& ~ATOMIC_PERMISSIONS.DELETE
+
+				if (originalPermissions !== strippedPermissions) {
+					logger.debug('Removed create/delete permissions from file share (only valid for folders)')
+					share.permissions = strippedPermissions
+				}
+			}
+
 			const shareDetails = {
 				fileInfo: this.fileInfo,
 				share,

apps/files_sharing/src/views/SharingDetailsTab.vue

@@ -38,7 +38,7 @@
 					<NcCheckboxRadioSwitch :button-variant="true"
 						data-cy-files-sharing-share-permissions-bundle="upload-edit"
 						:checked.sync="sharingPermission"
-						:value="bundledPermissions.ALL.toString()"
+						:value="allPermissions"
 						name="sharing_permission_radio"
 						type="radio"
 						button-variant-grouped="vertical"
@@ -400,6 +400,9 @@ export default {
 			}
 			}
 		},
+		allPermissions() {
+			return this.isFolder ? this.bundledPermissions.ALL.toString() : this.bundledPermissions.ALL_FILE.toString()
+		},
 		/**
 		 * Can the sharee edit the shared file ?
 		 */
@@ -712,8 +715,15 @@ export default {
 				[ATOMIC_PERMISSIONS.DELETE]: this.t('files_sharing', 'Delete'),
 			}
 
-			return [ATOMIC_PERMISSIONS.READ, ATOMIC_PERMISSIONS.CREATE, ATOMIC_PERMISSIONS.UPDATE, ...(this.resharingIsPossible ? [ATOMIC_PERMISSIONS.SHARE] : []), ATOMIC_PERMISSIONS.DELETE]
-				.filter((permission) => hasPermissions(this.share.permissions, permission))
+			const permissionsList = [
+				ATOMIC_PERMISSIONS.READ,
+				...(this.isFolder ? [ATOMIC_PERMISSIONS.CREATE] : []),
+				ATOMIC_PERMISSIONS.UPDATE,
+				...(this.resharingIsPossible ? [ATOMIC_PERMISSIONS.SHARE] : []),
+				...(this.isFolder ? [ATOMIC_PERMISSIONS.DELETE] : []),
+			]
+
+			return permissionsList.filter((permission) => hasPermissions(this.share.permissions, permission))
 				.map((permission, index) => index === 0
 					? translatedPermissions[permission]
 					: translatedPermissions[permission].toLocaleLowerCase(getLanguage()))
@@ -831,6 +841,13 @@ export default {
 			isReshareChecked = this.canReshare,
 		} = {}) {
 			// calc permissions if checked
+
+			if (!this.isFolder && (isCreateChecked || isDeleteChecked)) {
+				logger.debug('Ignoring create/delete permissions for file share — only available for folders')
+				isCreateChecked = false
+				isDeleteChecked = false
+			}
+
 			const permissions = 0
 				| (isReadChecked ? ATOMIC_PERMISSIONS.READ : 0)
 				| (isCreateChecked ? ATOMIC_PERMISSIONS.CREATE : 0)

dist/6241-6241.js.map.license

@@ -1 +0,0 @@
-6241-6241.js.license

dist/9134-9134.js.map.license

@@ -0,0 +1 @@
+9134-9134.js.license