check CreateContainer permission when creating space

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>
cs3org · Feb 21, 2022 · 8beb33a · 8beb33a
1 parent 78d32d3
commit 8beb33a
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/pkg/storage/utils/decomposedfs/recycle_test.go b/pkg/storage/utils/decomposedfs/recycle_test.go
@@ -47,7 +47,7 @@ var _ = Describe("Recycle", func() {
 		When("a user deletes files from the same space", func() {
 
 			BeforeEach(func() {
-				// in this scenario user "userid" has this permissions:
+				// in this scenario user "u-s-e-r-id" has this permissions:
 				registerPermissions(env.Permissions, "u-s-e-r-id", &provider.ResourcePermissions{
 					InitiateFileUpload: true,
 					Delete:             true,
@@ -132,7 +132,7 @@ var _ = Describe("Recycle", func() {
 					Username: "anotherusername",
 				})
 
-				// in this scenario user "userid" has this permissions:
+				// in this scenario user "u-s-e-r-id" has this permissions:
 				registerPermissions(env.Permissions, "u-s-e-r-id", &provider.ResourcePermissions{
 					InitiateFileUpload: true,
 					Delete:             true,
@@ -244,7 +244,7 @@ var _ = Describe("Recycle", func() {
 				Expect(err).ToNot(HaveOccurred())
 				Expect(projectID).ToNot(BeNil())
 
-				// in this scenario user "userid" has this permissions:
+				// in this scenario user "u-s-e-r-id" has this permissions:
 				registerPermissions(env.Permissions, "u-s-e-r-id", &provider.ResourcePermissions{
 					InitiateFileUpload: true,
 					Delete:             true,
@@ -316,13 +316,13 @@ var _ = Describe("Recycle", func() {
 					Username: "readusername",
 				})
 
-				// in this scenario user "userid" has this permissions:
-				registerPermissions(env.Permissions, "u-s-e-r-id", &provider.ResourcePermissions{
+				// in this scenario user "u-s-e-r-id" has this permissions:
+				/*registerPermissions(env.Permissions, "u-s-e-r-id", &provider.ResourcePermissions{
 					Delete:             true,
 					ListRecycle:        true,
 					PurgeRecycle:       true,
 					RestoreRecycleItem: true,
-				})
+				})*/
 
 				// and user "readuserid" has this permissions:
 				registerPermissions(env.Permissions, "readuserid", &provider.ResourcePermissions{
@@ -342,7 +342,7 @@ var _ = Describe("Recycle", func() {
 				Expect(len(items)).To(Equal(1))
 			})
 
-			It("cannot delete files", func() {
+			FIt("cannot delete files", func() {
 				err := env.Fs.Delete(ctx, &provider.Reference{
 					ResourceId: env.SpaceRootRes,
 					Path:       "/dir1/file1",

diff --git a/pkg/storage/utils/decomposedfs/spaces.go b/pkg/storage/utils/decomposedfs/spaces.go
@@ -86,6 +86,18 @@ func (fs *Decomposedfs) CreateStorageSpace(ctx context.Context, req *provider.Cr
 		return nil, errtypes.AlreadyExists("decomposedfs: spaces: space already exists")
 	}
 
+	// FIXME properly check if the user can create a storage space!
+	// how do we authenticate space provisioning for personal spaces?
+	ok, err := fs.p.HasPermission(ctx, root, func(rp *provider.ResourcePermissions) bool {
+		return rp.CreateContainer
+	})
+	switch {
+	case err != nil:
+		return nil, errtypes.InternalError(err.Error())
+	case !ok:
+		return nil, errtypes.PermissionDenied(filepath.Join(root.ParentID, root.Name))
+	}
+
 	// create a directory node
 	rootPath := root.InternalPath()
 	if err = os.MkdirAll(rootPath, 0700); err != nil {