Fix create share API permissions for links

[julien-nc]

When publicUpload is false:

• default share link permissions (set in settings/admin/sharing)
• and the permissions request parameter

are ignored. PERMISSION_READ is always set.

The createShare api method still has some permission issues with publicUpload (#17504) and it's still impossible to create a share without expiration date if a default one is defined (#10178). But these issues are a bit trickier to fix.

[skjnldsv]

are ignored. PERMISSION_READ is always set.

I mean, that seems logical, no?
When nothing is provided, the minimum for a public share should be READ, no?

[julien-nc]

@skjnldsv Hmmm the minimum yes, but there it's forced to PERMISSION_READ even if some permissions were provided via a request param. Even the default permissions are ignored.

[skjnldsv]

Can you give more details about the issue you faced?
Public share links have certains preset for sharing, they cannot have random permissions, to me this is on purpose, not a mistake. Either it's a public upload, or just a read-only access 🤔

[julien-nc]

@skjnldsv Sorry for the lack of details.

When creating a share link for a file (publicUpload is false) by calling /ocs/v2.php/apps/files_sharing/api/v1/shares (POST), even if you provide some permissions with the permissions param, they are ignored and PERMISSION_READ is set.

Afterwards, you can still edit the share link and set the permissions you want with /ocs/v2.php/apps/files_sharing/api/v1/shares/SHARE_ID (PUT) but it's not possible to directly set the permissions on creation.

For example, one cannot allow edition when creating a share link on a file. This can be useful when creating a share link for a markdown file.

[skjnldsv]

Afterwards, you can still edit the share link and set the permissions you want with /ocs/v2.php/apps/files_sharing/api/v1/shares/SHARE_ID (PUT) but it's not possible to directly set the permissions on creation.

this is the issue then, it needs to be limited to the three options we support ?

[julien-nc]

@skjnldsv Here is a cleaner approach:

When creating a public link (with publicUpload request param to false):

• If there was no permissions request param: set permissions to READ
• Else, use those requested permissions

it needs to be limited to the three options we support ?

I might be wrong but I think the limitation is already applied earlier in this method: https://github.com/nextcloud/server/blob/master/apps/files_sharing/lib/Controller/ShareAPIController.php#L504-L508

[skjnldsv]

What's the status? Is this still needed @julien-nc ?

[skjnldsv]

no activity, closing