feat: add permissions for public link shares

Signed-off-by: Benjamin Frueh <benjamin.frueh@gmail.com>

Author: benjaminfrueh

appinfo/routes.php

@@ -97,6 +97,7 @@
 		['name' => 'share#show', 'url' => '/share/{id}', 'verb' => 'GET'],
 		['name' => 'share#create', 'url' => '/share', 'verb' => 'POST'],
 		['name' => 'share#updatePermission', 'url' => '/share/{id}/permission', 'verb' => 'PUT'],
+		['name' => 'share#updatePermissions', 'url' => '/share/{id}/permissions', 'verb' => 'PUT'],
 		['name' => 'share#updateDisplayMode', 'url' => '/share/{id}/display-mode', 'verb' => 'PUT'],
 		['name' => 'share#destroy', 'url' => '/share/{id}', 'verb' => 'DELETE'],
 

lib/Controller/Api1Controller.php

@@ -672,7 +672,7 @@ public function deleteShare(int $shareId): DataResponse {
 	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
 	public function updateSharePermissions(int $shareId, string $permissionType, bool $permissionValue): DataResponse {
 		try {
-			return new DataResponse($this->shareService->updatePermission($shareId, $permissionType, $permissionValue)->jsonSerialize());
+			return new DataResponse($this->shareService->updatePermission($shareId, [$permissionType => $permissionValue])->jsonSerialize());
 		} catch (PermissionError $e) {
 			$this->logger->warning('A permission error occurred: ' . $e->getMessage(), ['exception' => $e]);
 			$message = ['message' => $e->getMessage()];

lib/Controller/PublicRowOCSController.php

@@ -9,12 +9,14 @@
 namespace OCA\Tables\Controller;
 
 use OCA\Tables\AppInfo\Application;
+use OCA\Tables\Db\Row2Mapper;
 use OCA\Tables\Errors\BadRequestError;
 use OCA\Tables\Errors\InternalError;
 use OCA\Tables\Errors\NotFoundError;
 use OCA\Tables\Errors\PermissionError;
 use OCA\Tables\Helper\ConversionHelper;
 use OCA\Tables\Middleware\Attribute\AssertShareAccessIsAccessible;
+use OCA\Tables\Model\RowDataInput;
 use OCA\Tables\ResponseDefinitions;
 use OCA\Tables\Service\RowService;
 use OCA\Tables\Service\ShareService;
@@ -37,11 +39,13 @@ class PublicRowOCSController extends AOCSController {
 	public function __construct(
 		protected ShareService $shareService,
 		protected RowService $rowService,
+		protected Row2Mapper $row2Mapper,
 		IRequest $request,
 		LoggerInterface $logger,
 		IL10N $l,
 	) {
 		parent::__construct($request, $logger, $l, '');
+		$this->rowService->setPublicContext();
 	}
 
 	/**
@@ -68,6 +72,10 @@ public function getRows(string $token, ?int $limit, ?int $offset): DataResponse
 			$shareToken = new ShareToken($token);
 			$share = $this->shareService->findByToken($shareToken);
 
+			if (!$share->getPermissionRead()) {
+				return $this->handlePermissionError(new PermissionError('No read permission on this share'));
+			}
+
 			$limit = $limit !== null ? max(0, min(500, $limit)) : null;
 			$offset = $offset !== null ? max(0, $offset) : null;
 
@@ -90,4 +98,153 @@ public function getRows(string $token, ?int $limit, ?int $offset): DataResponse
 			return $this->handleBadRequestError($e);
 		}
 	}
+
+	/**
+	 * [api v2] Create a row in a link share
+	 *
+	 * @param string $token The share token
+	 * @param string|array<string, mixed> $data An array containing the column identifiers and their values
+	 * @return DataResponse<Http::STATUS_OK, TablesPublicRow, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_BAD_REQUEST|Http::STATUS_NOT_FOUND|Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
+	 *
+	 * 200: Row created
+	 * 400: Invalid request parameters
+	 * 403: No permissions
+	 * 404: Not found
+	 * 500: Internal error
+	 */
+	#[PublicPage]
+	#[AssertShareAccessIsAccessible]
+	#[ApiRoute(verb: 'POST', url: '/api/2/public/{token}/rows', requirements: ['token' => '[a-zA-Z0-9]{16}'])]
+	#[OpenAPI]
+	#[AnonRateLimit(limit: 20, period: 30)]
+	public function createRow(string $token, mixed $data): DataResponse {
+		try {
+			$shareToken = new ShareToken($token);
+			$share = $this->shareService->findByToken($shareToken);
+			$this->row2Mapper->setUserId('public-' . $token);
+
+			if (!$share->getPermissionCreate()) {
+				return $this->handlePermissionError(new PermissionError('No create permission on this share'));
+			}
+
+			if (is_string($data)) {
+				$data = json_decode($data, true);
+			}
+			if (!is_array($data)) {
+				return $this->handleBadRequestError(new BadRequestError('Invalid data input'));
+			}
+
+			$newRowData = new RowDataInput();
+			foreach ($data as $key => $value) {
+				$newRowData->add((int)$key, $value);
+			}
+
+			$tableId = $share->getNodeType() === 'table' ? $share->getNodeId() : null;
+			$viewId = $share->getNodeType() === 'view' ? $share->getNodeId() : null;
+
+			$row = $this->rowService->create($tableId, $viewId, $newRowData);
+			return new DataResponse($this->rowService->formatRowsForPublicShare([$row])[0]);
+		} catch (PermissionError $e) {
+			return $this->handlePermissionError($e);
+		} catch (NotFoundError $e) {
+			return $this->handleNotFoundError($e);
+		} catch (BadRequestError $e) {
+			return $this->handleBadRequestError($e);
+		} catch (InternalError|\Exception $e) {
+			return $this->handleError($e);
+		}
+	}
+
+	/**
+	 * [api v2] Update a row in a link share
+	 *
+	 * @param string $token The share token
+	 * @param int $rowId The row identifier
+	 * @param string|array<string, mixed> $data An array containing the column identifiers and their values
+	 * @return DataResponse<Http::STATUS_OK, TablesPublicRow, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_BAD_REQUEST|Http::STATUS_NOT_FOUND|Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
+	 *
+	 * 200: Row updated
+	 * 400: Invalid request parameters
+	 * 403: No permissions
+	 * 404: Not found
+	 * 500: Internal error
+	 */
+	#[PublicPage]
+	#[AssertShareAccessIsAccessible]
+	#[ApiRoute(verb: 'PUT', url: '/api/2/public/{token}/rows/{rowId}', requirements: ['token' => '[a-zA-Z0-9]{16}', 'rowId' => '\d+'])]
+	#[OpenAPI]
+	#[AnonRateLimit(limit: 20, period: 30)]
+	public function updateRow(string $token, int $rowId, mixed $data): DataResponse {
+		try {
+			$shareToken = new ShareToken($token);
+			$share = $this->shareService->findByToken($shareToken);
+			$this->row2Mapper->setUserId('public-' . $token);
+
+			if (!$share->getPermissionUpdate()) {
+				return $this->handlePermissionError(new PermissionError('No update permission on this share'));
+			}
+
+			if (is_string($data)) {
+				$data = json_decode($data, true);
+			}
+			if (!is_array($data)) {
+				return $this->handleBadRequestError(new BadRequestError('Invalid data input'));
+			}
+
+			$viewId = $share->getNodeType() === 'view' ? $share->getNodeId() : null;
+			$tableId = $share->getNodeType() === 'table' ? $share->getNodeId() : null;
+
+			$row = $this->rowService->updateSet($rowId, $viewId, $data, '', $tableId);
+			return new DataResponse($this->rowService->formatRowsForPublicShare([$row])[0]);
+		} catch (PermissionError $e) {
+			return $this->handlePermissionError($e);
+		} catch (NotFoundError $e) {
+			return $this->handleNotFoundError($e);
+		} catch (BadRequestError $e) {
+			return $this->handleBadRequestError($e);
+		} catch (InternalError|\Exception $e) {
+			return $this->handleError($e);
+		}
+	}
+
+	/**
+	 * [api v2] Delete a row in a link share
+	 *
+	 * @param string $token The share token
+	 * @param int $rowId The row identifier
+	 * @return DataResponse<Http::STATUS_OK, TablesPublicRow, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_NOT_FOUND|Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
+	 *
+	 * 200: Row deleted
+	 * 403: No permissions
+	 * 404: Not found
+	 * 500: Internal error
+	 */
+	#[PublicPage]
+	#[AssertShareAccessIsAccessible]
+	#[ApiRoute(verb: 'DELETE', url: '/api/2/public/{token}/rows/{rowId}', requirements: ['token' => '[a-zA-Z0-9]{16}', 'rowId' => '\d+'])]
+	#[OpenAPI]
+	#[AnonRateLimit(limit: 20, period: 30)]
+	public function deleteRow(string $token, int $rowId): DataResponse {
+		try {
+			$shareToken = new ShareToken($token);
+			$share = $this->shareService->findByToken($shareToken);
+			$this->row2Mapper->setUserId('public-' . $token);
+
+			if (!$share->getPermissionDelete()) {
+				return $this->handlePermissionError(new PermissionError('No delete permission on this share'));
+			}
+
+			$viewId = $share->getNodeType() === 'view' ? $share->getNodeId() : null;
+			$tableId = $share->getNodeType() === 'table' ? $share->getNodeId() : null;
+
+			$row = $this->rowService->delete($rowId, $viewId, '', $tableId);
+			return new DataResponse($this->rowService->formatRowsForPublicShare([$row])[0]);
+		} catch (PermissionError $e) {
+			return $this->handlePermissionError($e);
+		} catch (NotFoundError $e) {
+			return $this->handleNotFoundError($e);
+		} catch (InternalError|\Exception $e) {
+			return $this->handleError($e);
+		}
+	}
 }

lib/Controller/PublicSharePageController.php

@@ -71,6 +71,12 @@ public function showShare(): TemplateResponse {
 		$this->initialState->provideInitialState('shareToken', (string)$this->shareToken);
 		$this->initialState->provideInitialState('nodeType', $this->share->getNodeType());
 		$this->initialState->provideInitialState('nodeData', $nodeData);
+		$this->initialState->provideInitialState('sharePermissions', [
+			'read' => $this->share->getPermissionRead(),
+			'create' => $this->share->getPermissionCreate(),
+			'update' => $this->share->getPermissionUpdate(),
+			'delete' => $this->share->getPermissionDelete(),
+		]);
 
 		if (class_exists(LoadEditor::class)) {
 			$this->eventDispatcher->dispatchTyped(new LoadEditor());

lib/Controller/ShareController.php

@@ -85,7 +85,25 @@ public function create(
 	#[NoAdminRequired]
 	public function updatePermission(int $id, string $permission, bool $value): DataResponse {
 		return $this->handleError(function () use ($id, $permission, $value) {
-			return $this->service->updatePermission($id, $permission, $value);
+			return $this->service->updatePermission($id, [$permission => $value]);
+		});
+	}
+
+	#[NoAdminRequired]
+	public function updatePermissions(
+		int $id,
+		bool $permissionRead = false,
+		bool $permissionCreate = false,
+		bool $permissionUpdate = false,
+		bool $permissionDelete = false,
+	): DataResponse {
+		return $this->handleError(function () use ($id, $permissionRead, $permissionCreate, $permissionUpdate, $permissionDelete) {
+			return $this->service->updatePermission($id, [
+				'read' => $permissionRead,
+				'create' => $permissionCreate,
+				'update' => $permissionUpdate && $permissionRead,
+				'delete' => $permissionDelete && $permissionRead,
+			]);
 		});
 	}
 

lib/Db/Row2Mapper.php

@@ -122,6 +122,10 @@ public function getTableIdForRow(int $rowId): ?int {
 		return $rowSleeve->getTableId();
 	}
 
+	public function setUserId(string $userId): void {
+		$this->userId = $userId;
+	}
+
 	/**
 	 * @return int[]
 	 * @throws InternalError

lib/Service/PermissionsService.php

@@ -45,6 +45,8 @@ class PermissionsService {
 
 	protected bool $isCli = false;
 
+	private bool $isPublicContext = false;
+
 	private ContextMapper $contextMapper;
 
 	public function __construct(
@@ -549,6 +551,11 @@ public function getPermissionArrayForNodeFromContexts(int $nodeId, string $nodeT
 		);
 	}
 
+	public function setPublicContext(): void {
+		$this->userId = '';
+		$this->isPublicContext = true;
+	}
+
 	private function hasPermission(int $existingPermissions, string $permissionName): bool {
 		$constantName = 'PERMISSION_' . strtoupper($permissionName);
 		try {
@@ -634,7 +641,7 @@ private function basisCheck(Table|View|Context $element, string $nodeType, ?stri
 		}
 
 		if ($userId === '') {
-			return true;
+			return $this->isCli || $this->isPublicContext;
 		}
 
 		if ($this->userIsElementOwner($element, $userId, $nodeType)) {

lib/Service/RowService.php

@@ -178,7 +178,7 @@ public function find(int $rowId): Row2 {
 	 * @throws InternalError
 	 */
 	public function create(?int $tableId, ?int $viewId, RowDataInput|array $data): Row2 {
-		if ($this->userId === null || $this->userId === '') {
+		if ($this->userId === null) {
 			$e = new \Exception('No user id in context, but needed.');
 			$this->logger->error($e->getMessage(), ['exception' => $e]);
 			throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': ' . $e->getMessage());
@@ -523,10 +523,10 @@ private function getRowById(int $rowId): Row2 {
 			}
 			$row = $this->row2Mapper->find($rowId, $this->columnMapper->findAllByTable($this->row2Mapper->getTableIdForRow($rowId)));
 			$row->markAsLoaded();
-		} catch (InternalError|DoesNotExistException|MultipleObjectsReturnedException|Exception $e) {
+		} catch (InternalError|MultipleObjectsReturnedException|Exception $e) {
 			$this->logger->error($e->getMessage(), ['exception' => $e]);
 			throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': ' . $e->getMessage());
-		} catch (NotFoundError $e) {
+		} catch (NotFoundError|DoesNotExistException $e) {
 			$this->logger->error($e->getMessage(), ['exception' => $e]);
 			throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': ' . $e->getMessage());
 		}
@@ -677,7 +677,7 @@ public function updateSet(
 	 * @throws PermissionError
 	 * @noinspection DuplicatedCode
 	 */
-	public function delete(int $id, ?int $viewId, string $userId): Row2 {
+	public function delete(int $id, ?int $viewId, string $userId, ?int $tableId = null): Row2 {
 		try {
 			$item = $this->getRowById($id);
 		} catch (InternalError $e) {
@@ -688,6 +688,10 @@ public function delete(int $id, ?int $viewId, string $userId): Row2 {
 			throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': ' . $e->getMessage());
 		}
 
+		if ($tableId !== null && $tableId !== $item->getTableId()) {
+			throw new NotFoundError('Row not found');
+		}
+
 		if ($viewId) {
 			// security
 			if (!$this->permissionsService->canReadRowsByElementId($viewId, 'view', $userId)) {