allow scope check to impersonate space owners (cs3org#3843)

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2403905 · May 19, 2023 · ba4eedd · ba4eedd
1 parent 9b136a2
commit ba4eedd
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/changelog/unreleased/allow-scope-to-impersonate-space-owner.md b/changelog/unreleased/allow-scope-to-impersonate-space-owner.md
@@ -0,0 +1,6 @@
+Bugfix: allow scope check to impersonate space owners
+
+The publicshare scope check now fakes a user to mint an access token when impersonating a user of type `SPACE_OWNER` which is used for project spaces. This fixes downloading archives from public link shares in project spaces.
+
+https://github.com/cs3org/reva/pull/3843
+https://github.com/owncloud/ocis/issues/5229
diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
@@ -251,16 +251,25 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
 		// We mint a token as the owner of the public share and try to stat the reference
 		// TODO(ishank011): We need to find a better alternative to this
 
-		userResp, err := client.GetUser(ctx, &userpb.GetUserRequest{UserId: statResponse.Info.Owner, SkipFetchingUserGroups: true})
-		if err != nil || userResp.Status.Code != rpc.Code_CODE_OK {
-			return false, err
+		var user *userpb.User
+		if statResponse.GetInfo().GetOwner().GetType() == userpb.UserType_USER_TYPE_SPACE_OWNER {
+			// fake a space owner user
+			user = &userpb.User{
+				Id: statResponse.GetInfo().GetOwner(),
+			}
+		} else {
+			userResp, err := client.GetUser(ctx, &userpb.GetUserRequest{UserId: statResponse.Info.Owner, SkipFetchingUserGroups: true})
+			if err != nil || userResp.Status.Code != rpc.Code_CODE_OK {
+				return false, err
+			}
+			user = userResp.User
 		}
 
 		scope, err := scope.AddOwnerScope(map[string]*authpb.Scope{})
 		if err != nil {
 			return false, err
 		}
-		token, err := mgr.MintToken(ctx, userResp.User, scope)
+		token, err := mgr.MintToken(ctx, user, scope)
 		if err != nil {
 			return false, err
 		}