From 4be3eacbe2d44295f83192ccc46fe8f0786f6497 Mon Sep 17 00:00:00 2001
From: Giuseppe Lo Presti <giuseppe.lopresti@cern.ch>
Date: Wed, 19 Apr 2023 16:56:18 +0200
Subject: [PATCH] apps: fixed viewMode resolution by making permissions
 override user's choices

---
 internal/http/services/appprovider/appprovider.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/internal/http/services/appprovider/appprovider.go b/internal/http/services/appprovider/appprovider.go
index c4366dc148e..c57d9fbc789 100644
--- a/internal/http/services/appprovider/appprovider.go
+++ b/internal/http/services/appprovider/appprovider.go
@@ -449,19 +449,23 @@ func filterAppsByUserAgent(mimeTypes []*appregistry.MimeTypeInfo, userAgent stri
 }
 
 func resolveViewMode(res *provider.ResourceInfo, vm string) gateway.OpenInAppRequest_ViewMode {
+	var viewMode gateway.OpenInAppRequest_ViewMode
 	if vm != "" {
-		return utils.GetViewMode(vm)
+		viewMode = utils.GetViewMode(vm)
+	} else {
+		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE
 	}
-
-	var viewMode gateway.OpenInAppRequest_ViewMode
 	canEdit := res.PermissionSet.InitiateFileUpload
 	canView := res.PermissionSet.InitiateFileDownload
 
 	switch {
 	case canEdit && canView:
-		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE
+		// ok
 	case canView:
-		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_ONLY
+		if viewMode == gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE || viewMode == gateway.OpenInAppRequest_VIEW_MODE_PREVIEW {
+			// downgrade to the maximum permitted viewmode
+			viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_ONLY
+		}
 	default:
 		// no permissions, will return access denied
 		viewMode = gateway.OpenInAppRequest_VIEW_MODE_INVALID