cernbox: fix shares to external accounts

cs3org · Sep 17, 2024 · e98eb85 · e98eb85
1 parent 122da0b
commit e98eb85
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/changelog/unreleased/lwshares-fix.md b/changelog/unreleased/lwshares-fix.md
@@ -0,0 +1,7 @@
+Bugfix: fix shares for external accounts
+
+We may have external accounts with regular usernames (and with null uid):
+This patch decorates such usernames when storing them as Grantee in a share,
+such that when a share is retrieved, permissions are checked correctly.
+
+https://github.com/cs3org/reva/pull/4849
diff --git a/pkg/cbox/utils/conversions.go b/pkg/cbox/utils/conversions.go
@@ -20,6 +20,7 @@ package utils
 
 import (
 	"database/sql"
+	"fmt"
 	"strings"
 	"time"
 
@@ -165,6 +166,14 @@ func IntToShareState(g int) collaboration.ShareState {
 
 // FormatUserID formats a CS3API user ID to a string.
 func FormatUserID(u *userpb.UserId) string {
+	if (u.Type == userpb.UserType_USER_TYPE_LIGHTWEIGHT || u.Type == userpb.UserType_USER_TYPE_FEDERATED) &&
+		!strings.Contains(u.OpaqueId, "guest:") && !strings.Contains(u.OpaqueId, "@") {
+		// in this case we have an external user, but its username does not contain an Idp identifier:
+		// this may happen for a SSO (e.g. the CERN SSO) that allows to register external accounts via email
+		// and generates regular usernames for such accounts. Here we decorate those usernames
+		// so that ExtractUserID below can do the reverse identification:
+		return fmt.Sprintf("%s@localidp", u.OpaqueId)
+	}
 	return u.OpaqueId
 }