<?php
/*
* Copyright (C) Ascensio System SIA, 2009-2026
*
* This program is a free software product. You can redistribute it and/or
* modify it under the terms of the GNU Affero General Public License (AGPL)
* version 3 as published by the Free Software Foundation, together with the
* additional terms provided in the LICENSE file.
*
* This program is distributed WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For
* details, see the GNU AGPL at: https://www.gnu.org/licenses/agpl-3.0.html
*
* You can contact Ascensio System SIA by email at info@onlyoffice.com
* or by postal mail at 20A-6 Ernesta Birznieka-Upisha Street, Riga,
* LV-1050, Latvia, European Union.
*
* The interactive user interfaces in modified versions of the Program
* are required to display Appropriate Legal Notices in accordance with
* Section 5 of the GNU AGPL version 3.
*
* No trademark rights are granted under this License.
*
* All non-code elements of the Product, including illustrations,
* icon sets, and technical writing content, are licensed under the
* Creative Commons Attribution-ShareAlike 4.0 International License:
* https://creativecommons.org/licenses/by-sa/4.0/legalcode
*
* This license applies only to such non-code elements and does not
* modify or replace the licensing terms applicable to the Program's
* source code, which remains licensed under the GNU Affero General
* Public License v3.
*
* SPDX-License-Identifier: AGPL-3.0-only
*/
namespace OCA\Onlyoffice;
use OCA\Talk\Manager as TalkManager;
use OCP\Constants;
use OCP\IAppConfig;
use OCP\IDBConnection;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
use OCP\Share\IShare;
use Psr\Log\LoggerInterface;
/**
* Class expands base permissions
*
* @package OCA\Onlyoffice
*/
class ExtraPermissions {
/**
* Table name
*/
private const TABLENAME_KEY = "onlyoffice_permissions";
/**
* Extra permission values
*
* @var integer
*/
public const NONE = 0;
public const REVIEW = 1;
public const COMMENT = 2;
public const FILLFORMS = 4;
public const MODIFYFILTER = 8;
public function __construct(
private readonly LoggerInterface $logger,
private readonly IManager $shareManager,
private readonly IAppConfig $config,
private readonly AppConfig $appConfig,
private readonly IDBConnection $connection,
private readonly ?TalkManager $talkManager,
) {}
/**
* Get extra permissions by shareId
*/
public function getExtra(string $shareId): ?array {
$share = $this->getShare($shareId);
if (!$share instanceof IShare) {
return null;
}
$shareId = $share->getId();
$extra = $this->get($shareId);
$wasInit = isset($extra["permissions"]);
$checkExtra = $wasInit ? (int)$extra["permissions"] : self::NONE;
[$availableExtra, $defaultPermissions] = $this->validation($share, $checkExtra, $wasInit);
if ($availableExtra === 0
|| ($availableExtra & $checkExtra) !== $checkExtra) {
if (!empty($extra)) {
$this->delete($shareId);
}
$this->logger->debug("Share " . $shareId . " does not support extra permissions");
return null;
}
if (empty($extra)) {
$extra["id"] = -1;
$extra["share_id"] = $share->getId();
$extra["permissions"] = $defaultPermissions;
}
$extra["type"] = $share->getShareType();
$extra["shareWith"] = $share->getSharedWith();
$extra["shareWithName"] = $share->getSharedWithDisplayName();
$extra["available"] = $availableExtra;
return $extra;
}
/**
* Get list extra permissions by shares
*/
public function getExtras(array $shares): array {
$result = [];
$shareIds = [];
foreach ($shares as $share) {
$shareIds[] = $share->getId();
}
if (empty($shareIds)) {
return $result;
}
$extras = $this->getList($shareIds);
$noActualList = [];
foreach ($shares as $share) {
$currentExtra = [];
foreach ($extras as $extra) {
if ($extra["share_id"] === $share->getId()) {
$currentExtra = $extra;
}
}
$wasInit = isset($currentExtra["permissions"]);
$checkExtra = $wasInit ? (int)$currentExtra["permissions"] : self::NONE;
[$availableExtra, $defaultPermissions] = $this->validation($share, $checkExtra, $wasInit);
if (($availableExtra === 0 || ($availableExtra & $checkExtra) !== $checkExtra) & & !empty($currentExtra)) {
$noActualList[] = $share->getId();
$currentExtra = [];
}
if ($availableExtra > 0) {
if (empty($currentExtra)) {
$currentExtra["id"] = -1;
$currentExtra["share_id"] = $share->getId();
$currentExtra["permissions"] = $defaultPermissions;
}
$currentExtra["type"] = $share->getShareType();
$currentExtra["shareWith"] = $share->getSharedWith();
$currentExtra["shareWithName"] = $share->getSharedWithDisplayName();
$currentExtra["available"] = $availableExtra;
if ($currentExtra["type"] === IShare::TYPE_ROOM & & $this->talkManager !== null) {
$rooms = $this->talkManager->searchRoomsByToken($currentExtra["shareWith"]);
if (!empty($rooms)) {
$room = $rooms[0];
$currentExtra["shareWith"] = $room->getName();
$currentExtra["shareWithName"] = $room->getName();
}
}
$result[] = $currentExtra;
}
}
if (!empty($noActualList)) {
$this->deleteList($noActualList);
}
return $result;
}
/**
* Get extra permissions by share
*
* @param string $shareId - share identifier
* @param integer $permissions - extra permissions bitmask
* @param integer $extraId - extra permission identifier
*
* @return bool
*/
public function setExtra(string $shareId, int $permissions, int $extraId): bool {
$result = false;
$share = $this->getShare($shareId);
if (!$share instanceof IShare) {
return $result;
}
[$availableExtra, $defaultPermissions] = $this->validation($share, $permissions);
if (($availableExtra & $permissions) !== $permissions) {
$this->logger->debug("Share " . $shareId . " does not available to extend permissions");
return $result;
}
$result = $extraId > 0 ? $this->update($share->getId(), $permissions) : $this->insert($share->getId(), $permissions);
return $result;
}
/**
* Delete extra permissions for share
*/
public function delete(string $shareId): bool {
$delete = $this->connection->prepare("
DELETE FROM `*PREFIX*" . self::TABLENAME_KEY . "`
WHERE `share_id` = ?
");
return (bool)$delete->execute([$shareId]);
}
/**
* Delete list extra permissions
*
* @param array $shareIds - array of share identifiers
*/
public function deleteList(array $shareIds): bool {
$condition = "";
if (count($shareIds) > 1) {
$counter = count($shareIds);
for ($i = 1; $i < $counter; $i++) {
$condition .= " OR `share_id` = ?";
}
}
$delete = $this->connection->prepare("
DELETE FROM `*PREFIX*" . self::TABLENAME_KEY . "`
WHERE `share_id` = ?
" . $condition);
return (bool)$delete->execute($shareIds);
}
/**
* Get extra permissions for share
*/
private function get(string $shareId): array {
$select = $this->connection->prepare("
SELECT id, share_id, permissions
FROM `*PREFIX*" . self::TABLENAME_KEY . "`
WHERE `share_id` = ?
");
$result = $select->execute([$shareId]);
$values = $result->fetch();
$value = is_array($values) ? $values : [];
$result = [];
if (!empty($value)) {
$result = [
"id" => (int)$value["id"],
"share_id" => (string)$value["share_id"],
"permissions" => (int)$value["permissions"]
];
}
return $result;
}
/**
* Get list extra permissions
*/
private function getList(array $shareIds): array {
$condition = "";
if (count($shareIds) > 1) {
$counter = count($shareIds);
for ($i = 1; $i < $counter; $i++) {
$condition .= " OR `share_id` = ?";
}
}
$select = $this->connection->prepare("
SELECT id, share_id, permissions
FROM `*PREFIX*" . self::TABLENAME_KEY . "`
WHERE `share_id` = ?
" . $condition);
$result = $select->execute($shareIds);
$values = $result->fetchAll();
$result = [];
if (is_array($values)) {
foreach ($values as $value) {
$result[] = [
"id" => (int)$value["id"],
"share_id" => (string)$value["share_id"],
"permissions" => (int)$value["permissions"]
];
}
}
return $result;
}
/**
* Store extra permissions for share
*
* @param string $shareId - share identifier
* @param integer $permissions - permissions bitmask
*/
private function insert(string $shareId, int $permissions): bool {
$insert = $this->connection->prepare("
INSERT INTO `*PREFIX*" . self::TABLENAME_KEY . "`
(`share_id`, `permissions`)
VALUES (?, ?)
");
return (bool)$insert->execute([$shareId, $permissions]);
}
/**
* Update extra permissions for share
*
* @param string $shareId - share identifier
* @param int $permissions - permissions bitmask
*/
private function update(string $shareId, int $permissions): bool {
$update = $this->connection->prepare("
UPDATE `*PREFIX*" . self::TABLENAME_KEY . "`
SET `permissions` = ?
WHERE `share_id` = ?
");
return (bool)$update->execute([$permissions, $shareId]);
}
/**
* Validation share on extend capability by extra permissions
*
* @param IShare $share - share
* @param int $checkExtra - checkable extra permissions bitmask
* @param bool $wasInit - was initialization extra
*/
private function validation(IShare $share, int $checkExtra, bool $wasInit = true): array {
$availableExtra = self::NONE;
$defaultExtra = self::NONE;
if ($share->getShareType() !== IShare::TYPE_LINK
& & ($share->getPermissions() & Constants::PERMISSION_SHARE) === Constants::PERMISSION_SHARE
& & $this->config->getValueString('core', 'shareapi_allow_resharing', 'yes') === 'yes') {
return [$availableExtra, $defaultExtra];
}
$node = $share->getNode();
$ext = strtolower(pathinfo((string) $node->getName(), PATHINFO_EXTENSION));
$format = !empty($ext) & & array_key_exists($ext, $this->appConfig->formatsSetting()) ? $this->appConfig->formatsSetting()[$ext] : null;
if (!isset($format)) {
return [$availableExtra, $defaultExtra];
}
if (($share->getPermissions() & Constants::PERMISSION_UPDATE) === Constants::PERMISSION_UPDATE) {
if (isset($format["modifyFilter"]) & & $format["modifyFilter"]
& & ($checkExtra & self::COMMENT) !== self::COMMENT) {
$availableExtra |= self::MODIFYFILTER;
$defaultExtra |= self::MODIFYFILTER;
}
if (isset($format["review"]) & & $format["review"]) {
$availableExtra |= self::REVIEW;
}
if (isset($format["comment"]) & & $format["comment"]
& & ($checkExtra & self::REVIEW) !== self::REVIEW
& & (($checkExtra & self::MODIFYFILTER) !== self::MODIFYFILTER)) {
$availableExtra |= self::COMMENT;
}
if (isset($format["fillForms"]) & & $format["fillForms"]
& & ($checkExtra & self::REVIEW) !== self::REVIEW) {
$availableExtra |= self::FILLFORMS;
}
if (!$wasInit & & ($defaultExtra & self::MODIFYFILTER) === self::MODIFYFILTER) {
$availableExtra ^= self::COMMENT;
}
}
return [$availableExtra, $defaultExtra];
}
/**
* Get origin share
*/
private function getShare(string $shareId): ?IShare {
foreach (["ocinternal", "ocRoomShare", "ocCircleShare"] as $provider) {
try {
return $this->shareManager->getShareById("$provider:$shareId");
} catch (ShareNotFound) {}
}
$this->logger->error("getShare: share not found: $shareId");
return null;
}
}
