Merge pull request #47227 from nextcloud/backport/47192/stable28

[stable28] Apply group limit on remove from group

Author: blizzz

cypress/e2e/files_sharing/limit_to_same_group.cy.ts

@@ -0,0 +1,107 @@
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { User } from "@nextcloud/cypress"
+import { createShare } from "./FilesSharingUtils.ts"
+
+describe('Limit to sharing to people in the same group', () => {
+	let alice: User
+	let bob: User
+	let randomFileName1 = ''
+	let randomFileName2 = ''
+	let randomGroupName = ''
+	let randomGroupName2 = ''
+	let randomGroupName3 = ''
+
+	before(() => {
+		randomFileName1 = Math.random().toString(36).replace(/[^a-z]+/g, '').substring(0, 10) + '.txt'
+		randomFileName2 = Math.random().toString(36).replace(/[^a-z]+/g, '').substring(0, 10) + '.txt'
+		randomGroupName = Math.random().toString(36).replace(/[^a-z]+/g, '').substring(0, 10)
+		randomGroupName2 = Math.random().toString(36).replace(/[^a-z]+/g, '').substring(0, 10)
+		randomGroupName3 = Math.random().toString(36).replace(/[^a-z]+/g, '').substring(0, 10)
+
+		cy.runOccCommand('config:app:set core shareapi_only_share_with_group_members --value yes')
+
+		cy.createRandomUser()
+			.then(user => {
+				alice = user
+				cy.createRandomUser()
+			})
+			.then(user => {
+				bob = user
+
+				cy.runOccCommand(`group:add ${randomGroupName}`)
+				cy.runOccCommand(`group:add ${randomGroupName2}`)
+				cy.runOccCommand(`group:add ${randomGroupName3}`)
+				cy.runOccCommand(`group:adduser ${randomGroupName} ${alice.userId}`)
+				cy.runOccCommand(`group:adduser ${randomGroupName} ${bob.userId}`)
+				cy.runOccCommand(`group:adduser ${randomGroupName2} ${alice.userId}`)
+				cy.runOccCommand(`group:adduser ${randomGroupName2} ${bob.userId}`)
+				cy.runOccCommand(`group:adduser ${randomGroupName3} ${bob.userId}`)
+
+				cy.uploadContent(alice, new Blob(['share to bob'], { type: 'text/plain' }), 'text/plain', `/${randomFileName1}`)
+				cy.uploadContent(bob, new Blob(['share by bob'], { type: 'text/plain' }), 'text/plain', `/${randomFileName2}`)
+
+				cy.login(alice)
+				cy.visit('/apps/files')
+				createShare(randomFileName1, bob.userId)
+				cy.login(bob)
+				cy.visit('/apps/files')
+				createShare(randomFileName2, alice.userId)
+			})
+	})
+
+	after(() => {
+		cy.runOccCommand('config:app:set core shareapi_only_share_with_group_members --value no')
+	})
+
+	it('Alice can see the shared file', () => {
+		cy.login(alice)
+		cy.visit('/apps/files')
+		cy.get(`[data-cy-files-list] [data-cy-files-list-row-name="${randomFileName2}"]`).should('exist')
+	})
+
+	it('Bob can see the shared file', () => {
+		cy.login(alice)
+		cy.visit('/apps/files')
+		cy.get(`[data-cy-files-list] [data-cy-files-list-row-name="${randomFileName1}"]`).should('exist')
+	})
+
+	context('Bob is removed from the first group', () => {
+		before(() => {
+			cy.runOccCommand(`group:removeuser ${randomGroupName} ${bob.userId}`)
+		})
+
+		it('Alice can see the shared file', () => {
+			cy.login(alice)
+			cy.visit('/apps/files')
+			cy.get(`[data-cy-files-list] [data-cy-files-list-row-name="${randomFileName2}"]`).should('exist')
+		})
+
+		it('Bob can see the shared file', () => {
+			cy.login(alice)
+			cy.visit('/apps/files')
+			cy.get(`[data-cy-files-list] [data-cy-files-list-row-name="${randomFileName1}"]`).should('exist')
+		})
+	})
+
+	context('Bob is removed from the second group', () => {
+		before(() => {
+			cy.runOccCommand(`group:removeuser ${randomGroupName2} ${bob.userId}`)
+		})
+
+		it('Alice cannot see the shared file', () => {
+			cy.login(alice)
+			cy.visit('/apps/files')
+		cy.get(`[data-cy-files-list] [data-cy-files-list-row-name="${randomFileName2}"]`).should('not.exist')
+		})
+
+		it('Bob cannot see the shared file', () => {
+			cy.login(alice)
+			cy.visit('/apps/files')
+		cy.get(`[data-cy-files-list] [data-cy-files-list-row-name="${randomFileName1}"]`).should('not.exist')
+		})
+	})
+})

lib/private/Share20/DefaultShareProvider.php

@@ -53,6 +53,7 @@
 use OCP\Mail\IMailer;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IAttributes;
+use OCP\Share\IManager;
 use OCP\Share\IShare;
 use OCP\Share\IShareProvider;
 use function str_starts_with;
@@ -102,6 +103,7 @@ public function __construct(
 		IFactory $l10nFactory,
 		IURLGenerator $urlGenerator,
 		ITimeFactory $timeFactory,
+		private IManager $shareManager,
 	) {
 		$this->dbConn = $connection;
 		$this->userManager = $userManager;
@@ -1304,6 +1306,7 @@ public function groupDeleted($gid) {
 	 *
 	 * @param string $uid
 	 * @param string $gid
+	 * @return void
 	 */
 	public function userDeletedFromGroup($uid, $gid) {
 		/*
@@ -1315,7 +1318,7 @@ public function userDeletedFromGroup($uid, $gid) {
 			->where($qb->expr()->eq('share_type', $qb->createNamedParameter(IShare::TYPE_GROUP)))
 			->andWhere($qb->expr()->eq('share_with', $qb->createNamedParameter($gid)));
 
-		$cursor = $qb->execute();
+		$cursor = $qb->executeQuery();
 		$ids = [];
 		while ($row = $cursor->fetch()) {
 			$ids[] = (int)$row['id'];
@@ -1332,7 +1335,45 @@ public function userDeletedFromGroup($uid, $gid) {
 					->where($qb->expr()->eq('share_type', $qb->createNamedParameter(IShare::TYPE_USERGROUP)))
 					->andWhere($qb->expr()->eq('share_with', $qb->createNamedParameter($uid)))
 					->andWhere($qb->expr()->in('parent', $qb->createNamedParameter($chunk, IQueryBuilder::PARAM_INT_ARRAY)));
-				$qb->execute();
+				$qb->executeStatement();
+			}
+		}
+
+		if ($this->shareManager->shareWithGroupMembersOnly()) {
+			$user = $this->userManager->get($uid);
+			if ($user === null) {
+				return;
+			}
+			$userGroups = $this->groupManager->getUserGroupIds($user);
+
+			// Delete user shares received by the user from users in the group.
+			$userReceivedShares = $this->shareManager->getSharedWith($uid, IShare::TYPE_USER, null, -1);
+			foreach ($userReceivedShares as $share) {
+				$owner = $this->userManager->get($share->getSharedBy());
+				if ($owner === null) {
+					continue;
+				}
+				$ownerGroups = $this->groupManager->getUserGroupIds($owner);
+				$mutualGroups = array_intersect($userGroups, $ownerGroups);
+
+				if (count($mutualGroups) === 0) {
+					$this->shareManager->deleteShare($share);
+				}
+			}
+
+			// Delete user shares from the user to users in the group.
+			$userEmittedShares = $this->shareManager->getSharesBy($uid, IShare::TYPE_USER, null, true, -1);
+			foreach ($userEmittedShares as $share) {
+				$recipient = $this->userManager->get($share->getSharedWith());
+				if ($recipient === null) {
+					continue;
+				}
+				$recipientGroups = $this->groupManager->getUserGroupIds($recipient);
+				$mutualGroups = array_intersect($userGroups, $recipientGroups);
+
+				if (count($mutualGroups) === 0) {
+					$this->shareManager->deleteShare($share);
+				}
 			}
 		}
 	}

lib/private/Share20/ProviderFactory.php

@@ -106,6 +106,7 @@ protected function defaultShareProvider() {
 				$this->serverContainer->getL10NFactory(),
 				$this->serverContainer->getURLGenerator(),
 				$this->serverContainer->query(ITimeFactory::class),
+				$this->serverContainer->get(IManager::class),
 			);
 		}
 

tests/lib/Share20/DefaultShareProviderTest.php

@@ -39,6 +39,7 @@
 use OCP\IUserManager;
 use OCP\L10N\IFactory;
 use OCP\Mail\IMailer;
+use OCP\Share\IManager as IShareManager;
 use OCP\Share\IShare;
 use PHPUnit\Framework\MockObject\MockObject;
 
@@ -82,6 +83,9 @@ class DefaultShareProviderTest extends \Test\TestCase {
 	/** @var ITimeFactory|MockObject */
 	protected $timeFactory;
 
+	/** @var IShareManager&MockObject */
+	protected $shareManager;
+
 	protected function setUp(): void {
 		$this->dbConn = \OC::$server->getDatabaseConnection();
 		$this->userManager = $this->createMock(IUserManager::class);
@@ -93,6 +97,7 @@ protected function setUp(): void {
 		$this->defaults = $this->getMockBuilder(Defaults::class)->disableOriginalConstructor()->getMock();
 		$this->urlGenerator = $this->createMock(IURLGenerator::class);
 		$this->timeFactory = $this->createMock(ITimeFactory::class);
+		$this->shareManager = $this->createMock(IShareManager::class);
 
 		$this->userManager->expects($this->any())->method('userExists')->willReturn(true);
 		$this->timeFactory->expects($this->any())->method('now')->willReturn(new \DateTimeImmutable("2023-05-04 00:00 Europe/Berlin"));
@@ -109,7 +114,8 @@ protected function setUp(): void {
 			$this->defaults,
 			$this->l10nFactory,
 			$this->urlGenerator,
-			$this->timeFactory
+			$this->timeFactory,
+			$this->shareManager,
 		);
 	}
 
@@ -470,7 +476,8 @@ public function testDeleteSingleShare() {
 				$this->defaults,
 				$this->l10nFactory,
 				$this->urlGenerator,
-				$this->timeFactory
+				$this->timeFactory,
+				$this->shareManager,
 			])
 			->setMethods(['getShareById'])
 			->getMock();
@@ -565,7 +572,8 @@ public function testDeleteGroupShareWithUserGroupShares() {
 				$this->defaults,
 				$this->l10nFactory,
 				$this->urlGenerator,
-				$this->timeFactory
+				$this->timeFactory,
+				$this->shareManager,
 			])
 			->setMethods(['getShareById'])
 			->getMock();
@@ -2525,7 +2533,8 @@ public function testGetSharesInFolder() {
 			$this->defaults,
 			$this->l10nFactory,
 			$this->urlGenerator,
-			$this->timeFactory
+			$this->timeFactory,
+			$this->shareManager,
 		);
 
 		$password = md5(time());
@@ -2623,7 +2632,8 @@ public function testGetAccessListNoCurrentAccessRequired() {
 			$this->defaults,
 			$this->l10nFactory,
 			$this->urlGenerator,
-			$this->timeFactory
+			$this->timeFactory,
+			$this->shareManager,
 		);
 
 		$u1 = $userManager->createUser('testShare1', 'test');
@@ -2719,7 +2729,8 @@ public function testGetAccessListCurrentAccessRequired() {
 			$this->defaults,
 			$this->l10nFactory,
 			$this->urlGenerator,
-			$this->timeFactory
+			$this->timeFactory,
+			$this->shareManager,
 		);
 
 		$u1 = $userManager->createUser('testShare1', 'test');