fix: Propagate permissions to new federated conversations

Besides propagating the permissions to federated servers when modified the existing permissions need to be set when creating the federated conversation (or if a federated user is added again to the conversation when all the previous federated users left it already). Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
nextcloud · Aug 17, 2024 · e6db057 · e6db057
1 parent e8c51ce
commit e6db057
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 1 deletion.
diff --git a/lib/Federation/BackendNotifier.php b/lib/Federation/BackendNotifier.php
@@ -69,6 +69,8 @@ public function sendRemoteShare(
 		$roomName = $room->getName();
 		$roomType = $room->getType();
 		$roomToken = $room->getToken();
+		$roomCallPermissions = $room->getCallPermissions();
+		$roomDefaultPermissions = $room->getDefaultPermissions();
 
 		try {
 			$this->restrictionValidator->isAllowedToInvite($sharedBy, $invitedCloudId);
@@ -101,6 +103,8 @@ public function sendRemoteShare(
 		$protocol['invitedCloudId'] = $invitedCloudId->getId();
 		$protocol['roomName'] = $roomName;
 		$protocol['roomType'] = $roomType;
+		$protocol['roomCallPermissions'] = $roomCallPermissions;
+		$protocol['roomDefaultPermissions'] = $roomDefaultPermissions;
 		$protocol['name'] = FederationManager::TALK_PROTOCOL_NAME;
 		$share->setProtocol($protocol);
 

diff --git a/lib/Federation/CloudFederationProviderTalk.php b/lib/Federation/CloudFederationProviderTalk.php
@@ -125,6 +125,8 @@ public function shareReceived(ICloudFederationShare $share): string {
 		$remoteId = $share->getProviderId();
 		$roomToken = $share->getResourceName();
 		$roomName = $share->getProtocol()['roomName'];
+		$roomCallPermissions = $share->getProtocol()['roomCallPermissions'];
+		$roomDefaultPermissions = $share->getProtocol()['roomDefaultPermissions'];
 		if (isset($share->getProtocol()['invitedCloudId'])) {
 			$localCloudId = $share->getProtocol()['invitedCloudId'];
 		} else {
@@ -173,7 +175,7 @@ public function shareReceived(ICloudFederationShare $share): string {
 				throw new ProviderCouldNotAddShareException('User does not exist', '', Http::STATUS_BAD_REQUEST);
 			}
 
-			$invite = $this->federationManager->addRemoteRoom($shareWithUser, (int) $remoteId, $roomType, $roomName, $roomToken, $remote, $shareSecret, $sharedByFederatedId, $sharedByDisplayName, $localCloudId);
+			$invite = $this->federationManager->addRemoteRoom($shareWithUser, (int) $remoteId, $roomType, $roomName, $roomCallPermissions, $roomDefaultPermissions, $roomToken, $remote, $shareSecret, $sharedByFederatedId, $sharedByDisplayName, $localCloudId);
 
 			$this->notifyAboutNewShare($shareWithUser, (string) $invite->getId(), $sharedByFederatedId, $sharedByDisplayName, $roomName, $roomToken, $remote);
 			return (string) $invite->getId();

diff --git a/lib/Federation/FederationManager.php b/lib/Federation/FederationManager.php
@@ -19,6 +19,7 @@
 use OCA\Talk\Participant;
 use OCA\Talk\Room;
 use OCA\Talk\Service\ParticipantService;
+use OCA\Talk\Service\RoomService;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
 use OCP\Federation\Exceptions\ProviderCouldNotAddShareException;
@@ -50,6 +51,7 @@ class FederationManager {
 	public function __construct(
 		private Manager $manager,
 		private ParticipantService $participantService,
+		private RoomService $roomService,
 		private InvitationMapper $invitationMapper,
 		private BackendNotifier $backendNotifier,
 		private IManager $notificationManager,
@@ -75,6 +77,8 @@ public function addRemoteRoom(
 		int $remoteAttendeeId,
 		int $roomType,
 		string $roomName,
+		int $roomCallPermissions,
+		int $roomDefaultPermissions,
 		string $remoteToken,
 		string $remoteServerUrl,
 		#[SensitiveParameter]
@@ -91,6 +95,14 @@ public function addRemoteRoom(
 			$room = $this->manager->createRemoteRoom($roomType, $roomName, $remoteToken, $remoteServerUrl);
 		}
 
+		// Only update the room permissions if there are no participants in the
+		// remote room. Otherwise the room permissions would be up to date
+		// already due to the notifications about room permission changes.
+		if (empty($participant = $this->participantService->getParticipantsForRoom($room))) {
+			$this->roomService->setPermissions($room, 'call', Attendee::PERMISSIONS_MODIFY_SET, $roomCallPermissions, true);
+			$this->roomService->setPermissions($room, 'default', Attendee::PERMISSIONS_MODIFY_SET, $roomDefaultPermissions, true);
+		}
+
 		if ($couldHaveInviteWithOtherCasing) {
 			try {
 				$this->invitationMapper->getInvitationForUserByLocalRoom($room, $user->getUID(), true);

diff --git a/tests/integration/features/federation/permissions.feature b/tests/integration/features/federation/permissions.feature
@@ -40,6 +40,24 @@ Feature: federation/permissions
       | permissions |
       | CLM         |
 
+  Scenario: change permissions for all attendees before inviting federated user
+    Given user "participant1" creates room "room" (v4)
+      | roomType | 2 |
+      | roomName | room name |
+    When user "participant1" sets permissions for all attendees in room "room" to "SM" with 200 (v4)
+    And user "participant1" removes permissions for all attendees in room "room" to "S" with 200 (v4)
+    And user "participant1" adds permissions for all attendees in room "room" to "L" with 200 (v4)
+    And user "participant1" adds federated_user "participant2" to room "room" with 200 (v4)
+    And user "participant2" has the following invitations (v1)
+      | remoteServerUrl | remoteToken | state | inviterCloudId                     | inviterDisplayName       |
+      | LOCAL           | room        | 0     | participant1@http://localhost:8080 | participant1-displayname |
+    And user "participant2" accepts invite to room "room" of server "LOCAL" with 200 (v1)
+      | id          | name      | type | remoteServer | remoteToken |
+      | LOCAL::room | room name | 2    | LOCAL        | room        |
+    Then user "participant2" is participant of room "LOCAL::room" (v4)
+      | permissions |
+      | CLM         |
+
   Scenario: change permissions for all attendees before federated user accepts invitation
     Given user "participant1" creates room "room" (v4)
       | roomType | 2 |
@@ -74,6 +92,43 @@ Feature: federation/permissions
       | permissions |
       | CM          |
 
+  Scenario: set conversation permissions before inviting federated user
+    Given user "participant1" creates room "room" (v4)
+      | roomType | 2 |
+      | roomName | room name |
+    When user "participant1" sets default permissions for room "room" to "M" with 200 (v4)
+    And user "participant1" adds federated_user "participant2" to room "room" with 200 (v4)
+    And user "participant2" has the following invitations (v1)
+      | remoteServerUrl | remoteToken | state | inviterCloudId                     | inviterDisplayName       |
+      | LOCAL           | room        | 0     | participant1@http://localhost:8080 | participant1-displayname |
+    And user "participant2" accepts invite to room "room" of server "LOCAL" with 200 (v1)
+      | id          | name      | type | remoteServer | remoteToken |
+      | LOCAL::room | room name | 2    | LOCAL        | room        |
+    Then user "participant2" is participant of room "LOCAL::room" (v4)
+      | permissions |
+      | CM          |
+
+  Scenario: set conversation permissions before inviting federated user again
+    Given user "participant1" creates room "room" (v4)
+      | roomType | 2 |
+      | roomName | room name |
+    And user "participant1" adds federated_user "participant2" to room "room" with 200 (v4)
+    And user "participant2" has the following invitations (v1)
+      | remoteServerUrl | remoteToken | state | inviterCloudId                     | inviterDisplayName       |
+      | LOCAL           | room        | 0     | participant1@http://localhost:8080 | participant1-displayname |
+    And user "participant2" declines invite to room "room" of server "LOCAL" with 200 (v1)
+    When user "participant1" sets default permissions for room "room" to "M" with 200 (v4)
+    And user "participant1" adds federated_user "participant2" to room "room" with 200 (v4)
+    And user "participant2" has the following invitations (v1)
+      | remoteServerUrl | remoteToken | state | inviterCloudId                     | inviterDisplayName       |
+      | LOCAL           | room        | 0     | participant1@http://localhost:8080 | participant1-displayname |
+    And user "participant2" accepts invite to room "room" of server "LOCAL" with 200 (v1)
+      | id          | name      | type | remoteServer | remoteToken |
+      | LOCAL::room | room name | 2    | LOCAL        | room        |
+    Then user "participant2" is participant of room "LOCAL::room" (v4)
+      | permissions |
+      | CM          |
+
   Scenario: set conversation permissions before federated user accepts invitation
     Given user "participant1" creates room "room" (v4)
       | roomType | 2 |