search

IronCoreLabs / ironoxide

Rust SDK for IronCore Privacy Platform
https://docs.rs/ironoxide
GNU Affero General Public License v3.0
10 stars 3 forks source link

Group admins should be able to remove the group from a document's share list #238

Open giarc3 opened 3 years ago

giarc3 commented 3 years ago

Currently, users can remove themselves from a document's share list, but only the person who shared a document with a group can revoke that share. We should allow a group admin to remove the group from a document's share list. (Treat group admins as "themselves" for a group.)

Test showing the failure:

#[tokio::test]
async fn doc_revoke_from_group() -> Result<(), IronOxideErr> {
    // create two users
    let sdk = initialize_sdk().await?;
    let sdk2 = initialize_sdk().await?;
    let id = sdk.device().account_id();
    let id2 = sdk2.device().account_id();

    // user 2 creates a group. Both users are members and admins
    let group = sdk2
        .group_create(&GroupCreateOpts::new(
            None,
            None,
            true,
            true,
            None,
            vec![id.clone()],
            vec![id.clone()],
            false,
        ))
        .await?;

    // user 1 encrypts a document. Both users, as well as the group, are granted access
    let doc_result = sdk
        .document_encrypt(
            &[0u8; 64],
            &DocumentEncryptOpts::with_explicit_grants(
                None,
                None,
                true,
                vec![id2.into(), group.id().into()],
            ),
        )
        .await?;

    // user 2 tries to revoke the group's access to the document
    let revoke_result = sdk2
        .document_revoke_access(doc_result.id(), &vec![group.id().into()])
        .await?;

    assert_eq!(revoke_result.succeeded().len(), 1);

    Ok(())
}

This revoke_result.failed() contains:

[tests/document_ops.rs:837] revoke_result.failed() = [
    DocAccessEditErr {
        user_or_group: Group {
            id: GroupId(
                "8c9ab0f9afedd509645beb5951c2db70",
            ),
        },
        err: "No shares to \'8c9ab0f9afedd509645beb5951c2db70\' from \'abcABC012_.$#|@/:;=+\'-b6601d63-ca39-4532-89cf-fdc789312480\' for document \'04242636009f8caea684bf340bbae677\'",
    },
]
BobWall23 commented 3 years ago

The change will actually be made in ironcore-id - no changes should be required in this repo. Update this ticket with the ironcore-id ticket when that is generated.