Currently, users can remove themselves from a document's share list, but only the person who shared a document with a group can revoke that share. We should allow a group admin to remove the group from a document's share list. (Treat group admins as "themselves" for a group.)
Test showing the failure:
```rust
#[tokio::test]
async fn doc_revoke_from_group() -> Result<(), IronOxideErr> {
    // create two users
    let sdk = initialize_sdk().await?;
    let sdk2 = initialize_sdk().await?;
    let id = sdk.device().account_id();
    let id2 = sdk2.device().account_id();

    // user 2 creates a group. Both users are members and admins
    let group = sdk2
        .group_create(&GroupCreateOpts::new(
            None,
            None,
            true,
            true,
            None,
            vec![id.clone()],
            vec![id.clone()],
            false,
        ))
        .await?;

    // user 1 encrypts a document. Both users, as well as the group, are granted access
    let doc_result = sdk
        .document_encrypt(
            &[0u8; 64],
            &DocumentEncryptOpts::with_explicit_grants(
                None,
                None,
                true,
                vec![id2.into(), group.id().into()],
            ),
        )
        .await?;

    // user 2 tries to revoke the group's access to the document
    let revoke_result = sdk2
        .document_revoke_access(doc_result.id(), &vec![group.id().into()])
        .await?;
    assert_eq!(revoke_result.succeeded().len(), 1);
    Ok(())
}
```
Here `revoke_result.failed()` contains:

```
[tests/document_ops.rs:837] revoke_result.failed() = [
    DocAccessEditErr {
        user_or_group: Group {
            id: GroupId(
                "8c9ab0f9afedd509645beb5951c2db70",
            ),
        },
        err: "No shares to \'8c9ab0f9afedd509645beb5951c2db70\' from \'abcABC012_.$#|@/:;=+\'-b6601d63-ca39-4532-89cf-fdc789312480\' for document \'04242636009f8caea684bf340bbae677\'",
    },
]
```
The change will actually be made in ironcore-id - no changes should be required in this repo. Update this ticket with the ironcore-id ticket when that is generated.
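An added sketch (not code from ironoxide or ironcore-id) that models the revoke rule described in this ticket, with and without the proposed group-admin exception, and shows that a user who is not an admin of the group still cannot revoke it. The `Grantee`, `Share` and `DocAcl` types, `may_revoke`, `scenario` and all ids are hypothetical.

```rust
use std::collections::{HashMap, HashSet};

// Constructed model of a document share list; not ironcore-id's data model.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Grantee {
    User(String),
    Group(String),
}

pub struct Share {
    pub from: String, // user who granted the access
    pub to: Grantee,  // user or group that received it
}

pub struct DocAcl {
    pub shares: Vec<Share>,
    pub group_admins: HashMap<String, HashSet<String>>, // group id -> admin user ids
}

impl DocAcl {
    /// `admin_rule = false`: users may remove themselves or a share they granted.
    /// `admin_rule = true`: additionally, a group admin counts as "themselves" for the group.
    pub fn may_revoke(&self, requester: &str, target: &Grantee, admin_rule: bool) -> bool {
        let is_self = matches!(target, Grantee::User(u) if u.as_str() == requester);
        let is_admin = admin_rule
            && matches!(target, Grantee::Group(g)
                if self.group_admins.get(g).map_or(false, |a| a.contains(requester)));
        // A matching share must exist in every case; the rule only widens who may remove it.
        self.shares
            .iter()
            .any(|s| s.to == *target && (is_self || is_admin || s.from == requester))
    }
}

/// Constructed data mirroring the test: user1 shares with user2 and group1;
/// user1 and user2 administer group1, and user3 is not an admin.
pub fn scenario() -> DocAcl {
    let share = |to| Share { from: "user1".to_string(), to };
    let admins: HashSet<String> = ["user1", "user2"].iter().map(|s| s.to_string()).collect();
    DocAcl {
        shares: vec![share(Grantee::User("user2".into())), share(Grantee::Group("group1".into()))],
        group_admins: HashMap::from([("group1".to_string(), admins)]),
    }
}

fn main() {
    let (acl, group) = (scenario(), Grantee::Group("group1".into()));
    println!("user2 current:  {}", acl.may_revoke("user2", &group, false));
    println!("user2 proposed: {}", acl.may_revoke("user2", &group, true));
}
```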