
Settings service user can see roles list #5079

Closed ScharfViktor closed 1 year ago

ScharfViktor commented 1 year ago

related https://github.com/owncloud/ocis/issues/5032

A normal user (without administrator rights) can see the full roles list, including the admin role's settings:

$ curl -k -s -u einstein:relativity -X POST 'https://localhost:9200/api/v0/settings/roles-list' -d '{}' | jq .
{
  "bundles": [
    {
      "id": "71881883-1768-46bd-a24d-a356a2afdf7f",
      "name": "admin",
      "type": "TYPE_ROLE",
      "extension": "ocis-roles",
      "displayName": "Admin",
      "settings": [
        {
          "id": "a53e601e-571f-4f86-8fec-d4576ef49c62",
          "name": "role-management",
          "displayName": "Role Management",
          "description": "This permission gives full access to everything that is related to role management.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_USER",
            "id": "all"
          }
        },
        {
          "id": "3d58f441-4a05-42f8-9411-ef5874528ae1",
          "name": "settings-management",
          "displayName": "Settings Management",
          "description": "This permission gives full access to everything that is related to settings management.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_USER",
            "id": "all"
          }
        },
        {
          "id": "7d81f103-0488-4853-bce5-98dcce36d649",
          "name": "language-readwrite",
          "displayName": "Permission to read and set the language (anyone)",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SETTING",
            "id": "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f"
          }
        },
        {
          "id": "8e587774-d929-4215-910b-a317b1e80f73",
          "name": "account-management",
          "displayName": "Account Management",
          "description": "This permission gives full access to everything that is related to account management.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_USER",
            "id": "all"
          }
        },
        {
          "id": "522adfbe-5908-45b4-b135-41979de73245",
          "name": "group-management",
          "displayName": "Group Management",
          "description": "This permission gives full access to everything that is related to group management.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_GROUP",
            "id": "all"
          }
        },
        {
          "id": "4e6f9709-f9e7-44f1-95d4-b762d27b7896",
          "name": "set-space-quota",
          "displayName": "Set Space Quota",
          "description": "This permission allows to manage space quotas.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        },
        {
          "id": "79e13b30-3e22-11eb-bc51-0b9f0bad9a58",
          "name": "create-space",
          "displayName": "Create Space",
          "description": "This permission allows to create new spaces.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        },
        {
          "id": "016f6ddd-9501-4a0a-8ebe-64a20ee8ec82",
          "name": "list-all-spaces",
          "displayName": "List All Spaces",
          "description": "This permission allows listing all spaces.",
          "permissionValue": {
            "operation": "OPERATION_READ",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        },
        {
          "id": "5de9fe0a-4bc5-4a47-b758-28f370caf169",
          "name": "delete-all-home-spaces",
          "displayName": "Delete All Home Spaces",
          "description": "This permission allows to delete home spaces.",
          "permissionValue": {
            "operation": "OPERATION_DELETE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        },
        {
          "id": "fb60b004-c1fa-4f09-bf87-55ce7d46ac61",
          "name": "delete-all-spaces",
          "displayName": "Delete All Spaces",
          "description": "This permission allows to delete all spaces.",
          "permissionValue": {
            "operation": "OPERATION_DELETE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        }
      ],
      "resource": {
        "type": "TYPE_SYSTEM"
      }
    },
    {
      "id": "d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11",
      "name": "user",
      "type": "TYPE_ROLE",
      "extension": "ocis-roles",
      "displayName": "User",
      "settings": [
        {
          "id": "640e00d2-4df8-41bd-b1c2-9f30a01e0e99",
          "name": "language-readwrite",
          "displayName": "Permission to read and set the language (self)",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_OWN"
          },
          "resource": {
            "type": "TYPE_SETTING",
            "id": "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f"
          }
        },
        {
          "id": "e03070e9-4362-4cc6-a872-1c7cb2eb2b8e",
          "name": "self-management",
          "displayName": "Self Management",
          "description": "This permission gives access to self management.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_OWN"
          },
          "resource": {
            "type": "TYPE_USER",
            "id": "me"
          }
        },
        {
          "id": "79e13b30-3e22-11eb-bc51-0b9f0bad9a58",
          "name": "create-space",
          "displayName": "Create own Space",
          "description": "This permission allows to create a space owned by the current user.",
          "permissionValue": {
            "operation": "OPERATION_CREATE",
            "constraint": "CONSTRAINT_OWN"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        }
      ],
      "resource": {
        "type": "TYPE_SYSTEM"
      }
    },
    {
      "id": "2aadd357-682c-406b-8874-293091995fdd",
      "name": "spaceadmin",
      "type": "TYPE_ROLE",
      "extension": "ocis-roles",
      "displayName": "Space Admin",
      "settings": [
        {
          "id": "4e6f9709-f9e7-44f1-95d4-b762d27b7896",
          "name": "set-space-quota",
          "displayName": "Set Space Quota",
          "description": "This permission allows to manage space quotas.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        },
        {
          "id": "79e13b30-3e22-11eb-bc51-0b9f0bad9a58",
          "name": "create-space",
          "displayName": "Create Space",
          "description": "This permission allows to create new spaces.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        },
        {
          "id": "016f6ddd-9501-4a0a-8ebe-64a20ee8ec82",
          "name": "list-all-spaces",
          "displayName": "List All Spaces",
          "description": "This permission allows listing all spaces.",
          "permissionValue": {
            "operation": "OPERATION_READ",
            "constraint": "CONSTRAINT_ALL"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        },
        {
          "id": "640e00d2-4df8-41bd-b1c2-9f30a01e0e99",
          "name": "language-readwrite",
          "displayName": "Permission to read and set the language (self)",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_OWN"
          },
          "resource": {
            "type": "TYPE_SETTING",
            "id": "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f"
          }
        },
        {
          "id": "e03070e9-4362-4cc6-a872-1c7cb2eb2b8e",
          "name": "self-management",
          "displayName": "Self Management",
          "description": "This permission gives access to self management.",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_OWN"
          },
          "resource": {
            "type": "TYPE_USER",
            "id": "me"
          }
        },
        {
          "id": "79e13b30-3e22-11eb-bc51-0b9f0bad9a58",
          "name": "create-space",
          "displayName": "Create own Space",
          "description": "This permission allows to create a space owned by the current user.",
          "permissionValue": {
            "operation": "OPERATION_CREATE",
            "constraint": "CONSTRAINT_OWN"
          },
          "resource": {
            "type": "TYPE_SYSTEM"
          }
        }
      ],
      "resource": {
        "type": "TYPE_SYSTEM"
      }
    },
    {
      "id": "38071a68-456a-4553-846a-fa67bf5596cc",
      "name": "guest",
      "type": "TYPE_ROLE",
      "extension": "ocis-roles",
      "displayName": "Guest",
      "settings": [
        {
          "id": "ca878636-8b1a-4fae-8282-8617a4c13597",
          "name": "language-readwrite",
          "displayName": "Permission to read and set the language (self)",
          "permissionValue": {
            "operation": "OPERATION_READWRITE",
            "constraint": "CONSTRAINT_OWN"
          },
          "resource": {
            "type": "TYPE_SETTING",
            "id": "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f"
          }
        }
      ],
      "resource": {
        "type": "TYPE_SYSTEM"
      }
    }
  ]
}
ScharfViktor commented 1 year ago

After discussion with @C0rby, we decided that it is not critical that a user without administrator rights can see all system roles. A user should also be able to get roles via https://localhost:9200/graph/v1.0/applications. cc @amrita-shrestha