From 0a535dc9e2b0feeba54bf5dc615f296e52d14060 Mon Sep 17 00:00:00 2001
From: Jannik Stehle
Date: Thu, 18 Apr 2024 12:55:46 +0200
Subject: [PATCH 1/2] feat: add secure view share role

Adds a new share role "Secure view". This role only allows viewing resources, no downloading, editing or deleting.
---
 changelog/unreleased/secure-view-share-role.md | 5 +++++
 pkg/conversions/role.go | 16 ++++++++++++++++
 pkg/conversions/role_test.go | 15 +++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 changelog/unreleased/secure-view-share-role.md

diff --git a/changelog/unreleased/secure-view-share-role.md b/changelog/unreleased/secure-view-share-role.md
new file mode 100644
index 0000000000..3405226cef
--- /dev/null
+++ b/changelog/unreleased/secure-view-share-role.md
@@ -0,0 +1,5 @@
+Enhancement: Secure view share role
+
+A new share role "Secure view" has been added. This role only allows viewing resources, no downloading, editing or deleting.
+
+https://github.com/cs3org/reva/pull/4643
diff --git a/pkg/conversions/role.go b/pkg/conversions/role.go
index 29621c4aae..a6916bf996 100644
--- a/pkg/conversions/role.go
+++ b/pkg/conversions/role.go
@@ -52,6 +52,8 @@ const (
 RoleUploader = "uploader"
 // RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
 RoleManager = "manager"
+ // RoleSecureView grants secure view permissions on a resource or space.
+ RoleSecureView = "secure-view"
 // RoleUnknown is used for unknown roles.
 RoleUnknown = "unknown"
@@ -159,6 +161,8 @@ func RoleFromName(name string) *Role {
 return NewUploaderRole()
 case RoleManager:
 return NewManagerRole()
+ case RoleSecureView:
+ return NewSecureViewRole()
 default:
 return NewUnknownRole()
 }
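Review bot: The `case RoleSecureView:` arm added to RoleFromName covers only the name-to-role direction; nothing in this patch touches a lookup from a stored permission set back to a role. If the package has such a reverse mapping (not visible in this diff), a grant holding only GetPath, ListContainer and Stat should be checked against it, because a share that resolves to the `default:` unknown role when read back makes access reviews of secure-view shares unreliable. A table test that round-trips the new role through that lookup would show whether this happens. RoleFromName's switch starts outside the hunk.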
@@ -363,6 +367,18 @@ func NewManagerRole() *Role {
 }
 }
+// NewSecureViewRole creates a secure view role
+func NewSecureViewRole() *Role {
+ return &Role{
+ Name: RoleSecureView,
+ cS3ResourcePermissions: &provider.ResourcePermissions{
+ GetPath: true,
+ ListContainer: true,
+ Stat: true,
+ },
+ }
+}
+
 // RoleFromOCSPermissions tries to map ocs permissions to a role
 // TODO: rethink using this. ocs permissions cannot be assigned 1:1 to roles
 func RoleFromOCSPermissions(p Permissions, ri *provider.ResourceInfo) *Role {
diff --git a/pkg/conversions/role_test.go b/pkg/conversions/role_test.go
index 0246cae22b..9f20e82a63 100644
--- a/pkg/conversions/role_test.go
+++ b/pkg/conversions/role_test.go
@@ -74,6 +74,21 @@ func TestSufficientPermissions(t *testing.T) {
 Requested: RoleFromName("denied").CS3ResourcePermissions(),
 Sufficient: false,
 },
+ {
+ Existing: RoleFromName("secure-view").CS3ResourcePermissions(),
+ Requested: RoleFromName("secure-view").CS3ResourcePermissions(),
+ Sufficient: true,
+ },
+ {
+ Existing: RoleFromName("secure-view").CS3ResourcePermissions(),
+ Requested: RoleFromName("viewer").CS3ResourcePermissions(),
+ Sufficient: false,
+ },
+ {
+ Existing: RoleFromName("secure-view").CS3ResourcePermissions(),
+ Requested: RoleFromName("editor").CS3ResourcePermissions(),
+ Sufficient: false,
+ },
 {
 Existing: &providerv1beta1.ResourcePermissions{
 // all permissions, used for personal space owners
From e60a7fdf99d6383523f64c22b79b036b9b3aa427 Mon Sep 17 00:00:00 2001
From: Jannik Stehle
Date: Mon, 22 Apr 2024 16:26:36 +0200
Subject: [PATCH 2/2] fix: align secure viewer role naming with other roles

---
 changelog/unreleased/secure-view-share-role.md | 4 ++--
 pkg/conversions/role.go | 14 +++++++-------
 pkg/conversions/role_test.go | 8 ++++----
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/changelog/unreleased/secure-view-share-role.md b/changelog/unreleased/secure-view-share-role.md
index 3405226cef..3111011cde 100644
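Review bot: The doc comment on NewSecureViewRole (NewSecureViewerRole after patch 2/2) does not say that the download permission is left out on purpose, although the "no downloading" promise in the commit message rests entirely on the three booleans in this literal. I would spell that out, e.g. `// NewSecureViewRole creates a role that may stat, list and resolve paths; it deliberately omits InitiateFileDownload and every write permission.`, so a later edit does not add it by analogy with the other roles. The literal sets only Name and cS3ResourcePermissions, so any other Role field keeps its zero value; the Role struct is outside the hunk, so confirm that is intended. The role only declares permissions; whether a download is actually refused depends on the callers that check them, which this diff does not show.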
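Review bot: The three cases added to TestSufficientPermissions compare one role against another and never look at the permission set itself, so they would presumably still pass if secure-view later gained InitiateFileDownload. A direct assertion pins the property the role exists for: `if RoleFromName("secure-view").CS3ResourcePermissions().InitiateFileDownload { t.Fatal("secure-view must not allow download") }`. A case with viewer as Existing and secure-view as Requested, expected to be sufficient, would cover the other direction. The test table starts and ends outside the hunk.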
--- a/changelog/unreleased/secure-view-share-role.md
+++ b/changelog/unreleased/secure-view-share-role.md
@@ -1,5 +1,5 @@
-Enhancement: Secure view share role
+Enhancement: Secure viewer share role
-A new share role "Secure view" has been added. This role only allows viewing resources, no downloading, editing or deleting.
+A new share role "Secure viewer" has been added. This role only allows viewing resources, no downloading, editing or deleting.
 https://github.com/cs3org/reva/pull/4643
diff --git a/pkg/conversions/role.go b/pkg/conversions/role.go
index a6916bf996..52a860bd1a 100644
--- a/pkg/conversions/role.go
+++ b/pkg/conversions/role.go
@@ -52,8 +52,8 @@ const (
 RoleUploader = "uploader"
 // RoleManager grants manager permissions on a resource. Semantically equivalent to co-owner.
 RoleManager = "manager"
- // RoleSecureView grants secure view permissions on a resource or space.
- RoleSecureView = "secure-view"
+ // RoleSecureViewer grants secure view permissions on a resource or space.
+ RoleSecureViewer = "secure-viewer"
 // RoleUnknown is used for unknown roles.
 RoleUnknown = "unknown"
@@ -161,8 +161,8 @@ func RoleFromName(name string) *Role {
 return NewUploaderRole()
 case RoleManager:
 return NewManagerRole()
- case RoleSecureView:
- return NewSecureViewRole()
+ case RoleSecureViewer:
+ return NewSecureViewerRole()
 default:
 return NewUnknownRole()
 }
@@ -367,10 +367,10 @@ func NewManagerRole() *Role {
 }
 }
-// NewSecureViewRole creates a secure view role
-func NewSecureViewRole() *Role {
+// NewSecureViewerRole creates a secure viewer role
+func NewSecureViewerRole() *Role {
 return &Role{
- Name: RoleSecureView,
+ Name: RoleSecureViewer,
 cS3ResourcePermissions: &provider.ResourcePermissions{
 GetPath: true,
 ListContainer: true,
diff --git a/pkg/conversions/role_test.go b/pkg/conversions/role_test.go
index 9f20e82a63..c087e293e5 100644
--- a/pkg/conversions/role_test.go
+++ b/pkg/conversions/role_test.go
@@ -75,17 +75,17 @@ func TestSufficientPermissions(t *testing.T) {
 Sufficient: false,
 },
 {
- Existing: RoleFromName("secure-view").CS3ResourcePermissions(),
- Requested: RoleFromName("secure-view").CS3ResourcePermissions(),
+ Existing: RoleFromName("secure-viewer").CS3ResourcePermissions(),
+ Requested: RoleFromName("secure-viewer").CS3ResourcePermissions(),
 Sufficient: true,
 },
 {
- Existing: RoleFromName("secure-view").CS3ResourcePermissions(),
+ Existing: RoleFromName("secure-viewer").CS3ResourcePermissions(),
 Requested: RoleFromName("viewer").CS3ResourcePermissions(),
 Sufficient: false,
 },
 {
- Existing: RoleFromName("secure-view").CS3ResourcePermissions(),
+ Existing: RoleFromName("secure-viewer").CS3ResourcePermissions(),
 Requested: RoleFromName("editor").CS3ResourcePermissions(),
 Sufficient: false,
 },