-
-
Notifications
You must be signed in to change notification settings - Fork 5.1k
feat(share): add public share-review API under OCP\Share\ShareReview #61543
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
de8fd65
492ecc3
021a3d8
df285d5
fa57f02
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,165 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors | ||
| * SPDX-License-Identifier: AGPL-3.0-or-later | ||
| */ | ||
|
|
||
| namespace OCP\Share\ShareReview\Events; | ||
|
|
||
| use OCP\AppFramework\Attribute\Consumable; | ||
| use OCP\EventDispatcher\Event; | ||
|
|
||
| /** | ||
| * Authorization gate for deleting an app-managed share through a share-review app. | ||
| * | ||
| * Background: Apps such as Deck or Tables manage their own shares outside of | ||
| * the regular sharing backend ({@see \OCP\Share\IManager}). They can expose | ||
| * those shares to a share-review app — a compliance tool that lets designated | ||
| * operators audit and revoke shares across all apps — by implementing | ||
| * {@see \OCP\Share\ShareReview\IShareReviewSource}. When a share-review | ||
| * operator requests the deletion of such a share, the deletion is executed by | ||
| * the app that owns the share, not by the share-review app. The owning app | ||
| * has no way of knowing whether the acting user is actually authorized to | ||
| * perform share reviews — only the share-review app knows that. This event | ||
| * closes that gap: it lets the owning app ask "may the current user delete | ||
| * this share on behalf of a share review?" before deleting anything. | ||
| * | ||
| * Dispatched by: the app that owns the share, i.e. the | ||
| * {@see \OCP\Share\ShareReview\IShareReviewSource} implementation, at the | ||
| * beginning of its deleteShare() method: | ||
| * | ||
| * public function deleteShare(string $shareId): bool { | ||
| * $event = new ShareReviewAccessCheckEvent('MyApp', $shareId); | ||
| * $this->dispatcher->dispatchTyped($event); | ||
| * if (!$event->isHandled() || !$event->isGranted()) { | ||
| * return false; // default-deny: no listener means no access | ||
| * } | ||
| * // ... actually delete the share ... | ||
| * } | ||
| * | ||
| * Listened to by: the share-review app. Its listener decides whether the | ||
| * current user is an authorized share-review operator (e.g. the app is | ||
| * enabled for the user) and answers with grantAccess() or denyAccess(): | ||
| * | ||
| * public function handle(Event $event): void { | ||
| * if (!$event instanceof ShareReviewAccessCheckEvent) { | ||
| * return; | ||
| * } | ||
| * if ($this->isShareReviewOperator()) { | ||
| * $event->grantAccess(); | ||
| * } else { | ||
| * $event->denyAccess('User is not a share-review operator.'); | ||
| * } | ||
| * } | ||
| * | ||
| * Apps that merely expose shares must not listen to this event; answering it | ||
| * is the responsibility of the share-review app that triggered the deletion. | ||
| * | ||
| * Semantics: | ||
| * - Default-deny: if no listener responds (isHandled() is false, e.g. no | ||
| * share-review app is installed), the dispatcher must not delete the share. | ||
| * - Deny wins: once denyAccess() is called, further grantAccess() calls are | ||
| * ignored and propagation is stopped immediately. | ||
| * - Multiple grants are harmless; the last listener to deny is authoritative. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| #[Consumable(since: '34.0.2')] | ||
| class ShareReviewAccessCheckEvent extends Event { | ||
|
|
||
| private bool $handled = false; | ||
| private bool $granted = false; | ||
| private ?string $reason = null; | ||
|
|
||
| /** | ||
| * @param string $sourceName Stable, non-translated identifier for the app | ||
| * registering the share source (e.g. 'Deck', 'Tables'). | ||
| * @param string $shareId App-internal identifier of the share being deleted. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function __construct( | ||
| private readonly string $sourceName, | ||
| private readonly string $shareId, | ||
| ) { | ||
| parent::__construct(); | ||
| } | ||
|
|
||
| /** | ||
| * Stable, non-translated identifier of the app that owns this share source. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function getSourceName(): string { | ||
| return $this->sourceName; | ||
| } | ||
|
|
||
| /** | ||
| * App-internal identifier of the share being deleted. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function getShareId(): string { | ||
| return $this->shareId; | ||
| } | ||
|
|
||
| /** | ||
| * Grant access to delete the share. | ||
| * | ||
| * Has no effect if denyAccess() was already called on this event — deny wins. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function grantAccess(): void { | ||
| if ($this->handled && !$this->granted) { | ||
| return; // deny wins — a prior denyAccess() cannot be escalated to a grant | ||
| } | ||
| $this->handled = true; | ||
| $this->granted = true; | ||
| } | ||
|
|
||
| /** | ||
| * Deny access and provide a human-readable reason. | ||
| * | ||
| * Stops event propagation immediately — no further listeners will run. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function denyAccess(string $reason): void { | ||
| $this->handled = true; | ||
| $this->granted = false; | ||
| $this->reason = $reason; | ||
| $this->stopPropagation(); | ||
| } | ||
|
|
||
| /** | ||
| * Whether any listener has responded to this event. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function isHandled(): bool { | ||
| return $this->handled; | ||
| } | ||
|
|
||
| /** | ||
| * Whether access was granted. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function isGranted(): bool { | ||
| return $this->granted; | ||
| } | ||
|
|
||
| /** | ||
| * Human-readable denial reason, or null if access was granted or the event | ||
| * has not been handled yet. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function getReason(): ?string { | ||
| return $this->reason; | ||
| } | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors | ||
| * SPDX-License-Identifier: AGPL-3.0-or-later | ||
| */ | ||
|
|
||
| namespace OCP\Share\ShareReview; | ||
|
|
||
| use OCP\AppFramework\Attribute\Implementable; | ||
|
|
||
| /** | ||
| * Interface to be implemented by apps that want to expose their app-managed | ||
| * shares to a share-review app. Implementations are registered through | ||
| * {@see RegisterShareReviewSourceEvent} and resolved from the dependency | ||
| * injection container. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| #[Implementable(since: '34.0.2')] | ||
| interface IShareReviewSource { | ||
| /** | ||
| * The name of the app, used in the review table | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function getName(): string; | ||
|
|
||
| /** | ||
| * Return all app-specific shares. | ||
| * | ||
| * The app name is added by the share-review app from getName(). | ||
| * | ||
| * @return list<ShareReviewEntry> | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function getShares(): array; | ||
|
|
||
| /** | ||
| * Delete an app-specific share. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| public function deleteShare(string $shareId): bool; | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors | ||
| * SPDX-License-Identifier: AGPL-3.0-or-later | ||
| */ | ||
|
|
||
| namespace OCP\Share\ShareReview; | ||
|
|
||
| use OCP\AppFramework\Attribute\Dispatchable; | ||
| use OCP\AppFramework\Attribute\Listenable; | ||
| use OCP\EventDispatcher\Event; | ||
|
|
||
| /** | ||
| * Event dispatched by a share-review app to collect share sources from other | ||
| * apps. Listeners register the class name of their {@see IShareReviewSource} | ||
| * implementation; the share-review app resolves it from the dependency | ||
| * injection container. | ||
| * | ||
| * @since 34.0.2 | ||
| */ | ||
| #[Listenable(since: '34.0.2')] | ||
| #[Dispatchable(since: '34.0.2')] | ||
| class RegisterShareReviewSourceEvent extends Event { | ||
|
|
||
| /** @var array<int, class-string<IShareReviewSource>> */ | ||
| private array $sources = []; | ||
|
|
||
| /** | ||
| * @param class-string<IShareReviewSource> $source | ||
| * @since 34.0.2 | ||
| */ | ||
| public function registerSource(string $source): void { | ||
| $this->sources[] = $source; | ||
| } | ||
|
|
||
| /** | ||
| * @return array<int, class-string<IShareReviewSource>> | ||
| * @since 34.0.2 | ||
| */ | ||
| public function getSources(): array { | ||
| return $this->sources; | ||
| } | ||
| } |
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,57 @@ | ||||||
| <?php | ||||||
|
|
||||||
| declare(strict_types=1); | ||||||
|
|
||||||
| /** | ||||||
| * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors | ||||||
| * SPDX-License-Identifier: AGPL-3.0-or-later | ||||||
| */ | ||||||
|
|
||||||
| namespace OCP\Share\ShareReview; | ||||||
|
|
||||||
| use OCP\AppFramework\Attribute\Consumable; | ||||||
|
|
||||||
| /** | ||||||
| * Holds a single app-managed share as exposed to a share-review app through | ||||||
| * {@see IShareReviewSource::getShares()}. | ||||||
| * | ||||||
| * @since 34.0.2 | ||||||
| */ | ||||||
| #[Consumable(since: '34.0.2')] | ||||||
| final class ShareReviewEntry { | ||||||
| /** | ||||||
| * @param string $id Unique app-specific identifier for the share, passed | ||||||
| * to {@see IShareReviewSource::deleteShare()}. | ||||||
| * @param string $object Name or title of the shared object, such as a | ||||||
| * file path or report name. | ||||||
| * @param string $initiator User ID of the initiator. | ||||||
| * @param int $type {@see \OCP\Share\IShare} type of the share. | ||||||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * @param string $recipient User ID of the owner or the token of a link. | ||||||
| * @param int $permissions Permissions level of the share. | ||||||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * @param string $time Creation time of the share. | ||||||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * @param string $action Optional deletion identifier override. An empty | ||||||
| * string means $id is used. | ||||||
| * @param int|null $timestamp Optional creation Unix timestamp, used for sorting. | ||||||
| * @param bool $password Whether the share is password protected. Never | ||||||
| * the password itself. | ||||||
| * @param string|null $expiration Optional expiration date displayed for the share. | ||||||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * @param string|null $parent Optional identifier of the parent share. | ||||||
| * | ||||||
| * @since 34.0.2 | ||||||
| */ | ||||||
| public function __construct( | ||||||
| public readonly string $id, | ||||||
| public readonly string $object, | ||||||
| public readonly string $initiator, | ||||||
| public readonly int $type, | ||||||
| public readonly string $recipient, | ||||||
| public readonly int $permissions = 1, | ||||||
| public readonly string $time = '1970-01-01 01:00:00', | ||||||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This should be a proper ISO8601 string. |
||||||
| public readonly string $action = '', | ||||||
| public readonly ?int $timestamp = null, | ||||||
|
Comment on lines
+49
to
+51
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There should not be two fields for the creation time. Also their names are not descriptive enough, they should be called If you keep it like this, you can expect that they will be used incorrectly, because they're confusing 🙈 |
||||||
| public readonly bool $password = false, | ||||||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| public readonly ?string $expiration = null, | ||||||
| public readonly ?string $parent = null, | ||||||
| ) { | ||||||
| } | ||||||
| } | ||||||
Uh oh!
There was an error while loading. Please reload this page.