feat: implicit access from apps to shared appdata dirs

Author: KernelDeimos

packages/backend/src/filesystem/FSNodeContext.js

@@ -165,17 +165,26 @@ module.exports = class FSNodeContext {
         return ! this.entry.parent_uid;
     }
 
-    async getUserPart () {
-        if ( this.isRoot ) return;
+    async getPathComponents () {
+        if ( this.isRoot ) return [];
 
         let path = await this.get('path');
         if ( path.startsWith('/') ) path = path.slice(1);
-        const components = path.split('/');
-        const userpart = components[0];
-        
-        return userpart;
+        return path.split('/');
+    }
+    
+    async getUserPart () {
+        if ( this.isRoot ) return;
+        const components = await this.getPathComponents();
+        return components[0];
     }
 
+    async getPathSize () {
+        if ( this.isRoot ) return;
+        const components = await this.getPathComponents();
+        return components.length;
+    }
+    
     async exists (fetch_options = {}) {
         await this.fetchEntry();
         if ( ! this.found ) {

packages/backend/src/filesystem/hl_operations/hl_write.js

@@ -31,6 +31,7 @@ const { RootNodeSelector, NodePathSelector } = require("../node/selectors");
 const { is_valid_node_name } = require("../validation");
 const { HLFilesystemOperation } = require("./definitions");
 const { MkTree } = require("./hl_mkdir");
+const { Actor } = require("../../services/auth/Actor");
 
 class WriteCommonTrait {
     install_in_instance (instance) {
@@ -186,10 +187,6 @@ class HLWrite extends HLFilesystemOperation {
             throw APIError.create('cannot_write_to_root');
         }
 
-        if ( values.user && ! await chkperm(await parent.get('entry'), values.user.id, 'write') ) {
-            throw APIError.create('forbidden');
-        }
-
         try {
             // old validator is kept here to avoid changing the
             // error messages; eventually is_valid_node_name
@@ -222,6 +219,21 @@ class HLWrite extends HLFilesystemOperation {
         if ( values.offset !== undefined && ! dest_exists ) {
             throw APIError.create('offset_without_existing_file');
         }
+        
+        // The correct ACL check here depends on context.
+        // ll_write checks ACL, but we need to shortcut it here
+        // or else we might send the user too much information.
+        {
+            const node_to_check =
+                ( dest_exists && overwrite && ! dedupe_name )
+                    ? destination : parent;
+
+            const actor = values.actor ?? Actor.adapt(values.user);
+            const svc_acl = context.get('services').get('acl');
+            if ( ! await svc_acl.check(actor, node_to_check, 'write') ) {
+                throw await svc_acl.get_safe_acl_error(actor, node_to_check, 'write');
+            }
+        }
 
         if ( dest_exists ) {
             console.log('DESTINATION EXISTS', dedupe_name)

packages/backend/src/services/auth/ACLService.js

@@ -78,7 +78,7 @@ class ACLService extends BaseService {
                 return true;
             }
         }
-
+        
         // app-under-user only works if the user also has permission
         if ( actor.type instanceof AppUnderUserActorType ) {
             const user_actor = new Actor({
@@ -88,6 +88,23 @@ class ACLService extends BaseService {
 
             if ( ! user_perm ) return false;
         }
+        
+        // Hard rule: if app-under-user is accessing appdata directory
+        //            under a **different user**, allow,
+        //            IFF that appdata directory is shared with  user
+        //              (by "user also has permission" check above)
+        if (await (async () => {
+            if ( ! (actor.type instanceof AppUnderUserActorType) ) {
+                return false;
+            }
+            if ( await fsNode.getUserPart() === actor.type.user.username ) {
+                return false;
+            }
+            const components = await fsNode.getPathComponents();
+            if ( components[1] !== 'AppData' ) return false;
+            if ( components[2] !== actor.type.app.uid ) return false;
+            return true;
+        })()) return true;
 
         const svc_permission = await context.get('services').get('permission');