when requesting with a rule having a group as approver, do not share the file with the group if it already has access

julien-nc · julien-nc · commit 901eea1f1635 · 2023-04-19T12:05:57.000+02:00
Signed-off-by: Julien Veyssier &lt;julien-nc@posteo.net&gt;
diff --git a/lib/Service/ApprovalService.php b/lib/Service/ApprovalService.php
@@ -582,7 +582,7 @@ private function shareWithApprovers(int $fileId, array $rule, string $userId): a
 		}
 		if ($this->shareManager->allowGroupSharing()) {
 			foreach ($rule['approvers'] as $approver) {
-				if ($approver['type'] === 'group') {
+				if ($approver['type'] === 'group' && !$this->utilsService->groupHasAccessTo($fileId, $approver['entityId'])) {
 					if ($this->utilsService->createShare($node, IShare::TYPE_GROUP, $approver['entityId'], $fileOwner, $label)) {
 						$createdShares[] = $approver;
 					}
diff --git a/lib/Service/UtilsService.php b/lib/Service/UtilsService.php
@@ -12,6 +12,8 @@
 namespace OCA\Approval\Service;
 
 use Exception;
+use OCP\IGroup;
+use OCP\IGroupManager;
 use OCP\IUserManager;
 use OCP\IUser;
 use OCP\Files\IRootFolder;
@@ -41,19 +43,25 @@ class UtilsService {
 	 * @var ISystemTagManager
 	 */
 	private $tagManager;
+	/**
+	 * @var IGroupManager
+	 */
+	private $groupManager;
 
 	/**
 	 * Service providing storage, circles and tags tools
 	 */
 	public function __construct(string $appName,
 								IUserManager $userManager,
+								IGroupManager $groupManager,
 								IShareManager $shareManager,
 								IRootFolder $root,
 								ISystemTagManager $tagManager) {
 		$this->userManager = $userManager;
 		$this->shareManager = $shareManager;
 		$this->root = $root;
 		$this->tagManager = $tagManager;
+		$this->groupManager = $groupManager;
 	}
 
 	/**
@@ -154,6 +162,26 @@ public function userHasAccessTo(int $fileId, ?string $userId): bool {
 		return false;
 	}
 
+	/**
+	 * Return false if at least one member of the group does not have access to the file
+	 *
+	 * @param int $fileId
+	 * @param string|null $groupId
+	 * @return bool
+	 */
+	public function groupHasAccessTo(int $fileId, ?string $groupId): bool {
+		$group = $this->groupManager->get($groupId);
+		if ($group instanceof IGroup) {
+			foreach ($group->getUsers() as $groupUser) {
+				if (!$this->userHasAccessTo($fileId, $groupUser->getUID())) {
+					return false;
+				}
+			}
+			return true;
+		}
+		return false;
+	}
+
 	/**
 	 * @param string $name of the new tag
 	 * @return array

Original file line number	Diff line number	Diff line change
`@@ -582,7 +582,7 @@ private function shareWithApprovers(int $fileId, array $rule, string $userId): a`
`582`	`582`	`}`
`583`	`583`	`if ($this->shareManager->allowGroupSharing()) {`
`584`	`584`	`foreach ($rule['approvers'] as $approver) {`
`585`		`- if ($approver['type'] === 'group') {`
	`585`	`+ if ($approver['type'] === 'group' && !$this->utilsService->groupHasAccessTo($fileId, $approver['entityId'])) {`
`586`	`586`	`if ($this->utilsService->createShare($node, IShare::TYPE_GROUP, $approver['entityId'], $fileOwner, $label)) {`
`587`	`587`	`$createdShares[] = $approver;`
`588`	`588`	`}`