From 403ad9efaa44d50d23390209d2434fdf5889f764 Mon Sep 17 00:00:00 2001
From: Cristian Scheid
Date: Thu, 2 Jul 2026 09:02:22 -0300
Subject: [PATCH] fix(permission): get permissions for user from inherited when not direct member

Signed-off-by: Cristian Scheid
---
 lib/Db/MembershipRequest.php | 20 ++++++++++++++++++++
 lib/Service/PermissionService.php | 19 ++++++++++++++++---
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/lib/Db/MembershipRequest.php b/lib/Db/MembershipRequest.php
index 998acf8f0..eaed4546e 100644
--- a/lib/Db/MembershipRequest.php
+++ b/lib/Db/MembershipRequest.php
@@ -81,6 +81,26 @@ public function getMembership(string $circleId, string $singleId): Membership {
 }
+ /**
+ * @throws MembershipNotFoundException
+ */
+ public function getMembershipByUserId(string $circleId, string $userId): Membership {
+ $qb = $this->getMembershipSelectSql();
+ $qb->limitToCircleId($circleId);
+
+ $expr = $qb->expr();
+ $qb->leftJoin(
+ CoreQueryBuilder::MEMBERSHIPS,
+ CoreRequestBuilder::TABLE_MEMBER,
+ CoreQueryBuilder::MEMBER,
+ $expr->eq(CoreQueryBuilder::MEMBER . '.single_id', CoreQueryBuilder::MEMBERSHIPS . '.single_id')
+ );
+ $qb->andWhere($expr->eq(CoreQueryBuilder::MEMBER . '.user_id', $qb->createNamedParameter($userId)));
+
+ return $this->getItemFromRequest($qb);
+ }
+
+
+ /**
 * @param string $singleId
 *
diff --git a/lib/Service/PermissionService.php b/lib/Service/PermissionService.php
index 047718b10..1ab76e369 100644
--- a/lib/Service/PermissionService.php
+++ b/lib/Service/PermissionService.php
@@ -12,6 +12,7 @@
 namespace OCA\Circles\Service;
 use OCA\Circles\Db\MemberRequest;
+use OCA\Circles\Db\MembershipRequest;
 use OCA\Circles\Exceptions\InitiatorNotFoundException;
 use OCA\Circles\Exceptions\InsufficientPermissionException;
 use OCA\Circles\Exceptions\MemberHelperException;
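Review bot: In `getMembershipByUserId` (lib/Db/MembershipRequest.php) the member row is matched on `user_id` alone, and the result feeds the authorization decision in `userMustBeMember`. If that column is not unique across member types or instances in the joined table (the schema is not visible in this patch), a group, circle or remote account that shares the id string would satisfy the predicate and its membership would be attributed to the local user. The lookup should also constrain the member's type and instance, or resolve the user's single id first and reuse the existing `getMembership($circleId, $singleId)`. The docblock carries only `@throws`; it should state which membership is returned when several inheritance paths match, since `getItemFromRequest` yields a single item. Filtering on the joined table makes the `leftJoin` behave as an inner join, so `innerJoin` would state the intent.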
@@ -37,6 +38,9 @@ class PermissionService {
 /** @var MemberRequest */
 private $memberRequest;
+ /** @var MembershipRequest */
+ private $membershipRequest;
+
 /**
 * @param IL10N $l10n
 * @param FederatedUserService $federatedUserService
@@ -47,11 +51,13 @@ public function __construct(
 FederatedUserService $federatedUserService,
 ConfigService $configService,
 MemberRequest $memberRequest,
+ MembershipRequest $membershipRequest,
 ) {
 $this->l10n = $l10n;
 $this->federatedUserService = $federatedUserService;
 $this->configService = $configService;
 $this->memberRequest = $memberRequest;
+ $this->membershipRequest = $membershipRequest;
 }
@@ -174,9 +180,16 @@ public function userMustBeMember(string $userId, string $circleId): Member {
 try {
 return $this->memberRequest->getMemberByUserId($circleId, $userId);
 } catch (MemberNotFoundException) {
- throw new InsufficientPermissionException(
- $this->l10n->t('Insufficient permissions to perform this action')
- );
+ // not a direct member, check if user has inherited membership via group/circle
+ try {
+ $membership = $this->membershipRequest->getMembershipByUserId($circleId, $userId);
+ // return group/circle member through which access is inherited, to use its permission level
+ return $this->memberRequest->getMember($circleId, $membership->getInheritanceFirst());
+ } catch (MembershipNotFoundException) {
+ throw new InsufficientPermissionException(
+ $this->l10n->t('Insufficient permissions to perform this action')
+ );
+ }
 }
 }
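Review bot: In the new fallback inside `userMustBeMember`, only `MembershipNotFoundException` is turned into `InsufficientPermissionException`. If `getMember()` finds no row for the id returned by `getInheritanceFirst()` it presumably throws `MemberNotFoundException`, which would escape this check as a different exception type than callers handle as a denial. Catching both with `} catch (MembershipNotFoundException|MemberNotFoundException) {` keeps the denial path uniform. The import hunk for this file adds only `MembershipRequest`, so unless `MembershipNotFoundException` is already imported outside the visible lines, the catch resolves to a class in the current namespace and never matches. Any lines between the function's signature and its `try {` sit above the hunk.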