Protect server-managed Android public links

This commit is contained in:
Курнат Андрей
2026-06-12 22:26:21 +03:00
parent c247af04a1
commit 32f7c59bd4
9 changed files with 76 additions and 18 deletions
@@ -238,16 +238,16 @@ class PublicShareDialogFragment : DialogFragment() {
if (updating()) {
binding.publicShareDialogTitle.setText(R.string.share_via_link_edit_title)
binding.shareViaLinkNameValue.setText(publicShare?.name)
val publicShareStatus = publicShare?.let { PublicShareStatusFormatter.statusFor(it) }
when (publicShare?.permissions) {
RemoteShare.CREATE_PERMISSION_FLAG
or RemoteShare.DELETE_PERMISSION_FLAG
or RemoteShare.UPDATE_PERMISSION_FLAG
or RemoteShare.READ_PERMISSION_FLAG ->
when (publicShareStatus?.accessMode) {
PublicShareAccessMode.READ_AND_WRITE ->
binding.shareViaLinkEditPermissionReadAndWrite.isChecked = true
RemoteShare.CREATE_PERMISSION_FLAG -> binding.shareViaLinkEditPermissionUploadFiles.isChecked = true
else -> binding.shareViaLinkEditPermissionReadOnly.isChecked = true
PublicShareAccessMode.UPLOAD_ONLY -> binding.shareViaLinkEditPermissionUploadFiles.isChecked = true
PublicShareAccessMode.READ_ONLY -> binding.shareViaLinkEditPermissionReadOnly.isChecked = true
PublicShareAccessMode.CUSTOM -> binding.shareViaLinkEditPermissionGroup.clearCheck()
null -> binding.shareViaLinkEditPermissionReadOnly.isChecked = true
}
if (publicShare?.isPasswordProtected == true) {
@@ -265,12 +265,19 @@ class PublicShareDialogFragment : DialogFragment() {
binding.shareViaLinkExpirationValue.text = formattedDate
}
if (publicShareStatus?.isEditableInOcsDialog == false) {
applyServerManagedPublicLinkState()
}
} else {
binding.shareViaLinkNameValue.setText(arguments?.getString(ARG_DEFAULT_LINK_NAME, ""))
}
}
private fun onSaveShareSetting() {
if (isServerManagedPublicLink()) {
return
}
// Get data filled by user
val publicLinkName = binding.shareViaLinkNameValue.text.toString()
var publicLinkPassword: String? = binding.shareViaLinkPasswordValue.text.toString()
@@ -826,6 +833,11 @@ class PublicShareDialogFragment : DialogFragment() {
QSferaVersion(it, it) // FIXME: check productversion as second parameter, not versionstring
}
if (isServerManagedPublicLink()) {
applyServerManagedPublicLinkState()
return
}
// Show keyboard to fill the public share name
dialog?.window?.setSoftInputMode(
WindowManager.LayoutParams.SOFT_INPUT_STATE_VISIBLE or WindowManager.LayoutParams.SOFT_INPUT_ADJUST_RESIZE
@@ -932,6 +944,23 @@ class PublicShareDialogFragment : DialogFragment() {
}
}
private fun isServerManagedPublicLink(): Boolean =
publicShare?.let { share -> !PublicShareStatusFormatter.statusFor(share).isEditableInOcsDialog } == true
private fun applyServerManagedPublicLinkState() {
binding.shareViaLinkManagedAccessMessage.isVisible = true
binding.shareViaLinkEditPermissionGroup.isVisible = false
binding.shareViaLinkNameValue.isEnabled = false
binding.shareViaLinkPasswordSwitch.isEnabled = false
binding.shareViaLinkPasswordValue.isEnabled = false
binding.generatePasswordButton.isEnabled = false
binding.copyPasswordButton.isEnabled = false
binding.shareViaLinkExpirationSwitch.isEnabled = false
binding.shareViaLinkExpirationLabel.isEnabled = false
binding.shareViaLinkExpirationValue.isEnabled = false
binding.saveButton.isEnabled = false
}
private fun isReadOnlyPermission() = binding.shareViaLinkEditPermissionReadOnly.isChecked &&
capabilities?.filesSharingPublicPasswordEnforcedReadOnly == CapabilityBooleanType.TRUE
@@ -6,11 +6,14 @@ import eu.qsfera.android.lib.resources.shares.RemoteShare
internal object PublicShareStatusFormatter {
fun statusFor(share: OCShare): PublicShareStatus =
PublicShareStatus(
accessMode = accessModeFor(share.permissions),
isPasswordProtected = share.isPasswordProtected,
expirationDateInMillis = share.expirationDate.takeIf { it > 0 }
)
accessModeFor(share.permissions).let { accessMode ->
PublicShareStatus(
accessMode = accessMode,
isPasswordProtected = share.isPasswordProtected,
expirationDateInMillis = share.expirationDate.takeIf { it > 0 },
isEditableInOcsDialog = accessMode != PublicShareAccessMode.CUSTOM,
)
}
private fun accessModeFor(permissions: Int): PublicShareAccessMode {
val canRead = permissions hasPermission RemoteShare.READ_PERMISSION_FLAG
@@ -39,7 +42,8 @@ internal object PublicShareStatusFormatter {
internal data class PublicShareStatus(
val accessMode: PublicShareAccessMode,
val isPasswordProtected: Boolean,
val expirationDateInMillis: Long?
val expirationDateInMillis: Long?,
val isEditableInOcsDialog: Boolean,
)
internal enum class PublicShareAccessMode {
@@ -76,6 +76,21 @@
</RadioGroup>
<TextView
android:id="@+id/shareViaLinkManagedAccessMessage"
android:layout_width="match_parent"
android:layout_height="wrap_content"
android:layout_marginLeft="@dimen/standard_half_margin"
android:layout_marginRight="@dimen/standard_half_margin"
android:drawableStart="@drawable/common_error_grey"
android:drawablePadding="5dp"
android:gravity="center_vertical"
android:padding="@dimen/standard_half_padding"
android:text="@string/share_via_link_managed_access_message"
android:textColor="@color/secondaryTextColor"
android:textSize="13sp"
android:visibility="gone" />
<RelativeLayout
android:id="@+id/shareViaLinkPasswordSection"
android:layout_width="match_parent"
@@ -628,6 +628,7 @@
<string name="share_public_link_status_read_and_write">Скачивание / просмотр / загрузка</string>
<string name="share_public_link_status_upload_only">Только загрузка</string>
<string name="share_public_link_status_custom">Особые права</string>
<string name="share_via_link_managed_access_message">Эта ссылка использует доступ, управляемый сервером: например, доступ только для организации или безопасный просмотр без скачивания. Здесь ее можно скопировать или удалить. Изменяйте ее в веб-приложении, чтобы не изменить защиту.</string>
<string name="share_public_link_status_password_protected">Защищено паролем</string>
<string name="share_public_link_status_no_password">Без пароля</string>
<string name="share_public_link_status_expires">Действует до %1$s</string>
@@ -683,6 +683,7 @@
<string name="share_public_link_status_read_and_write">Download / View / Upload</string>
<string name="share_public_link_status_upload_only">Upload only</string>
<string name="share_public_link_status_custom">Custom access</string>
<string name="share_via_link_managed_access_message">This link uses server-managed access, such as organization-only access or secure view without downloads. You can copy or remove it here. Edit it from the web app to avoid changing its protection.</string>
<string name="share_public_link_status_password_protected">Password protected</string>
<string name="share_public_link_status_no_password">No password</string>
<string name="share_public_link_status_expires">Expires %1$s</string>
@@ -23,6 +23,7 @@ class PublicShareStatusFormatterTest {
assertEquals(PublicShareAccessMode.READ_ONLY, status.accessMode)
assertFalse(status.isPasswordProtected)
assertNull(status.expirationDateInMillis)
assertTrue(status.isEditableInOcsDialog)
}
@Test
@@ -62,5 +63,6 @@ class PublicShareStatusFormatterTest {
val status = PublicShareStatusFormatter.statusFor(share)
assertEquals(PublicShareAccessMode.CUSTOM, status.accessMode)
assertFalse(status.isEditableInOcsDialog)
}
}
+1 -1
View File
@@ -40,6 +40,7 @@ Date: 2026-06-08.
- Android photo/video backup status now shows per-source scan state, missing SAF folder access, and selected-account low-storage warnings in the settings summary. `:qsferaApp:testOriginalDebugUnitTest --tests "eu.qsfera.android.presentation.settings.automaticuploads.AutomaticUploadStatusFormatterTest"` and `:qsferaApp:compileOriginalDebugKotlin` passed on 2026-06-10.
- Android photo/video backup status now also observes automatic-upload transfers live and reports uploading, queued, failed, and paused-by-network/roaming/charging states in the settings summary. `:qsferaApp:testOriginalDebugUnitTest --tests "eu.qsfera.android.presentation.settings.automaticuploads.AutomaticUploadStatusFormatterTest"` and `:qsferaApp:compileOriginalDebugKotlin` passed on 2026-06-10.
- Android public-link rows now show the effective access mode, password state, and expiration state directly in the share list, so users can review link safety without reopening each link. `:qsferaApp:testOriginalDebugUnitTest --tests "eu.qsfera.android.presentation.sharing.shares.PublicShareStatusFormatterTest"` and `:qsferaApp:compileOriginalDebugKotlin` passed on 2026-06-10.
- Android now keeps Graph-style `internal` and `blocksDownload` public links as server-managed custom-access states in the OCS public-link editor: list rows show `Custom access`, the edit dialog explains that the link is managed by the server, and saving is disabled to avoid downgrading organization-only or secure-view protection to a standard OCS link.
- Sharing controls were audited against the Google Drive and Yandex Disk benchmarks in `Server/docs/sharing-controls-production-audit.md`, and `scripts/verify-sharing-controls-coverage.ps1` now checks local Android UI, Graph link types, server link handling, and acceptance-feature coverage for password, expiration, access roles, internal links, secure-view/no-download behavior, and role-based resharing.
- Server `qsfera_full` compose files now require explicit admin, Keycloak, and S3/MinIO secrets instead of demo defaults.
- Server `qsfera_full/env.production.example` provides a tracked production-safe starting point with TLS validation enabled and demo users disabled.
@@ -93,4 +94,3 @@ Date: 2026-06-08.
## Remaining P1
- Configure `QSFERA_ALERT_WEBHOOK_URL` in `/etc/qsfera/rpi-production-check.env` if off-host alert delivery is required; the installed failure service currently logs through `systemd-cat` and journal without an external endpoint.
- Decide and implement Android-facing controls for Graph `internal` links and `blocksDownload` secure-view links, or explicitly keep them server-managed/custom-access states. Server/API coverage is documented in `Server/docs/sharing-controls-production-audit.md`; the Android public-link dialog still exposes only password, expiration, read-only, read/write, and upload-only OCS controls.
@@ -14,8 +14,8 @@ Date: 2026-06-10.
| Public-link password | Android exposes `shareViaLinkPasswordSwitch`; Graph `CreateLink` stores `Password`; acceptance tests create and update password-protected link shares and verify old passwords fail with HTTP `401`. | Covered for Android OCS links and Graph links. |
| Public-link expiration | Android exposes `shareViaLinkExpirationSwitch`; Graph `CreateLink` reads `expirationDateTime`; acceptance tests create, update, and remove expiration dates. | Covered for Android OCS links and Graph links. |
| Link access role | Android exposes read-only, read/write, and upload-only radio options; Graph link types include `view`, `edit`, `upload`, and `createOnly`; acceptance tests cover those roles for files, folders, and project-space links. | Covered, with different Android OCS labels and Graph role names. |
| Disable downloads / secure view | Graph link types include `blocksDownload`; acceptance tests also verify the `Secure Viewer` role cannot download files. Android public-link rows now display non-standard link permissions as `Custom access`. | Server/API coverage exists; Android does not expose a dedicated `blocksDownload` switch. |
| Organization-only access | Graph link types include `internal`; frontend config documents default link permission `0` as an internal/member-only link; server rejects redundant passwords on internal links; acceptance tests create and update internal links. | Server/API coverage exists; Android does not expose a separate organization-only/internal link choice. |
| Disable downloads / secure view | Graph link types include `blocksDownload`; acceptance tests also verify the `Secure Viewer` role cannot download files. Android public-link rows display non-standard link permissions as `Custom access`, and the Android edit dialog treats those links as server-managed so they cannot be downgraded through the OCS dialog. | Server/API coverage exists; Android keeps `blocksDownload` links server-managed until a Graph-link editor is added. |
| Organization-only access | Graph link types include `internal`; frontend config documents default link permission `0` as an internal/member-only link; server rejects redundant passwords on internal links; acceptance tests create and update internal links. Android public-link rows display these non-standard states as `Custom access`, and the Android edit dialog treats them as server-managed. | Server/API coverage exists; Android keeps `internal` links server-managed until a Graph-link editor is added. |
| Role inheritance / resharing | Space sharing acceptance tests verify managers can reshare spaces, editors/viewers cannot, and project-space public-link creation requires manager rights. | Covered by server acceptance scenarios. |
## Repeatable Local Check
@@ -28,6 +28,6 @@ Run from the repository root:
The script is a static coverage gate over Android UI files, Graph link type code, server link creation code, and acceptance feature files. It does not replace a full server acceptance run.
## Remaining Product Gap
## Product Decision
The Android public-link dialog currently exposes the OCS link controls already present in the client: password, expiration, read-only, read/write, and upload-only. It does not expose dedicated Graph `internal` or `blocksDownload` controls. If QSfera wants Android parity with Yandex Disk's organization-only and disable-download controls, the next client/server integration step is to add Android Graph-link creation/editing paths for those two link types or define an explicit product decision that Android continues to show them as server-managed/custom access states.
The Android public-link dialog exposes the OCS link controls already present in the client: password, expiration, read-only, read/write, and upload-only. Dedicated Graph `internal` and `blocksDownload` creation/editing controls remain server-managed on Android until a Graph-link editor is added. The Android list shows those links as `Custom access`, and the Android edit dialog disables saving for them so a user cannot accidentally replace organization-only or secure-view protection with a standard OCS read-only link.
@@ -37,6 +37,12 @@ Assert-FileContains "Android public-link dialog exposes upload-only mode" `
Assert-FileContains "Android public-link rows show safety status" `
"Android/qsferaApp/src/main/java/eu/qsfera/android/presentation/sharing/shares/SharePublicLinkListAdapter.kt" `
"PublicShareStatusFormatter\.statusFor"
Assert-FileContains "Android public-link dialog protects server-managed custom links" `
"Android/qsferaApp/src/main/java/eu/qsfera/android/presentation/sharing/shares/PublicShareDialogFragment.kt" `
"isServerManagedPublicLink"
Assert-FileContains "Android public-link dialog explains managed access" `
"Android/qsferaApp/src/main/res/layout/share_public_dialog.xml" `
"shareViaLinkManagedAccessMessage"
Assert-FileContains "Graph API declares internal link type" `
"Server/vendor/github.com/opencloud-eu/libre-graph-api-go/model_sharing_link_type.go" `