|
| 1 | +<?php |
| 2 | + |
| 3 | +declare(strict_types=1); |
| 4 | + |
| 5 | +/** |
| 6 | + * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors |
| 7 | + * SPDX-License-Identifier: AGPL-3.0-or-later |
| 8 | + */ |
| 9 | + |
| 10 | +namespace OCP\Share\ShareReview\Events; |
| 11 | + |
| 12 | +use OCP\AppFramework\Attribute\Consumable; |
| 13 | +use OCP\EventDispatcher\Event; |
| 14 | + |
| 15 | +/** |
| 16 | + * Authorization gate for deleting an app-managed share through a share-review app. |
| 17 | + * |
| 18 | + * Background: Apps such as Deck or Tables manage their own shares outside of |
| 19 | + * the regular sharing backend ({@see \OCP\Share\IManager}). They can expose |
| 20 | + * those shares to a share-review app — a compliance tool that lets designated |
| 21 | + * operators audit and revoke shares across all apps — by implementing |
| 22 | + * {@see \OCP\Share\ShareReview\IShareReviewSource}. When a share-review |
| 23 | + * operator requests the deletion of such a share, the deletion is executed by |
| 24 | + * the app that owns the share, not by the share-review app. The owning app |
| 25 | + * has no way of knowing whether the acting user is actually authorized to |
| 26 | + * perform share reviews — only the share-review app knows that. This event |
| 27 | + * closes that gap: it lets the owning app ask "may the current user delete |
| 28 | + * this share on behalf of a share review?" before deleting anything. |
| 29 | + * |
| 30 | + * Dispatched by: the app that owns the share, i.e. the |
| 31 | + * {@see \OCP\Share\ShareReview\IShareReviewSource} implementation, at the |
| 32 | + * beginning of its deleteShare() method: |
| 33 | + * |
| 34 | + * public function deleteShare(string $shareId): bool { |
| 35 | + * $event = new ShareReviewAccessCheckEvent('MyApp', $shareId); |
| 36 | + * $this->dispatcher->dispatchTyped($event); |
| 37 | + * if (!$event->isHandled() || !$event->isGranted()) { |
| 38 | + * return false; // default-deny: no listener means no access |
| 39 | + * } |
| 40 | + * // ... actually delete the share ... |
| 41 | + * } |
| 42 | + * |
| 43 | + * Listened to by: the share-review app. Its listener decides whether the |
| 44 | + * current user is an authorized share-review operator (e.g. the app is |
| 45 | + * enabled for the user) and answers with grantAccess() or denyAccess(): |
| 46 | + * |
| 47 | + * public function handle(Event $event): void { |
| 48 | + * if (!$event instanceof ShareReviewAccessCheckEvent) { |
| 49 | + * return; |
| 50 | + * } |
| 51 | + * if ($this->isShareReviewOperator()) { |
| 52 | + * $event->grantAccess(); |
| 53 | + * } else { |
| 54 | + * $event->denyAccess('User is not a share-review operator.'); |
| 55 | + * } |
| 56 | + * } |
| 57 | + * |
| 58 | + * Apps that merely expose shares must not listen to this event; answering it |
| 59 | + * is the responsibility of the share-review app that triggered the deletion. |
| 60 | + * |
| 61 | + * Semantics: |
| 62 | + * - Default-deny: if no listener responds (isHandled() is false, e.g. no |
| 63 | + * share-review app is installed), the dispatcher must not delete the share. |
| 64 | + * - Deny wins: once denyAccess() is called, further grantAccess() calls are |
| 65 | + * ignored and propagation is stopped immediately. |
| 66 | + * - Multiple grants are harmless; the last listener to deny is authoritative. |
| 67 | + * |
| 68 | + * @since 34.0.2 |
| 69 | + */ |
| 70 | +#[Consumable(since: '34.0.2')] |
| 71 | +class ShareReviewAccessCheckEvent extends Event { |
| 72 | + |
| 73 | + private bool $handled = false; |
| 74 | + private bool $granted = false; |
| 75 | + private ?string $reason = null; |
| 76 | + |
| 77 | + /** |
| 78 | + * @param string $sourceName Stable, non-translated identifier for the app |
| 79 | + * registering the share source (e.g. 'Deck', 'Tables'). |
| 80 | + * @param string $shareId App-internal identifier of the share being deleted. |
| 81 | + * |
| 82 | + * @since 34.0.2 |
| 83 | + */ |
| 84 | + public function __construct( |
| 85 | + private readonly string $sourceName, |
| 86 | + private readonly string $shareId, |
| 87 | + ) { |
| 88 | + parent::__construct(); |
| 89 | + } |
| 90 | + |
| 91 | + /** |
| 92 | + * Stable, non-translated identifier of the app that owns this share source. |
| 93 | + * |
| 94 | + * @since 34.0.2 |
| 95 | + */ |
| 96 | + public function getSourceName(): string { |
| 97 | + return $this->sourceName; |
| 98 | + } |
| 99 | + |
| 100 | + /** |
| 101 | + * App-internal identifier of the share being deleted. |
| 102 | + * |
| 103 | + * @since 34.0.2 |
| 104 | + */ |
| 105 | + public function getShareId(): string { |
| 106 | + return $this->shareId; |
| 107 | + } |
| 108 | + |
| 109 | + /** |
| 110 | + * Grant access to delete the share. |
| 111 | + * |
| 112 | + * Has no effect if denyAccess() was already called on this event — deny wins. |
| 113 | + * |
| 114 | + * @since 34.0.2 |
| 115 | + */ |
| 116 | + public function grantAccess(): void { |
| 117 | + if ($this->handled && !$this->granted) { |
| 118 | + return; // deny wins — a prior denyAccess() cannot be escalated to a grant |
| 119 | + } |
| 120 | + $this->handled = true; |
| 121 | + $this->granted = true; |
| 122 | + } |
| 123 | + |
| 124 | + /** |
| 125 | + * Deny access and provide a human-readable reason. |
| 126 | + * |
| 127 | + * Stops event propagation immediately — no further listeners will run. |
| 128 | + * |
| 129 | + * @since 34.0.2 |
| 130 | + */ |
| 131 | + public function denyAccess(string $reason): void { |
| 132 | + $this->handled = true; |
| 133 | + $this->granted = false; |
| 134 | + $this->reason = $reason; |
| 135 | + $this->stopPropagation(); |
| 136 | + } |
| 137 | + |
| 138 | + /** |
| 139 | + * Whether any listener has responded to this event. |
| 140 | + * |
| 141 | + * @since 34.0.2 |
| 142 | + */ |
| 143 | + public function isHandled(): bool { |
| 144 | + return $this->handled; |
| 145 | + } |
| 146 | + |
| 147 | + /** |
| 148 | + * Whether access was granted. |
| 149 | + * |
| 150 | + * @since 34.0.2 |
| 151 | + */ |
| 152 | + public function isGranted(): bool { |
| 153 | + return $this->granted; |
| 154 | + } |
| 155 | + |
| 156 | + /** |
| 157 | + * Human-readable denial reason, or null if access was granted or the event |
| 158 | + * has not been handled yet. |
| 159 | + * |
| 160 | + * @since 34.0.2 |
| 161 | + */ |
| 162 | + public function getReason(): ?string { |
| 163 | + return $this->reason; |
| 164 | + } |
| 165 | +} |
0 commit comments