[WIP] Issue #27: Fix permissions

README.md

@@ -119,23 +119,6 @@ You also must set the viewer for this kind of media.
   _Collabora Online Preview_.
 - Click _Save_.
 
-### User permissions
-
-There are three levels of permissions. _Administrator_,
-_Collaborator_, and _Viewer_, in order of most privileges to the
-least. Each lesser privilege is included in the higher level.
-_Administrator_ includes _Collaborator_, and _Collaborator_ includes
-_Viewer_.
-
-By default, the user role `administrator` is mapped to the Collabora
-Online administrator. This allow accessing the console.
-
-The user role `authenticated` is the default permission for
-collaboration, i.e. edit a document with Collabora Online.
-
-The user role `anonymous` by default disallows editing and is the
-minimal permission for viewing documents in Collabora Online.
-
 ### Other configuration
 
 If you need to change the accepted extensions to upload, go to

collabora_online.module

@@ -9,10 +9,12 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-use Drupal\Core\Entity\EntityInterface;
 use Drupal\collabora_online\Cool\CoolUtils;
-use Drupal\file\Entity\File;
-use Drupal\media\Entity\Media;
+use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Access\AccessResultInterface;
+use Drupal\Core\Entity\EntityInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\media\MediaInterface;
 
 /**
  * Implements hook_theme().
@@ -84,10 +86,10 @@ function collabora_online_entity_operation(EntityInterface $entity) {
         return [];
     }
 
+    /** @var \Drupal\media\MediaInterface $media */
     $media = $entity;
 
-    $account = \Drupal::currentUser()->getAccount();
-    if (!$entity->access("view", $account)) {
+    if (!$media->access('preview in collabora')) {
         return [];
     }
 
@@ -106,7 +108,7 @@ function collabora_online_entity_operation(EntityInterface $entity) {
         ]
     ];
 
-    if (CoolUtils::canEdit($file) && $media->access("update", $account)) {
+    if (CoolUtils::canEdit($file) && $media->access('edit in collabora')) {
         $entries['collabora_online_edit'] = [
             'title' => t("Edit in Collabora Online"),
             'weight' => 50,
@@ -116,3 +118,33 @@ function collabora_online_entity_operation(EntityInterface $entity) {
 
     return $entries;
 }
+
+/**
+ * Implements hook_ENTITY_TYPE_access() for 'media'.
+ *
+ * Checks access for the new media operations provided by this module.
+ */
+function collabora_online_media_access(MediaInterface $media, string $operation, AccountInterface $account): AccessResultInterface {
+    $type = $media->bundle();
+    switch ($operation) {
+        case 'preview in collabora':
+            return AccessResult::allowedIfHasPermission($account, "preview $type in collabora");
+
+        case 'edit in collabora':
+            if ($account->hasPermission("edit any $type in collabora")) {
+                return AccessResult::allowed()->cachePerPermissions();
+            }
+            if ($account->hasPermission("edit own $type in collabora")) {
+                // Use '==' because Drupal sometimes loads integers as strings.
+                $is_owner = ($account->id() && $account->id() == $media->getOwnerId());
+                return AccessResult::allowedIf($is_owner)
+                    ->cachePerPermissions()
+                    ->cachePerUser()
+                    ->addCacheableDependency($media);
+            }
+            return AccessResult::neutral()->cachePerPermissions();
+
+        default:
+            return AccessResult::neutral();
+    }
+}

collabora_online.permissions.yml

@@ -0,0 +1,6 @@
+administer collabora instance:
+  title: 'Administer the Collabora instance'
+  restrict access: true
+
+permission_callbacks:
+  - \Drupal\collabora_online\CollaboraMediaPermissions::mediaTypePermissions

collabora_online.routing.yml

@@ -3,6 +3,7 @@ collabora-online.view:
   defaults:
     _controller: '\Drupal\collabora_online\Controller\ViewerController::editor'
     _title: 'Collabora Online'
+    # The controller method has a boolean parameter '$edit'.
     edit: false
   options:
     parameters:
@@ -11,13 +12,15 @@ collabora-online.view:
       edit:
         type: boolean
   requirements:
-    _permission: 'access content'
+    media: \d+
+    _entity_access: 'media.preview in collabora'
 
 collabora-online.edit:
   path: '/cool/edit/{media}'
   defaults:
     _controller: '\Drupal\collabora_online\Controller\ViewerController::editor'
     _title: 'Collabora Online'
+    # The controller method has a boolean parameter '$edit'.
     edit: true
   options:
     parameters:
@@ -26,7 +29,8 @@ collabora-online.edit:
       edit:
         type: boolean
   requirements:
-    _permission: 'access content'
+    media: \d+
+    _entity_access: 'media.edit in collabora'
 
 collabora-online.settings:
   path: '/admin/config/cool/settings'

composer.json

@@ -11,6 +11,7 @@
         }
     ],
     "require": {
+        "php": ">=8.1",
         "drupal/jwt": "^2.0"
     }
 }

config/install/collabora_online.settings.yml

@@ -11,9 +11,3 @@ cool:
   disable_cert_check: false
   # Allow fullscreen - Enabled by default for functionality.
   allowfullscreen: true
-  # The user role for collaborators.
-  viewer_role: anonymous
-  # The user role for collaborators.
-  collaborator_role: authenticated
-  # The user role for adminstrators.
-  administrator_role: administrator

config/schema/collabora_online.schema.yml

@@ -0,0 +1,23 @@
+collabora_online.settings:
+  type: config_object
+  label: 'Settings'
+  mapping:
+    cool:
+      type: config_object
+      label: 'Cool'
+      mapping:
+        server:
+          type: uri
+          label: 'The address of the COOL server.'
+        wopi_base:
+          type: uri
+          label: 'The WOPI base'
+        key_id:
+          type: string
+          label: 'The JWT key id'
+        access_token_ttl:
+          type: integer
+          label: 'Access Token TTL'
+        disable_cert_check:
+          type: boolean
+          label: 'Disable cert checks.'

src/CollaboraMediaPermissions.php

@@ -0,0 +1,90 @@
+<?php
+/*
+ * Copyright the Collabora Online contributors.
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+namespace Drupal\collabora_online;
+
+use Drupal\Core\DependencyInjection\AutowireTrait;
+use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
+use Drupal\Core\Entity\BundlePermissionHandlerTrait;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\StringTranslation\StringTranslationTrait;
+use Drupal\media\MediaTypeInterface;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+
+/**
+ * Provides permissions for Collabora per media type.
+ *
+ * @see \Drupal\media\MediaPermissions
+ */
+class CollaboraMediaPermissions implements ContainerInjectionInterface {
+
+    use AutowireTrait;
+    use BundlePermissionHandlerTrait;
+    use StringTranslationTrait;
+
+    /**
+     * Constructor.
+     *
+     * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entityTypeManager
+     *   The entity type manager service.
+     */
+    public function __construct(
+        protected readonly EntityTypeManagerInterface $entityTypeManager,
+    ) {}
+
+    /**
+     * {@inheritdoc}
+     */
+    public static function create(ContainerInterface $container) {
+        return new static($container->get('entity_type.manager'));
+    }
+
+    /**
+     * Returns an array of media type permissions.
+     *
+     * @return array
+     *   The media type permissions.
+     *
+     * @see \Drupal\user\PermissionHandlerInterface::getPermissions()
+     */
+    public function mediaTypePermissions(): array {
+        // Generate media permissions for all media types.
+        $media_types = $this->entityTypeManager->getStorage('media_type')->loadMultiple();
+        return $this->generatePermissions($media_types, [$this, 'buildPermissions']);
+    }
+
+    /**
+     * Returns a list of permissions for a given media type.
+     *
+     * @param \Drupal\media\MediaTypeInterface $type
+     *   The media type.
+     *
+     * @return array
+     *   An associative array of permission names and descriptions.
+     */
+    protected function buildPermissions(MediaTypeInterface $type) {
+        $type_id = $type->id();
+        $type_params = ['%type_name' => $type->label()];
+
+        return [
+            "preview $type_id in collabora" => [
+                'title' => $this->t('%type_name: Preview media file in Collabora', $type_params),
+            ],
+            "edit own $type_id in collabora" => [
+                'title' => $this->t('%type_name: Edit own media file in Collabora', $type_params),
+            ],
+            "edit any $type_id in collabora" => [
+                'title' => $this->t('%type_name: Edit any media file in Collabora', $type_params),
+            ],
+        ];
+    }
+
+}

src/Controller/ViewerController.php

@@ -11,14 +11,12 @@
 
 namespace Drupal\collabora_online\Controller;
 
+use Drupal\collabora_online\Cool\CoolUtils;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Render\RendererInterface;
-use Drupal\collabora_online\Cool\CoolUtils;
-use Drupal\file\Entity\File;
 use Drupal\media\Entity\Media;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\HttpFoundation\Request;
 
 /**
  * Provides route responses for the Collabora module.
@@ -55,22 +53,6 @@ public function editor(Media $media, $edit = false) {
             'closebutton' => 'true',
         ];
 
-        $user = \Drupal::currentUser();
-        $permissions = CoolUtils::getUserPermissions($user);
-
-        if (!$permissions['is_viewer']) {
-            $error_msg = 'Authentication failed.';
-            \Drupal::logger('cool')->error($error_msg);
-            return new Response(
-                $error_msg,
-                Response::HTTP_FORBIDDEN,
-                ['content-type' => 'text/plain']
-            );
-        }
-
-        /* Make sure that the user is a collaborator if edit is true */
-        $edit = $edit && $permissions['is_collaborator'];
-
         $render_array = CoolUtils::getViewerRender($media, $edit, $options);
 
         if (!$render_array ||  array_key_exists('error', $render_array)) {

src/Controller/WopiController.php

@@ -11,22 +11,27 @@
 
 namespace Drupal\collabora_online\Controller;
 
+use Drupal\collabora_online\Cool\CoolUtils;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\File\FileSystemInterface;
-use Drupal\collabora_online\Cool\CoolUtils;
 use Drupal\file\Entity\File;
-use Drupal\media\Entity\Media;
 use Drupal\user\Entity\User;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
-use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 
 /**
  * Provides WOPI route responses for the Collabora module.
  */
 class WopiController extends ControllerBase {
 
-    static function permissionDenied() {
+    /**
+     * Creates a failure response that is understood by Collabora.
+     *
+     * @return \Symfony\Component\HttpFoundation\Response
+     *   Response object.
+     */
+    static function permissionDenied(): Response {
         return new Response(
             'Authentication failed.',
             Response::HTTP_FORBIDDEN,
@@ -42,13 +47,20 @@ function wopiCheckFileInfo(string $id, Request $request) {
             return static::permissionDenied();
         }
 
+        /** @var \Drupal\media\MediaInterface|null $media */
+        $media = \Drupal::entityTypeManager()->getStorage('media')->load($id);
+        if (!$media) {
+            return static::permissionDenied();
+        }
+
         $file = CoolUtils::getFileById($id);
         $mtime = date_create_immutable_from_format('U', $file->getChangedTime());
+        // @todo What if the uid in the payload is not set?
+        // @todo What if $user is NULL?
         $user = User::load($jwt_payload->uid);
-        $permissions = CoolUtils::getUserPermissions($user);
         $can_write = $jwt_payload->wri;
 
-        if ($can_write && $can_write != $permissions['is_collaborator']) {
+        if ($can_write && !$media->access('edit in collabora', $user)) {
             \Drupal::logger('cool')->error('Token and user permissions do not match.');
             return static::permissionDenied();
         }
@@ -69,8 +81,8 @@ function wopiCheckFileInfo(string $id, Request $request) {
                 'mail' => $user->getEmail(),
             ],
             'UserCanWrite' => $can_write,
-            'IsAdminUser' => $permissions['is_admin'],
-            'IsAnonymousUser' => $permissions['is_anonymous']
+            'IsAdminUser' => $user->hasPermission('administer collabora instance'),
+            'IsAnonymousUser' => $user->isAnonymous(),
         ];
 
         $jsonPayload = json_encode($payload);