feat(sharing): make SHARE permission in bundled edit configurable

Add config option shareapi_include_share_in_edit to include reshare
permission in "Allow editing" bundle.

Signed-off-by: nfebe <[email protected]>

Author: nfebe

3rdparty

@@ -7,7 +7,7 @@
  */
 namespace OCA\Files_Sharing;
 
-use OC\Core\AppInfo\ConfigLexicon;
+use OCA\Files_Sharing\Config\ConfigLexicon;
 use OCP\App\IAppManager;
 use OCP\Capabilities\ICapability;
 use OCP\Constants;
@@ -77,6 +77,7 @@ public function __construct(
 	 *             },
 	 *         },
 	 *         default_permissions?: int,
+	 *         include_share_in_edit?: bool,
 	 *         federation: array{
 	 *             outgoing: bool,
 	 *             incoming: bool,
@@ -159,6 +160,7 @@ public function getCapabilities() {
 			$res['group']['enabled'] = $this->shareManager->allowGroupSharing();
 			$res['group']['expire_date']['enabled'] = true;
 			$res['default_permissions'] = (int)$this->config->getAppValue('core', 'shareapi_default_permissions', (string)Constants::PERMISSION_ALL);
+			$res['include_share_in_edit'] = $this->appConfig->getValueBool('files_sharing', ConfigLexicon::SHARE_INCLUDE_SHARE_IN_EDIT);
 		}
 
 		//Federated sharing

apps/files_sharing/lib/Capabilities.php

@@ -23,6 +23,7 @@
 class ConfigLexicon implements ILexicon {
 	public const SHOW_FEDERATED_AS_INTERNAL = 'show_federated_shares_as_internal';
 	public const SHOW_FEDERATED_TO_TRUSTED_AS_INTERNAL = 'show_federated_shares_to_trusted_servers_as_internal';
+	public const SHARE_INCLUDE_SHARE_IN_EDIT = 'shareapi_include_share_in_edit';
 
 	public function getStrictness(): Strictness {
 		return Strictness::IGNORE;
@@ -32,6 +33,7 @@ public function getAppConfigs(): array {
 		return [
 			new Entry(self::SHOW_FEDERATED_AS_INTERNAL, ValueType::BOOL, false, 'shows federated shares as internal shares', true),
 			new Entry(self::SHOW_FEDERATED_TO_TRUSTED_AS_INTERNAL, ValueType::BOOL, false, 'shows federated shares to trusted servers as internal shares', true),
+			new Entry(self::SHARE_INCLUDE_SHARE_IN_EDIT, ValueType::BOOL, false, 'Include reshare permission in "Allow editing" bundled permissions'),
 		];
 	}
 

apps/files_sharing/lib/Config/ConfigLexicon.php

@@ -42,6 +42,7 @@ import IconTune from 'vue-material-design-icons/Tune.vue'
 import {
 	ATOMIC_PERMISSIONS,
 	BUNDLED_PERMISSIONS,
+	getBundledPermissions,
 } from '../lib/SharePermissionsToolBox.js'
 import ShareDetails from '../mixins/ShareDetails.js'
 import SharesMixin from '../mixins/SharesMixin.js'
@@ -93,6 +94,10 @@ export default {
 			return t('files_sharing', 'Custom permissions')
 		},
 
+		bundledPermissions() {
+			return getBundledPermissions(this.config.includeShareInEdit)
+		},
+
 		preSelectedOption() {
 			// We remove the share permission for the comparison as it is not relevant for bundled permissions.
 			const permissionsWithoutShare = this.share.permissions & ~ATOMIC_PERMISSIONS.SHARE
@@ -140,14 +145,14 @@ export default {
 		dropDownPermissionValue() {
 			switch (this.selectedOption) {
 				case this.canEditText:
-					return this.isFolder ? BUNDLED_PERMISSIONS.ALL : BUNDLED_PERMISSIONS.ALL_FILE
+					return this.isFolder ? this.bundledPermissions.ALL : this.bundledPermissions.ALL_FILE
 				case this.fileDropText:
-					return BUNDLED_PERMISSIONS.FILE_DROP
+					return this.bundledPermissions.FILE_DROP
 				case this.customPermissionsText:
 					return 'custom'
 				case this.canViewText:
 				default:
-					return BUNDLED_PERMISSIONS.READ_ONLY
+					return this.bundledPermissions.READ_ONLY
 			}
 		},
 	},

apps/files_sharing/src/components/SharingEntryQuickShareSelect.vue

@@ -20,6 +20,23 @@ export const BUNDLED_PERMISSIONS = {
 	ALL_FILE: ATOMIC_PERMISSIONS.UPDATE | ATOMIC_PERMISSIONS.READ,
 }
 
+/**
+ * Get bundled permissions with optional SHARE permission for editing bundles.
+ *
+ * @param {boolean} includeShareInEdit - Whether to include SHARE permission in ALL and ALL_FILE bundles.
+ * @return {object}
+ */
+export function getBundledPermissions(includeShareInEdit = false) {
+	if (includeShareInEdit) {
+		return {
+			...BUNDLED_PERMISSIONS,
+			ALL: BUNDLED_PERMISSIONS.ALL | ATOMIC_PERMISSIONS.SHARE,
+			ALL_FILE: BUNDLED_PERMISSIONS.ALL_FILE | ATOMIC_PERMISSIONS.SHARE,
+		}
+	}
+	return BUNDLED_PERMISSIONS
+}
+
 /**
  * Return whether a given permissions set contains some permissions.
  *

apps/files_sharing/src/lib/SharePermissionsToolBox.js

@@ -8,6 +8,7 @@ import {
 	ATOMIC_PERMISSIONS,
 	BUNDLED_PERMISSIONS,
 	canTogglePermissions,
+	getBundledPermissions,
 	hasPermissions,
 	permissionsSetIsValid,
 	subtractPermissions,
@@ -76,4 +77,75 @@ describe('SharePermissionsToolBox', () => {
 		expect(canTogglePermissions(ATOMIC_PERMISSIONS.READ | ATOMIC_PERMISSIONS.CREATE | ATOMIC_PERMISSIONS.UPDATE, ATOMIC_PERMISSIONS.CREATE)).toBe(true)
 		expect(canTogglePermissions(ATOMIC_PERMISSIONS.READ | ATOMIC_PERMISSIONS.CREATE | ATOMIC_PERMISSIONS.DELETE, ATOMIC_PERMISSIONS.CREATE)).toBe(true)
 	})
+
+	test('Get bundled permissions without SHARE (default)', () => {
+		const permissions = getBundledPermissions(false)
+		expect(permissions.READ_ONLY).toBe(BUNDLED_PERMISSIONS.READ_ONLY)
+		expect(permissions.FILE_DROP).toBe(BUNDLED_PERMISSIONS.FILE_DROP)
+		expect(permissions.UPLOAD_AND_UPDATE).toBe(BUNDLED_PERMISSIONS.UPLOAD_AND_UPDATE)
+		expect(permissions.ALL).toBe(BUNDLED_PERMISSIONS.ALL)
+		expect(permissions.ALL_FILE).toBe(BUNDLED_PERMISSIONS.ALL_FILE)
+		expect(permissions.ALL).toBe(15)
+		expect(permissions.ALL_FILE).toBe(3)
+		expect(hasPermissions(permissions.ALL, ATOMIC_PERMISSIONS.SHARE)).toBe(false)
+		expect(hasPermissions(permissions.ALL_FILE, ATOMIC_PERMISSIONS.SHARE)).toBe(false)
+	})
+
+	test('Get bundled permissions with SHARE included', () => {
+		const permissions = getBundledPermissions(true)
+		expect(permissions.READ_ONLY).toBe(BUNDLED_PERMISSIONS.READ_ONLY)
+		expect(permissions.FILE_DROP).toBe(BUNDLED_PERMISSIONS.FILE_DROP)
+		expect(permissions.UPLOAD_AND_UPDATE).toBe(BUNDLED_PERMISSIONS.UPLOAD_AND_UPDATE)
+		expect(permissions.ALL).toBe(BUNDLED_PERMISSIONS.ALL | ATOMIC_PERMISSIONS.SHARE)
+		expect(permissions.ALL_FILE).toBe(BUNDLED_PERMISSIONS.ALL_FILE | ATOMIC_PERMISSIONS.SHARE)
+		expect(permissions.ALL).toBe(31)
+		expect(permissions.ALL_FILE).toBe(19)
+		expect(hasPermissions(permissions.ALL, ATOMIC_PERMISSIONS.SHARE)).toBe(true)
+		expect(hasPermissions(permissions.ALL_FILE, ATOMIC_PERMISSIONS.SHARE)).toBe(true)
+	})
+
+	test('Get bundled permissions default argument', () => {
+		const permissions = getBundledPermissions()
+		expect(permissions.ALL).toBe(BUNDLED_PERMISSIONS.ALL)
+		expect(permissions.ALL_FILE).toBe(BUNDLED_PERMISSIONS.ALL_FILE)
+		expect(hasPermissions(permissions.ALL, ATOMIC_PERMISSIONS.SHARE)).toBe(false)
+	})
+
+	test('Operations with bundled permissions including SHARE', () => {
+		const permissionsWithShare = getBundledPermissions(true)
+
+		// Adding permissions to ALL with SHARE should preserve SHARE
+		expect(addPermissions(permissionsWithShare.ALL, ATOMIC_PERMISSIONS.READ)).toBe(permissionsWithShare.ALL)
+
+		// Subtracting READ from ALL with SHARE should leave UPDATE | CREATE | DELETE | SHARE
+		expect(subtractPermissions(permissionsWithShare.ALL, ATOMIC_PERMISSIONS.READ))
+			.toBe(ATOMIC_PERMISSIONS.UPDATE | ATOMIC_PERMISSIONS.CREATE | ATOMIC_PERMISSIONS.DELETE | ATOMIC_PERMISSIONS.SHARE)
+
+		// Toggle UPLOAD_AND_UPDATE from ALL with SHARE should leave only SHARE
+		expect(togglePermissions(permissionsWithShare.ALL, BUNDLED_PERMISSIONS.UPLOAD_AND_UPDATE))
+			.toBe(ATOMIC_PERMISSIONS.SHARE)
+
+		// Toggle FILE_DROP from ALL with SHARE
+		expect(togglePermissions(permissionsWithShare.ALL, BUNDLED_PERMISSIONS.FILE_DROP))
+			.toBe(ATOMIC_PERMISSIONS.READ | ATOMIC_PERMISSIONS.UPDATE | ATOMIC_PERMISSIONS.DELETE | ATOMIC_PERMISSIONS.SHARE)
+
+		// Adding SHARE to base ALL should equal ALL with SHARE
+		expect(addPermissions(BUNDLED_PERMISSIONS.ALL, ATOMIC_PERMISSIONS.SHARE)).toBe(permissionsWithShare.ALL)
+
+		// Subtracting SHARE from ALL with SHARE should equal base ALL
+		expect(subtractPermissions(permissionsWithShare.ALL, ATOMIC_PERMISSIONS.SHARE)).toBe(BUNDLED_PERMISSIONS.ALL)
+	})
+
+	test('Operations with bundled permissions for files including SHARE', () => {
+		const permissionsWithShare = getBundledPermissions(true)
+
+		// ALL_FILE with SHARE should be READ | UPDATE | SHARE
+		expect(permissionsWithShare.ALL_FILE).toBe(ATOMIC_PERMISSIONS.READ | ATOMIC_PERMISSIONS.UPDATE | ATOMIC_PERMISSIONS.SHARE)
+
+		// Subtracting SHARE from ALL_FILE with SHARE should equal base ALL_FILE
+		expect(subtractPermissions(permissionsWithShare.ALL_FILE, ATOMIC_PERMISSIONS.SHARE)).toBe(BUNDLED_PERMISSIONS.ALL_FILE)
+
+		// Adding SHARE to base ALL_FILE should equal ALL_FILE with SHARE
+		expect(addPermissions(BUNDLED_PERMISSIONS.ALL_FILE, ATOMIC_PERMISSIONS.SHARE)).toBe(permissionsWithShare.ALL_FILE)
+	})
 })

apps/files_sharing/src/lib/SharePermissionsToolBox.spec.js

@@ -13,6 +13,7 @@ import { fetchNode } from '../../../files/src/services/WebdavClient.ts'
 import {
 	ATOMIC_PERMISSIONS,
 	BUNDLED_PERMISSIONS,
+	getBundledPermissions,
 } from '../lib/SharePermissionsToolBox.js'
 import Share from '../models/Share.ts'
 import Config from '../services/ConfigService.ts'

apps/files_sharing/src/mixins/SharesMixin.js

@@ -53,6 +53,7 @@ type FileSharingCapabilities = {
 		}
 	}
 	default_permissions: number
+	include_share_in_edit: boolean
 	federation: {
 		outgoing: boolean
 		incoming: boolean
@@ -103,6 +104,13 @@ export default class Config {
 		return this._capabilities.files_sharing?.default_permissions
 	}
 
+	/**
+	 * Should SHARE permission be included in "Allow editing" bundled permissions
+	 */
+	get includeShareInEdit(): boolean {
+		return this._capabilities.files_sharing?.include_share_in_edit === true
+	}
+
 	/**
 	 * Is public upload allowed on link shares ?
 	 * This covers File request and Full upload/edit option.

apps/files_sharing/src/services/ConfigService.ts

@@ -332,6 +332,7 @@ import SidebarTabExternalActionLegacy from '../components/SidebarTabExternal/Sid
 import {
 	ATOMIC_PERMISSIONS,
 	BUNDLED_PERMISSIONS,
+	getBundledPermissions,
 	hasPermissions,
 } from '../lib/SharePermissionsToolBox.js'
 import ShareRequests from '../mixins/ShareRequests.js'
@@ -395,7 +396,6 @@ export default {
 			setCustomPermissions: false,
 			passwordError: false,
 			advancedSectionAccordionExpanded: false,
-			bundledPermissions: BUNDLED_PERMISSIONS,
 			isFirstComponentLoad: true,
 			test: false,
 			creating: false,
@@ -443,6 +443,10 @@ export default {
 			}
 		},
 
+		bundledPermissions() {
+			return getBundledPermissions(this.config.includeShareInEdit)
+		},
+
 		allPermissions() {
 			return this.isFolder ? this.bundledPermissions.ALL.toString() : this.bundledPermissions.ALL_FILE.toString()
 		},
@@ -1022,10 +1026,12 @@ export default {
 			if (this.isNewShare) {
 				const defaultPermissions = this.config.defaultPermissions
 				const permissionsWithoutShare = defaultPermissions & ~ATOMIC_PERMISSIONS.SHARE
-				if (permissionsWithoutShare === BUNDLED_PERMISSIONS.READ_ONLY
-					|| permissionsWithoutShare === BUNDLED_PERMISSIONS.ALL
-					|| permissionsWithoutShare === BUNDLED_PERMISSIONS.ALL_FILE) {
-					this.sharingPermission = permissionsWithoutShare.toString()
+				if (permissionsWithoutShare === BUNDLED_PERMISSIONS.READ_ONLY) {
+					this.sharingPermission = this.bundledPermissions.READ_ONLY.toString()
+				} else if (permissionsWithoutShare === BUNDLED_PERMISSIONS.ALL) {
+					this.sharingPermission = this.bundledPermissions.ALL.toString()
+				} else if (permissionsWithoutShare === BUNDLED_PERMISSIONS.ALL_FILE) {
+					this.sharingPermission = this.bundledPermissions.ALL_FILE.toString()
 				} else {
 					this.sharingPermission = 'custom'
 					this.share.permissions = defaultPermissions
@@ -1075,9 +1081,9 @@ export default {
 				this.share.permissions = sharePermissionsSet
 			}
 
-			if (!this.isFolder && this.share.permissions === BUNDLED_PERMISSIONS.ALL) {
+			if (!this.isFolder && this.share.permissions === this.bundledPermissions.ALL) {
 				// It's not possible to create an existing file.
-				this.share.permissions = BUNDLED_PERMISSIONS.ALL_FILE
+				this.share.permissions = this.bundledPermissions.ALL_FILE
 			}
 			if (!this.writeNoteToRecipientIsChecked) {
 				this.share.note = ''

apps/files_sharing/src/views/SharingDetailsTab.vue

@@ -0,0 +1,111 @@
+/*!
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import type { User } from '@nextcloud/e2e-test-server/cypress'
+
+import { openSharingPanel } from './FilesSharingUtils.ts'
+
+describe('files_sharing: Share permissions bundle configuration', () => {
+	let alice: User
+	let bob: User
+
+	before(() => {
+		cy.createRandomUser().then(($user) => {
+			alice = $user
+		})
+		cy.createRandomUser().then(($user) => {
+			bob = $user
+		})
+	})
+
+	beforeEach(() => {
+		cy.runOccCommand('config:app:delete files_sharing shareapi_include_share_in_edit')
+	})
+
+	after(() => {
+		cy.runOccCommand('config:app:delete files_sharing shareapi_include_share_in_edit')
+	})
+
+	/**
+	 * Helper to create a user share and select "Allow editing"
+	 */
+	function createUserShareWithEdit(itemName: string) {
+		openSharingPanel(itemName)
+
+		cy.get('#app-sidebar-vue').within(() => {
+			cy.intercept('GET', '**/apps/files_sharing/api/v1/sharees?*').as('shareeSearch')
+			cy.findByRole('combobox', { name: /Search for internal recipients/i })
+				.type(`{selectAll}${bob.userId}`)
+			cy.wait('@shareeSearch')
+		})
+
+		cy.get(`[user="${bob.userId}"]`).click()
+
+		// Select "Allow editing" permission bundle
+		cy.get('[data-cy-files-sharing-share-permissions-bundle]').should('be.visible')
+		cy.get('[data-cy-files-sharing-share-permissions-bundle="upload-edit"]').click()
+
+		cy.intercept('POST', '**/ocs/v2.php/apps/files_sharing/api/v1/shares').as('createShare')
+		cy.findByRole('button', { name: 'Save share' }).click()
+
+		return cy.wait('@createShare')
+	}
+
+	describe('Default behavior (SHARE not included in edit)', () => {
+		it('Creates user share with "Allow editing" without SHARE permission for folders', () => {
+			const folderName = 'test-folder-no-share'
+			cy.mkdir(alice, `/${folderName}`)
+			cy.login(alice)
+			cy.visit('/apps/files')
+
+			createUserShareWithEdit(folderName).should(({ response }) => {
+				// Verify permission value is 15 (ALL without SHARE: READ=1 + UPDATE=2 + CREATE=4 + DELETE=8)
+				expect(response?.body?.ocs?.data?.permissions).to.equal(15)
+			})
+		})
+
+		it('Creates user share with "Allow editing" without SHARE permission for files', () => {
+			const fileName = 'test-file-no-share.txt'
+			cy.uploadContent(alice, new Blob(['content']), 'text/plain', `/${fileName}`)
+			cy.login(alice)
+			cy.visit('/apps/files')
+
+			createUserShareWithEdit(fileName).should(({ response }) => {
+				// Verify permission value is 3 (ALL_FILE without SHARE: READ=1 + UPDATE=2)
+				expect(response?.body?.ocs?.data?.permissions).to.equal(3)
+			})
+		})
+	})
+
+	describe('With SHARE included in edit (config enabled)', () => {
+		beforeEach(() => {
+			cy.runOccCommand('config:app:set --value yes files_sharing shareapi_include_share_in_edit')
+		})
+
+		it('Creates user share with "Allow editing" with SHARE permission for folders', () => {
+			const folderName = 'test-folder-with-share'
+			cy.mkdir(alice, `/${folderName}`)
+			cy.login(alice)
+			cy.visit('/apps/files')
+
+			createUserShareWithEdit(folderName).should(({ response }) => {
+				// Verify permission value is 31 (ALL with SHARE: READ=1 + UPDATE=2 + CREATE=4 + DELETE=8 + SHARE=16)
+				expect(response?.body?.ocs?.data?.permissions).to.equal(31)
+			})
+		})
+
+		it('Creates user share with "Allow editing" with SHARE permission for files', () => {
+			const fileName = 'test-file-with-share.txt'
+			cy.uploadContent(alice, new Blob(['content']), 'text/plain', `/${fileName}`)
+			cy.login(alice)
+			cy.visit('/apps/files')
+
+			createUserShareWithEdit(fileName).should(({ response }) => {
+				// Verify permission value is 19 (ALL_FILE with SHARE: READ=1 + UPDATE=2 + SHARE=16)
+				expect(response?.body?.ocs?.data?.permissions).to.equal(19)
+			})
+		})
+	})
+})