Skip to content

Fix file being shared with approver group even if the group already has access #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
julien-nc wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Fix file being shared with approver group even if the group already has access #52

julien-nc wants to merge 5 commits into from

Conversation

@julien-nc
Copy link
Member

@julien-nc julien-nc commented Apr 19, 2023

When requesting approval with a rule having a group as "approver", the file is always shared with this group to make sure the group has access.

Two problems:

  1. The group might already have access (via a file share or through a group folder) and we create an unnecessary file share
  2. The group does not have access but some of its members have access. Those users will receive access with the group share we create but they already had access.

This PR kind of fixes 1.
We only create the file share to the group if at least one member of this group does not have access to the file.

Iterating over group members to check if they have access is not ideal performance-wise.
@skjnldsv Is there a more efficient way to check if a group has access to a file (via a group folder, a file share or anything else)?

cc @blizzz

@julien-nc julien-nc added enhancement New feature or request help wanted Extra attention is needed labels Apr 19, 2023
@julien-nc julien-nc requested a review from skjnldsv April 19, 2023 12:49
@skjnldsv
Copy link
Member

skjnldsv commented Apr 19, 2023

@skjnldsv Is there a more efficient way to check if a group has access to a file (via a group folder, a file share or anything else)?

Not sure about most efficient, but this is what is being used in the files app

$uid = $this->userSession->getUser()->getUID();
$baseFolder = $this->rootFolder->getUserFolder($uid);
$files = $baseFolder->getById($fileId);
if (empty($files)) {
	// not access to this fileID
}

@julien-nc
Copy link
Member Author

julien-nc commented Apr 19, 2023

@skjnldsv Thanks for the feedback. That's also how it's done in Approval to check if one user has access to a specific file.

My question is more about how to check if a group has access to a file.

The implementation in this PR iterates on the group members and calls getById on the user folder, just like you mentioned. The concern is that it's pretty costly if the group has a lot of member...

@skjnldsv
Copy link
Member

skjnldsv commented Apr 19, 2023

Sorry, then I'm lacking expertise! 🙈

@pierluigizagaria
Copy link

pierluigizagaria commented Jun 11, 2025

This is needed

@blizzz
Copy link
Member

blizzz commented Jun 12, 2025

Iterating over group members to check if they have access is not ideal performance-wise.

Ack! Maybe @nfebe or @artonge know a better way?

@pierluigizagaria
Copy link

pierluigizagaria commented Jun 12, 2025
edited
Loading

Point 2 is also very important. As now this plugin cannot be used with single-user shared folder. In the moment the plugin asks for approve, the folder is then shared with the entire group selected in the "Who can approve" field. It would probably be better if the plugin checks for the permission without applying it automatically to the file. I should probably dig more in how the plugin works, but my suggestion is only based on my user experience.

@nfebe
Copy link

nfebe commented Jun 12, 2025
edited
Loading

The group might already have access (via a file share or through a group folder) and we create an unnecessary file share

Approach A:

  • Check the list of shares on the file (we can reasonably assume, this is almost always a smaller list than group members) [No share means no access via file sharing at all, early stop]
  • Check for direct group shares (if the group is listed a recipient on one of the shares)
  • Check user shares for group members, filter list by user-shares, and check if any of the existing recipients on the share is in target group. If not, no group share, no user on the share list has access, so group does not have access.

Not though about it long, but I think with this approach we might never have to iterate through the group members.

Approach B (Similar to A but uses iteration as last resort):

  • First, check for direct group shares on the file (fastest check)
  • Then, check group folder access (If the file is in a group folder, check if the group has access to the parent folder)
  • Only as a last resort, fall back to checking individual users

@lukasdotcom lukasdotcom force-pushed the fix/noid/avoid-excessive-group-share-on-request branch from 901eea1 to b52930c Compare June 12, 2025 20:28
@lukasdotcom

This comment was marked as outdated.

Sign in to view
@lukasdotcom lukasdotcom mentioned this pull request Jun 16, 2025
Closed
@lukasdotcom lukasdotcom requested a review from nfebe June 17, 2025 16:24
@lukasdotcom
Copy link
Member

lukasdotcom commented Jun 17, 2025

There are kind of two parts to this where the first part should be pretty fast and just checks if a group share with the correct group exists (groupHasAccessTo function) and if yes no share is needed. The second part actually will find all the users that don't have access to the document by going over all the user and group shares and filtering the list of users. Right now I just put a user cap on that to prevent performance problems.

@DaphneMuller
Copy link

DaphneMuller commented Jun 30, 2025

@nfebe would you be able to provide a review here?

julien-nc and others added 5 commits June 30, 2025 12:34
@julien-nc @lukasdotcom
when requesting with a rule having a group as approver, do not share …
782dc05 
…the file with the group if it already has access

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

# Conflicts:
#	lib/Service/UtilsService.php
@lukasdotcom
Checks for shares first and then checks what members have access
3fdf210 
Signed-off-by: Lukas Schaefer <lukas@lschaefer.xyz>
@lukasdotcom
filters by shares instead of checking for access
f688e38 
Signed-off-by: Lukas Schaefer <lukas@lschaefer.xyz>
@lukasdotcom
add limit to usersNeedShare to prevent large groups
55349ab 
Signed-off-by: Lukas Schaefer <lukas@lschaefer.xyz>
@lukasdotcom
fix psalm
a006d8a 
Signed-off-by: Lukas Schaefer <lukas@lschaefer.xyz>
@lukasdotcom lukasdotcom force-pushed the fix/noid/avoid-excessive-group-share-on-request branch from 20581c2 to a006d8a Compare June 30, 2025 16:34
nfebe
nfebe approved these changes Jun 30, 2025
View reviewed changes
Copy link

@nfebe nfebe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐘

@lukasdotcom lukasdotcom mentioned this pull request Jul 1, 2025
Merged
@lukasdotcom
Copy link
Member

lukasdotcom commented Jul 1, 2025
edited by julien-nc
Loading

Performant part was moved to #320 which should be merged while this will be kept in case someone else wants to do further work on the slow part (sharing only with part of group when some members have access).

@julien-nc
Copy link
Member Author

julien-nc commented Jul 2, 2025

Edited previous comment: 52 -> 320

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nfebe nfebe nfebe approved these changes

@skjnldsv skjnldsv Awaiting requested review from skjnldsv

Assignees

No one assigned

Labels

enhancement New feature or request help wanted Extra attention is needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@julien-nc @skjnldsv @pierluigizagaria @blizzz @nfebe @lukasdotcom @DaphneMuller