From 1d38291826c5cc798f35313f9c5bb9c566bc527c Mon Sep 17 00:00:00 2001
From: Darshan <itznotabug@gmail.com>
Date: Tue, 13 May 2025 16:53:30 +0530
Subject: [PATCH] updates: remove permissions, allow tokens management only on
 console.

---
 .../Http/Tokens/Buckets/Files/Create.php      |  8 +--
 .../Modules/Tokens/Http/Tokens/Delete.php     |  2 +-
 .../Modules/Tokens/Http/Tokens/Get.php        |  2 +-
 .../Modules/Tokens/Http/Tokens/Update.php     | 52 ++-----------------
 .../Utopia/Response/Model/ResourceToken.php   |  7 ---
 5 files changed, 9 insertions(+), 62 deletions(-)

diff --git a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Buckets/Files/Create.php b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Buckets/Files/Create.php
index 5089898d33..0ac9424937 100644
--- a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Buckets/Files/Create.php
+++ b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Buckets/Files/Create.php
@@ -15,7 +15,6 @@ use Utopia\Database\Document;
 use Utopia\Database\Helpers\ID;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\Datetime as DatetimeValidator;
-use Utopia\Database\Validator\Permissions;
 use Utopia\Database\Validator\UID;
 use Utopia\Platform\Scope\HTTP;
 use Utopia\Validator\Nullable;
@@ -49,7 +48,7 @@ class Create extends Action
             group: 'files',
             name: 'createFileToken',
             description: <<<EOT
-            Create a new token. A token is linked to a file or a bucket and manages permissions for those file(s). Token can be passed as a header or request get parameter.
+            Create a new token. A token is linked to a file. Token can be passed as a header or request get parameter.
             EOT,
             auth: [AuthType::SESSION, AuthType::KEY, AuthType::JWT],
             responses: [
@@ -63,15 +62,13 @@ class Create extends Action
         ->param('bucketId', '', new UID(), 'Storage bucket unique ID. You can create a new storage bucket using the Storage service [server integration](https://appwrite.io/docs/server/storage#createBucket).')
         ->param('fileId', '', new UID(), 'File unique ID.')
         ->param('expire', null, new Nullable(new DatetimeValidator()), 'Token expiry date', true)
-        ->param('permissions', [], new Permissions(APP_LIMIT_ARRAY_PARAMS_SIZE, [Database::PERMISSION_READ, Database::PERMISSION_UPDATE, Database::PERMISSION_DELETE, Database::PERMISSION_WRITE]), 'An array of permission strings. By default, only the current user is granted all permissions. [Learn more about permissions](https://appwrite.io/docs/permissions).', true)
         ->inject('response')
         ->inject('dbForProject')
-        ->inject('user')
         ->inject('queueForEvents')
         ->callback([$this, 'action']);
     }
 
-    public function action(string $bucketId, string $fileId, ?string $expire, ?array $permissions, Response $response, Database $dbForProject, Document $user, Event $queueForEvents): void
+    public function action(string $bucketId, string $fileId, ?string $expire, Response $response, Database $dbForProject, Event $queueForEvents): void
     {
 
         /**
@@ -100,7 +97,6 @@ class Create extends Action
             'resourceInternalId' => $bucket->getInternalId() . ':' . $file->getInternalId(),
             'resourceType' => TOKENS_RESOURCE_TYPE_FILES,
             'expire' => $expire,
-            '$permissions' => $permissions
         ]));
 
         $queueForEvents
diff --git a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Delete.php b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Delete.php
index 31bcd7f580..7a9fc8d712 100644
--- a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Delete.php
+++ b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Delete.php
@@ -45,7 +45,7 @@ class Delete extends Action
             description: <<<EOT
             Delete a token by its unique ID.
             EOT,
-            auth: [AuthType::SESSION, AuthType::KEY, AuthType::JWT],
+            auth: [AuthType::ADMIN],
             responses: [
                 new SDKResponse(
                     code: Response::STATUS_CODE_NOCONTENT,
diff --git a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Get.php b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Get.php
index 3eb16793a5..17261d5ce3 100644
--- a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Get.php
+++ b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Get.php
@@ -38,7 +38,7 @@ class Get extends Action
             description: <<<EOT
             Get a token by its unique ID.
             EOT,
-            auth: [AuthType::SESSION, AuthType::KEY, AuthType::JWT],
+            auth: [AuthType::ADMIN],
             responses: [
                 new SDKResponse(
                     code: Response::STATUS_CODE_OK,
diff --git a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Update.php b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Update.php
index 5e7a2df533..3392af69d1 100644
--- a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Update.php
+++ b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Update.php
@@ -2,7 +2,6 @@
 
 namespace Appwrite\Platform\Modules\Tokens\Http\Tokens;
 
-use Appwrite\Auth\Auth;
 use Appwrite\Event\Event;
 use Appwrite\Extend\Exception;
 use Appwrite\SDK\AuthType;
@@ -11,11 +10,7 @@ use Appwrite\SDK\Method;
 use Appwrite\SDK\Response as SDKResponse;
 use Appwrite\Utopia\Response;
 use Utopia\Database\Database;
-use Utopia\Database\Helpers\Permission;
-use Utopia\Database\Helpers\Role;
-use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\Datetime as DatetimeValidator;
-use Utopia\Database\Validator\Permissions;
 use Utopia\Database\Validator\UID;
 use Utopia\Platform\Action;
 use Utopia\Platform\Scope\HTTP;
@@ -50,9 +45,9 @@ class Update extends Action
             group: 'tokens',
             name: 'update',
             description: <<<EOT
-            Update a token by its unique ID. Use this endpoint to update a token's expiry date or permissions.
+            Update a token by its unique ID. Use this endpoint to update a token's expiry date.
             EOT,
-            auth: [AuthType::SESSION, AuthType::KEY, AuthType::JWT],
+            auth: [AuthType::ADMIN],
             responses: [
                 new SDKResponse(
                     code: Response::STATUS_CODE_OK,
@@ -63,14 +58,13 @@ class Update extends Action
         ))
         ->param('tokenId', '', new UID(), 'Token unique ID.')
         ->param('expire', null, new Nullable(new DatetimeValidator()), 'File token expiry date', true)
-        ->param('permissions', null, new Permissions(APP_LIMIT_ARRAY_PARAMS_SIZE, [Database::PERMISSION_READ, Database::PERMISSION_UPDATE, Database::PERMISSION_DELETE, Database::PERMISSION_WRITE]), 'An array of permission string. By default, the current permissions are inherited. [Learn more about permissions](https://appwrite.io/docs/permissions).', true)
         ->inject('response')
         ->inject('dbForProject')
         ->inject('queueForEvents')
         ->callback([$this, 'action']);
     }
 
-    public function action(string $tokenId, ?string $expire, ?array $permissions, Response $response, Database $dbForProject, Event $queueForEvents)
+    public function action(string $tokenId, ?string $expire, Response $response, Database $dbForProject, Event $queueForEvents)
     {
         $token = $dbForProject->getDocument('resourceTokens', $tokenId);
 
@@ -78,47 +72,11 @@ class Update extends Action
             throw new Exception(Exception::TOKEN_NOT_FOUND);
         }
 
-        // Map aggregate permissions into the multiple permissions they represent.
-        $permissions = Permission::aggregate($permissions, [
-            Database::PERMISSION_READ,
-            Database::PERMISSION_UPDATE,
-            Database::PERMISSION_DELETE,
-        ]);
-
-        // Users can only manage their own roles, API keys and Admin users can manage any
-        $roles = Authorization::getRoles();
-        if (!Auth::isAppUser($roles) && !Auth::isPrivilegedUser($roles) && !\is_null($permissions)) {
-            foreach (Database::PERMISSIONS as $type) {
-                foreach ($permissions as $permission) {
-                    $permission = Permission::parse($permission);
-                    if ($permission->getPermission() != $type) {
-                        continue;
-                    }
-                    $role = (new Role(
-                        $permission->getRole(),
-                        $permission->getIdentifier(),
-                        $permission->getDimension()
-                    ))->toString();
-                    if (!Authorization::isRole($role)) {
-                        throw new Exception(Exception::USER_UNAUTHORIZED, 'Permissions must be one of: (' . \implode(', ', $roles) . ')');
-                    }
-                }
-            }
-        }
-
-        if (\is_null($permissions)) {
-            $permissions = $token->getPermissions() ?? [];
-        }
-
-        $token
-            ->setAttribute('expire', $expire)
-            ->setAttribute('$permissions', $permissions);
+        $token->setAttribute('expire', $expire);
 
         $token = $dbForProject->updateDocument('resourceTokens', $tokenId, $token);
 
-        $queueForEvents
-            ->setParam('tokenId', $token->getId())
-        ;
+        $queueForEvents->setParam('tokenId', $token->getId());
 
         $response->dynamic($token, Response::MODEL_RESOURCE_TOKEN);
     }
diff --git a/src/Appwrite/Utopia/Response/Model/ResourceToken.php b/src/Appwrite/Utopia/Response/Model/ResourceToken.php
index 87598aadd0..ef186c3d0b 100644
--- a/src/Appwrite/Utopia/Response/Model/ResourceToken.php
+++ b/src/Appwrite/Utopia/Response/Model/ResourceToken.php
@@ -25,13 +25,6 @@ class ResourceToken extends Model
                 'default' => '',
                 'example' => self::TYPE_DATETIME_EXAMPLE,
             ])
-            ->addRule('$permissions', [
-                'type' => self::TYPE_STRING,
-                'description' => 'Token permissions. [Learn more about permissions](https://appwrite.io/docs/permissions).',
-                'default' => '',
-                'example' => ['read("any")'],
-                'array' => true,
-            ])
             ->addRule('resourceId', [
                 'type' => self::TYPE_STRING,
                 'description' => 'Resource ID.',