nextcloud · benjaminfrueh · Apr 14, 2026 · enjeck · Apr 23, 2026 · benjaminfrueh
@@ -53,6 +53,7 @@ Have a good time and manage whatever you want.
 	<repair-steps>
 		<pre-migration>
 			<step>OCA\Tables\Migration\FixContextsDefaults</step>
+            <step>OCA\Tables\Migration\ResetPublicSharePermissions</step>
 		</pre-migration>
 		<post-migration>
 			<step>OCA\Tables\Migration\NewDbStructureRepairStep</step>

@@ -97,6 +97,7 @@
 		['name' => 'share#show', 'url' => '/share/{id}', 'verb' => 'GET'],
 		['name' => 'share#create', 'url' => '/share', 'verb' => 'POST'],
 		['name' => 'share#updatePermission', 'url' => '/share/{id}/permission', 'verb' => 'PUT'],
+		['name' => 'share#updatePermissions', 'url' => '/share/{id}/permissions', 'verb' => 'PUT'],
 		['name' => 'share#updateDisplayMode', 'url' => '/share/{id}/display-mode', 'verb' => 'PUT'],
 		['name' => 'share#destroy', 'url' => '/share/{id}', 'verb' => 'DELETE'],
 

@@ -672,7 +672,7 @@ public function deleteShare(int $shareId): DataResponse {
 	#[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
 	public function updateSharePermissions(int $shareId, string $permissionType, bool $permissionValue): DataResponse {
 		try {
-			return new DataResponse($this->shareService->updatePermission($shareId, $permissionType, $permissionValue)->jsonSerialize());
+			return new DataResponse($this->shareService->updatePermission($shareId, [$permissionType => $permissionValue])->jsonSerialize());
 		} catch (PermissionError $e) {
 			$this->logger->warning('A permission error occurred: ' . $e->getMessage(), ['exception' => $e]);
 			$message = ['message' => $e->getMessage()];

@@ -9,12 +9,14 @@
 namespace OCA\Tables\Controller;
 
 use OCA\Tables\AppInfo\Application;
+use OCA\Tables\Db\Row2Mapper;
 use OCA\Tables\Errors\BadRequestError;
 use OCA\Tables\Errors\InternalError;
 use OCA\Tables\Errors\NotFoundError;
 use OCA\Tables\Errors\PermissionError;
 use OCA\Tables\Helper\ConversionHelper;
 use OCA\Tables\Middleware\Attribute\AssertShareAccessIsAccessible;
+use OCA\Tables\Model\RowDataInput;
 use OCA\Tables\ResponseDefinitions;
 use OCA\Tables\Service\RowService;
 use OCA\Tables\Service\ShareService;
@@ -37,11 +39,13 @@ class PublicRowOCSController extends AOCSController {
 	public function __construct(
 		protected ShareService $shareService,
 		protected RowService $rowService,
+		protected Row2Mapper $row2Mapper,
 		IRequest $request,
 		LoggerInterface $logger,
 		IL10N $l,
 	) {
 		parent::__construct($request, $logger, $l, '');
+		$this->rowService->setPublicContext();
 	}
 
 	/**
@@ -68,6 +72,10 @@ public function getRows(string $token, ?int $limit, ?int $offset): DataResponse
 			$shareToken = new ShareToken($token);
 			$share = $this->shareService->findByToken($shareToken);
 
+			if (!$share->getPermissionRead()) {
+				return $this->handlePermissionError(new PermissionError('No read permission on this share'));
+			}
+
 			$limit = $limit !== null ? max(0, min(500, $limit)) : null;
 			$offset = $offset !== null ? max(0, $offset) : null;
 
@@ -90,4 +98,165 @@ public function getRows(string $token, ?int $limit, ?int $offset): DataResponse
 			return $this->handleBadRequestError($e);
 		}
 	}
+
+	/**
+	 * [api v2] Create a row in a link share
+	 *
+	 * @param string $token The share token
+	 * @param string|array<string, mixed> $data An array containing the column identifiers and their values
+	 * @return DataResponse<Http::STATUS_OK, TablesPublicRow, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_BAD_REQUEST|Http::STATUS_NOT_FOUND|Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
+	 *
+	 * 200: Row created
+	 * 400: Invalid request parameters
+	 * 403: No permissions
+	 * 404: Not found
+	 * 500: Internal error
+	 */
+	#[PublicPage]
+	#[AssertShareAccessIsAccessible]
+	#[ApiRoute(verb: 'POST', url: '/api/2/public/{token}/rows', requirements: ['token' => '[a-zA-Z0-9]{16}'])]
+	#[OpenAPI]
+	#[AnonRateLimit(limit: 20, period: 30)]
+	public function createRow(string $token, mixed $data): DataResponse {
+		try {
+			$shareToken = new ShareToken($token);
+			$share = $this->shareService->findByToken($shareToken);
+			$this->row2Mapper->setUserId('public-' . $token);
+
+			if (!$share->getPermissionCreate()) {
+				return $this->handlePermissionError(new PermissionError('No create permission on this share'));
+			}
+
+			if (is_string($data)) {
+				$data = json_decode($data, true);
+			}
+			if (!is_array($data)) {
+				return $this->handleBadRequestError(new BadRequestError('Invalid data input'));
+			}
+
+			$newRowData = new RowDataInput();
+			foreach ($data as $key => $value) {
+				$newRowData->add((int)$key, $value);
+			}
+
+			$tableId = $share->getNodeType() === 'table' ? $share->getNodeId() : null;
+			$viewId = $share->getNodeType() === 'view' ? $share->getNodeId() : null;
+
+			if ($viewId === null && $tableId === null) {
+				throw new InternalError('Cannot create row without table or view provided');
+			}
+
+			$row = $this->rowService->create($tableId, $viewId, $newRowData);
+			return new DataResponse($this->rowService->formatRowsForPublicShare([$row])[0]);
+		} catch (PermissionError $e) {
+			return $this->handlePermissionError($e);
+		} catch (NotFoundError $e) {
+			return $this->handleNotFoundError($e);
+		} catch (BadRequestError $e) {
+			return $this->handleBadRequestError($e);
+		} catch (InternalError|\Exception $e) {
+			return $this->handleError($e);
+		}
+	}
+
+	/**
+	 * [api v2] Update a row in a link share
+	 *
+	 * @param string $token The share token
+	 * @param int $rowId The row identifier
+	 * @param string|array<string, mixed> $data An array containing the column identifiers and their values
+	 * @return DataResponse<Http::STATUS_OK, TablesPublicRow, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_BAD_REQUEST|Http::STATUS_NOT_FOUND|Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
+	 *
+	 * 200: Row updated
+	 * 400: Invalid request parameters
+	 * 403: No permissions
+	 * 404: Not found
+	 * 500: Internal error
+	 */
+	#[PublicPage]
+	#[AssertShareAccessIsAccessible]
+	#[ApiRoute(verb: 'PUT', url: '/api/2/public/{token}/rows/{rowId}', requirements: ['token' => '[a-zA-Z0-9]{16}', 'rowId' => '\d+'])]
+	#[OpenAPI]
+	#[AnonRateLimit(limit: 20, period: 30)]
+	public function updateRow(string $token, int $rowId, mixed $data): DataResponse {
+		try {
+			$shareToken = new ShareToken($token);
+			$share = $this->shareService->findByToken($shareToken);
+			$this->row2Mapper->setUserId('public-' . $token);
+
+			if (!$share->getPermissionUpdate()) {
+				return $this->handlePermissionError(new PermissionError('No update permission on this share'));
+			}
+
+			if (is_string($data)) {
+				$data = json_decode($data, true);
+			}
+			if (!is_array($data)) {
+				return $this->handleBadRequestError(new BadRequestError('Invalid data input'));
+			}
+
+			$viewId = $share->getNodeType() === 'view' ? $share->getNodeId() : null;
+			$tableId = $share->getNodeType() === 'table' ? $share->getNodeId() : null;
+
+			if ($viewId === null && $tableId === null) {
+				throw new InternalError('Cannot update row without table or view provided');
+			}
+
+			$row = $this->rowService->updateSet($rowId, $viewId, $data, '', $tableId);
+			return new DataResponse($this->rowService->formatRowsForPublicShare([$row])[0]);
+		} catch (PermissionError $e) {
+			return $this->handlePermissionError($e);
+		} catch (NotFoundError $e) {
+			return $this->handleNotFoundError($e);
+		} catch (BadRequestError $e) {
+			return $this->handleBadRequestError($e);
+		} catch (InternalError|\Exception $e) {
+			return $this->handleError($e);
+		}
+	}
+
+	/**
+	 * [api v2] Delete a row in a link share
+	 *
+	 * @param string $token The share token
+	 * @param int $rowId The row identifier
+	 * @return DataResponse<Http::STATUS_OK, TablesPublicRow, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_NOT_FOUND|Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
+	 *
+	 * 200: Row deleted
+	 * 403: No permissions
+	 * 404: Not found
+	 * 500: Internal error
+	 */
+	#[PublicPage]
+	#[AssertShareAccessIsAccessible]
+	#[ApiRoute(verb: 'DELETE', url: '/api/2/public/{token}/rows/{rowId}', requirements: ['token' => '[a-zA-Z0-9]{16}', 'rowId' => '\d+'])]
+	#[OpenAPI]
+	#[AnonRateLimit(limit: 20, period: 30)]
+	public function deleteRow(string $token, int $rowId): DataResponse {
+		try {
+			$shareToken = new ShareToken($token);
+			$share = $this->shareService->findByToken($shareToken);
+			$this->row2Mapper->setUserId('public-' . $token);
+
+			if (!$share->getPermissionDelete()) {
+				return $this->handlePermissionError(new PermissionError('No delete permission on this share'));
+			}
+
+			$viewId = $share->getNodeType() === 'view' ? $share->getNodeId() : null;
+			$tableId = $share->getNodeType() === 'table' ? $share->getNodeId() : null;
+
+			if ($viewId === null && $tableId === null) {
+				throw new InternalError('Cannot delete row without table or view provided');
+			}
+
+			$row = $this->rowService->delete($rowId, $viewId, '', $tableId);
+			return new DataResponse($this->rowService->formatRowsForPublicShare([$row])[0]);
+		} catch (PermissionError $e) {
+			return $this->handlePermissionError($e);
+		} catch (NotFoundError $e) {
+			return $this->handleNotFoundError($e);
+		} catch (InternalError|\Exception $e) {
+			return $this->handleError($e);
+		}
+	}
 }
@@ -71,6 +71,12 @@ public function showShare(): TemplateResponse {
 		$this->initialState->provideInitialState('shareToken', (string)$this->shareToken);
 		$this->initialState->provideInitialState('nodeType', $this->share->getNodeType());
 		$this->initialState->provideInitialState('nodeData', $nodeData);
+		$this->initialState->provideInitialState('sharePermissions', [
+			'read' => $this->share->getPermissionRead(),
+			'create' => $this->share->getPermissionCreate(),
+			'update' => $this->share->getPermissionUpdate(),
+			'delete' => $this->share->getPermissionDelete(),
+		]);
 
 		if (class_exists(LoadEditor::class)) {
 			$this->eventDispatcher->dispatchTyped(new LoadEditor());

@@ -85,7 +85,25 @@ public function create(
 	#[NoAdminRequired]
 	public function updatePermission(int $id, string $permission, bool $value): DataResponse {
 		return $this->handleError(function () use ($id, $permission, $value) {
-			return $this->service->updatePermission($id, $permission, $value);
+			return $this->service->updatePermission($id, [$permission => $value]);
+		});
+	}
+
+	#[NoAdminRequired]
+	public function updatePermissions(
+		int $id,
+		bool $permissionRead = false,
+		bool $permissionCreate = false,
+		bool $permissionUpdate = false,
+		bool $permissionDelete = false,
+	): DataResponse {
+		return $this->handleError(function () use ($id, $permissionRead, $permissionCreate, $permissionUpdate, $permissionDelete) {
+			return $this->service->updatePermission($id, [
+				'read' => $permissionRead,
+				'create' => $permissionCreate,
+				'update' => $permissionUpdate && $permissionRead,
+				'delete' => $permissionDelete && $permissionRead,
+			]);
 		});
 	}
 

@@ -122,6 +122,10 @@ public function getTableIdForRow(int $rowId): ?int {
 		return $rowSleeve->getTableId();
 	}
 
+	public function setUserId(string $userId): void {
+		$this->userId = $userId;
+	}
+
 	/**
 	 * @return int[]
 	 * @throws InternalError

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Tables\Migration;
+
+use OCA\Tables\AppInfo\Application;
+use OCA\Tables\Constants\ShareReceiverType;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IConfig;
+use OCP\IDBConnection;
+use OCP\Migration\IOutput;
+use OCP\Migration\IRepairStep;
+
+class ResetPublicSharePermissions implements IRepairStep {
+
+	public function __construct(
+		protected IConfig $config,
+		protected IDBConnection $dbc,
+	) {
+	}
+
+	public function getName(): string {
+		return 'Reset public link share permissions to read-only for versions before 2.0.2';
+	}
+
+	public function run(IOutput $output): void {
+		$appVersion = $this->config->getAppValue(Application::APP_ID, 'installed_version', '0.0');
+		if (\version_compare($appVersion, '2.0.2', '>=')) {
+			$output->info('Not applicable, skipping.');
+			return;
+		}
+
+		$qb = $this->dbc->getQueryBuilder();
+		$qb->update('tables_shares')
+			->set('permission_read', $qb->createNamedParameter(1, IQueryBuilder::PARAM_INT))
+			->set('permission_create', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT))
+			->set('permission_update', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT))
+			->set('permission_delete', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT))
+			->set('permission_manage', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT))
+			->where($qb->expr()->eq('receiver_type', $qb->createNamedParameter(ShareReceiverType::LINK, IQueryBuilder::PARAM_STR)))
+			->executeStatement();
+
+		$output->info('Reset public link share permissions to read-only.');
+	}
+}
@@ -45,6 +45,8 @@ class PermissionsService {
 
 	protected bool $isCli = false;
 
+	private bool $isPublicContext = false;
+
 	private ContextMapper $contextMapper;
 
 	public function __construct(
@@ -549,6 +551,11 @@ public function getPermissionArrayForNodeFromContexts(int $nodeId, string $nodeT
 		);
 	}
 
+	public function setPublicContext(): void {
+		$this->userId = '';
+		$this->isPublicContext = true;
+	}
+
 	private function hasPermission(int $existingPermissions, string $permissionName): bool {
 		$constantName = 'PERMISSION_' . strtoupper($permissionName);
 		try {
@@ -634,7 +641,7 @@ private function basisCheck(Table|View|Context $element, string $nodeType, ?stri
 		}
 
 		if ($userId === '') {
-			return true;
+			return $this->isCli || $this->isPublicContext;
 		}
 
 		if ($this->userIsElementOwner($element, $userId, $nodeType)) {

@@ -178,7 +178,7 @@ public function find(int $rowId): Row2 {
 	 * @throws InternalError
 	 */
 	public function create(?int $tableId, ?int $viewId, RowDataInput|array $data): Row2 {
-		if ($this->userId === null || $this->userId === '') {
+		if ($this->userId === null) {
 			$e = new \Exception('No user id in context, but needed.');
 			$this->logger->error($e->getMessage(), ['exception' => $e]);
 			throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': ' . $e->getMessage());
@@ -685,7 +685,7 @@ public function updateSet(
 	 * @throws PermissionError
 	 * @noinspection DuplicatedCode
 	 */
-	public function delete(int $id, ?int $viewId, string $userId): Row2 {
+	public function delete(int $id, ?int $viewId, string $userId, ?int $tableId = null): Row2 {
 		try {
 			$item = $this->getRowById($id);
 		} catch (InternalError $e) {
@@ -720,6 +720,12 @@ public function delete(int $id, ?int $viewId, string $userId): Row2 {
 				throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': ' . $e->getMessage());
 			}
 		} else {
+			if ($tableId !== null && $tableId !== $item->getTableId()) {
+				$e = new \Exception('Row does not belong to table with id ' . $tableId);
+				$this->logger->error($e->getMessage(), ['exception' => $e]);
+				throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': ' . $e->getMessage());
+			}
+
 			// security
 			if (!$this->permissionsService->canReadRowsByElementId($item->getTableId(), 'table', $userId)) {
 				$e = new \Exception('Row not found.');