feat(permissions): Split chat and reaction permissions

docs/capabilities.md

@@ -205,3 +205,8 @@
 * `scheduled-messages` (local) - Whether a user can schedule messages
 * `config => call => live-translation` - Whether live translation is supported in calls
 * `config => call => live-transcription-target-language-id` (local) - User defined string value with the id of the target language to use for live translations
+
+## 24
+* `react-permission` - When permission 256 is required to add reactions (previously handled by the chat permission)
+* `config => permissions => max-default` - Maximum value for default permissions (510 with react-permission, 254 without)
+* `config => permissions => max-custom` - Maximum value for custom permissions (511 with react-permission, 255 without)

docs/constants.md

@@ -110,7 +110,8 @@
 * `16` Can publish audio stream
 * `32` Can publish video stream
 * `64` Can publish screen sharing stream
-* `128` Can post chat message, share items and do reactions
+* `128` Can post chat message and share items
+* `256` Can add reactions (New in Nextcloud 34, previously handled by the chat permission)
 
 ### Attendee permission modifications
 * `set` - Setting this permission set.

docs/react-permission-integration.md

@@ -0,0 +1,56 @@
+# React Permission Integration Guide
+
+This document describes the changes needed for frontend clients to support the new separate reaction permission introduced in Talk 24 (Nextcloud 34).
+
+## Background
+
+Previously, the CHAT permission (128) controlled both posting messages and adding reactions. This has been split into two separate permissions:
+
+- **CHAT (128)**: Post messages and share items
+- **REACT (256)**: Add/remove reactions
+
+## New Capability
+
+A new capability `react-permission` indicates server support for the separate reaction permission.
+
+```
+features: [..., "react-permission", ...]
+```
+
+## Permission Constants
+
+```
+PERMISSIONS_REACT = 256
+PERMISSIONS_MAX_DEFAULT = 510  // was 254
+PERMISSIONS_MAX_CUSTOM = 511   // was 255
+```
+
+## Implementation
+
+### Checking if user can react
+
+```javascript
+const hasReactPermissionCapability = capabilities.features.includes('react-permission')
+
+const permissionToCheck = hasReactPermissionCapability
+    ? PERMISSIONS_REACT   // 256
+    : PERMISSIONS_CHAT    // 128 (fallback for older servers)
+
+const canReact = (participant.permissions & permissionToCheck) !== 0
+```
+
+### Why the fallback is needed
+
+When federating with older Nextcloud servers or when the desktop client connects to an older server, the `react-permission` capability won't be present. In this case, clients should fall back to checking the CHAT permission, as that's what controlled reactions before this change.
+
+## Migration
+
+The backend migration automatically grants the REACT permission to all users who previously had the CHAT permission, ensuring backward compatibility.
+
+## UI Changes
+
+The permissions editor should show two separate checkboxes:
+- "Can post messages" (CHAT - 128)
+- "Can add reactions" (REACT - 256)
+
+Instead of the previous combined "Can post messages and reactions" checkbox.

docs/reaction.md

@@ -19,6 +19,7 @@ Base endpoint is: `/ocs/v2.php/apps/spreed/api/v1`: since Nextcloud 24
         + `200 OK` Reaction already exists
         + `201 Created` User reacted with a new reaction
         + `400 Bad Request` In case of no reaction support, message out of reactions context or any other error
+        + `403 Forbidden` When the participant does not have the required permission to react (see attendee permission `256`)
         + `404 Not Found` When the conversation or message to react could not be found for the participant
 
     - Data:
@@ -45,8 +46,9 @@ Base endpoint is: `/ocs/v2.php/apps/spreed/api/v1`: since Nextcloud 24
 
 * Response:
     - Status code:
-        + `201 Created`
+        + `200 OK`
         + `400 Bad Request` In case of no reaction support, message out of reactions context or any other error
+        + `403 Forbidden` When the participant does not have the required permission to react (see attendee permission `256`)
         + `404 Not Found` When the conversation or message to react or reaction could not be found for the participant
 
     - Data:

l10n/hr.js

@@ -608,6 +608,7 @@ OC.L10N.register(
     "A TURN server is used to proxy the traffic from participants behind a firewall. If individual participants cannot connect to others a TURN server is most likely required. See {linkstart}this documentation{linkend} for setup instructions." : "Poslužitelj TURN upotrebljava se za usmjeravanje prometa sudionika iza vatrozida. Ako se pojedini sudionici ne mogu povezati s drugim sudionicima, vjerojatno je potreban poslužitelj TURN. Upute za postavljanje poslužitelja možete pronaći u {linkstart}ovoj dokumentaciji{linkend}.",
     "TURN servers" : "Poslužitelji TURN",
     "OK" : "U redu",
+    "Federated user" : "Federirani korisnik",
     "Confirm" : "Potvrdi",
     "Reset" : "Resetiraj",
     "Cancel" : "Odustani",
@@ -622,6 +623,7 @@ OC.L10N.register(
     "Save" : "Spremi",
     "Search participants" : "Pretraži sudionike",
     "No results" : "Nema rezultata",
+    "Done" : "Gotovo",
     "Raise hand" : "Podigni ruku",
     "Raise hand (R)" : "Podigni ruku (R)",
     "Lower hand" : "Spusti ruku",
@@ -670,6 +672,7 @@ OC.L10N.register(
     "Post message" : "Objavi poruku",
     "Favorite" : "Favorit",
     "Date:" : "Datum:",
+    "Note:" : "Napomena:",
     "Hide details" : "Sakrij pojedinosti",
     "Show details" : "Prikaži pojedinosti",
     "Error while updating conversation description" : "Pogreška pri ažuriranju opisa razgovora",
@@ -768,6 +771,7 @@ OC.L10N.register(
     "No microphone available" : "Nema dostupnih mikrofona",
     "Select camera" : "Odaberi kameru",
     "No camera available" : "Nema dostupnih kamera",
+    "Select a device" : "Odaberi uređaj",
     "Test" : "Ispitivanje",
     "Devices" : "Uređaji",
     "No audio" : "Nema zvuka",
@@ -778,16 +782,19 @@ OC.L10N.register(
     "Error while accessing microphone" : "Došlo je do pogreške pri pristupanju mikrofonu",
     "Access to camera is only possible with HTTPS" : "Pristup kameri moguć je samo putem HTTPS-a",
     "Invalid path selected" : "Odabran nevažeći put",
+    "Blur" : "Zamućenje",
     "Upload" : "Otpremi",
     "Files" : "Datoteke",
     "24 hours" : "24 sata",
     "Reply" : "Odgovori",
     "More actions" : "Dodatne radnje",
+    "Set reminder" : "Postavi podsjetnik",
     "Reply privately" : "Odgovori privatno",
     "Copy message link" : "Kopiraj poveznicu poruke",
     "Go to file" : "Idi na datoteku",
     "Forward message" : "Proslijedi poruku",
     "Translate" : "Prevedi",
+    "Set custom reminder" : "Postavi prilagođeni podsjetnik",
     "Choose a conversation to forward the selected message." : "Odaberite razgovor u koji ćete proslijediti odabranu poruku.",
     "Error while forwarding message" : "Pogreška pri prosljeđivanju poruke",
     "The message has been forwarded to {selectedConversationName}" : "Poruka je proslijeđena u {selectedConversationName}",
@@ -1057,6 +1064,10 @@ OC.L10N.register(
     "Join »%s«" : "Pridruži se »%s«",
     "Always show the device preview screen before joining a call in this conversation." : "Uvijek prikažite zaslon za pretpregled uređaja prije pridruživanja pozivu u ovom razgovoru.",
     "Talk settings" : "Postavke razgovora",
+    "Set reminder for later today" : "Postavi podsjetnik za kasnije danas",
+    "Set reminder for tomorrow" : "Postavi podsjetnik za sutra",
+    "Set reminder for this weekend" : "Postavi podsjetnik za ovaj vikend",
+    "Set reminder for next week" : "Postavi podsjetnik na sljedeći tjedan",
     "Today" : "Danas",
     "Yesterday" : "Jučer",
     "_%n day ago_::_%n days ago_" : ["Prije %n dana","Prije %n dana","Prije %n dana"],

l10n/hr.json

@@ -606,6 +606,7 @@
     "A TURN server is used to proxy the traffic from participants behind a firewall. If individual participants cannot connect to others a TURN server is most likely required. See {linkstart}this documentation{linkend} for setup instructions." : "Poslužitelj TURN upotrebljava se za usmjeravanje prometa sudionika iza vatrozida. Ako se pojedini sudionici ne mogu povezati s drugim sudionicima, vjerojatno je potreban poslužitelj TURN. Upute za postavljanje poslužitelja možete pronaći u {linkstart}ovoj dokumentaciji{linkend}.",
     "TURN servers" : "Poslužitelji TURN",
     "OK" : "U redu",
+    "Federated user" : "Federirani korisnik",
     "Confirm" : "Potvrdi",
     "Reset" : "Resetiraj",
     "Cancel" : "Odustani",
@@ -620,6 +621,7 @@
     "Save" : "Spremi",
     "Search participants" : "Pretraži sudionike",
     "No results" : "Nema rezultata",
+    "Done" : "Gotovo",
     "Raise hand" : "Podigni ruku",
     "Raise hand (R)" : "Podigni ruku (R)",
     "Lower hand" : "Spusti ruku",
@@ -668,6 +670,7 @@
     "Post message" : "Objavi poruku",
     "Favorite" : "Favorit",
     "Date:" : "Datum:",
+    "Note:" : "Napomena:",
     "Hide details" : "Sakrij pojedinosti",
     "Show details" : "Prikaži pojedinosti",
     "Error while updating conversation description" : "Pogreška pri ažuriranju opisa razgovora",
@@ -766,6 +769,7 @@
     "No microphone available" : "Nema dostupnih mikrofona",
     "Select camera" : "Odaberi kameru",
     "No camera available" : "Nema dostupnih kamera",
+    "Select a device" : "Odaberi uređaj",
     "Test" : "Ispitivanje",
     "Devices" : "Uređaji",
     "No audio" : "Nema zvuka",
@@ -776,16 +780,19 @@
     "Error while accessing microphone" : "Došlo je do pogreške pri pristupanju mikrofonu",
     "Access to camera is only possible with HTTPS" : "Pristup kameri moguć je samo putem HTTPS-a",
     "Invalid path selected" : "Odabran nevažeći put",
+    "Blur" : "Zamućenje",
     "Upload" : "Otpremi",
     "Files" : "Datoteke",
     "24 hours" : "24 sata",
     "Reply" : "Odgovori",
     "More actions" : "Dodatne radnje",
+    "Set reminder" : "Postavi podsjetnik",
     "Reply privately" : "Odgovori privatno",
     "Copy message link" : "Kopiraj poveznicu poruke",
     "Go to file" : "Idi na datoteku",
     "Forward message" : "Proslijedi poruku",
     "Translate" : "Prevedi",
+    "Set custom reminder" : "Postavi prilagođeni podsjetnik",
     "Choose a conversation to forward the selected message." : "Odaberite razgovor u koji ćete proslijediti odabranu poruku.",
     "Error while forwarding message" : "Pogreška pri prosljeđivanju poruke",
     "The message has been forwarded to {selectedConversationName}" : "Poruka je proslijeđena u {selectedConversationName}",
@@ -1055,6 +1062,10 @@
     "Join »%s«" : "Pridruži se »%s«",
     "Always show the device preview screen before joining a call in this conversation." : "Uvijek prikažite zaslon za pretpregled uređaja prije pridruživanja pozivu u ovom razgovoru.",
     "Talk settings" : "Postavke razgovora",
+    "Set reminder for later today" : "Postavi podsjetnik za kasnije danas",
+    "Set reminder for tomorrow" : "Postavi podsjetnik za sutra",
+    "Set reminder for this weekend" : "Postavi podsjetnik za ovaj vikend",
+    "Set reminder for next week" : "Postavi podsjetnik na sljedeći tjedan",
     "Today" : "Danas",
     "Yesterday" : "Jučer",
     "_%n day ago_::_%n days ago_" : ["Prije %n dana","Prije %n dana","Prije %n dana"],

lib/Capabilities.php

@@ -9,6 +9,7 @@
 namespace OCA\Talk;
 
 use OCA\Talk\Chat\ChatManager;
+use OCA\Talk\Model\Attendee;
 use OCA\Talk\Service\LiveTranscriptionService;
 use OCP\App\IAppManager;
 use OCP\AppFramework\Services\IAppConfig;
@@ -78,6 +79,7 @@ class Capabilities implements IPublicCapability {
 		'rich-object-delete',
 		'unified-search',
 		'chat-permission',
+		'react-permission',
 		'silent-send',
 		'silent-call',
 		'send-call-notification',
@@ -202,6 +204,8 @@ class Capabilities implements IPublicCapability {
 		'experiments' => [
 			'enabled',
 		],
+		'permissions' => [
+		],
 	];
 
 	protected ICache $talkCache;
@@ -294,6 +298,10 @@ public function getCapabilities(): array {
 				'experiments' => [
 					'enabled' => max(0, $this->appConfig->getAppValueInt($user instanceof IUser ? 'experiments_users' : 'experiments_guests')),
 				],
+				'permissions' => [
+					'max-default' => Attendee::PERMISSIONS_MAX_DEFAULT,
+					'max-custom' => Attendee::PERMISSIONS_MAX_CUSTOM,
+				],
 			],
 			'config-local' => self::LOCAL_CONFIGS,
 			'version' => $this->appManager->getAppVersion('spreed'),

lib/Config.php

@@ -281,7 +281,7 @@ public function isNotAllowedToCreateConversations(IUser $user): bool {
 	}
 
 	/**
-	 * @return int<0, 255>
+	 * @return int<0, 511>
 	 * @psalm-return int-mask-of<Attendee::PERMISSIONS_*>
 	 */
 	public function getDefaultPermissions(): int {

lib/Controller/ReactionController.php

@@ -56,7 +56,7 @@ public function __construct(
 	#[PublicPage]
 	#[RequireModeratorOrNoLobby]
 	#[RequireParticipant]
-	#[RequirePermission(permission: RequirePermission::CHAT)]
+	#[RequirePermission(permission: RequirePermission::REACT)]
 	#[RequireReadWriteConversation]
 	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	#[ApiRoute(verb: 'POST', url: '/api/{apiVersion}/reaction/{token}/{messageId}', requirements: [
@@ -108,7 +108,7 @@ public function react(int $messageId, string $reaction): DataResponse {
 	#[PublicPage]
 	#[RequireModeratorOrNoLobby]
 	#[RequireParticipant]
-	#[RequirePermission(permission: RequirePermission::CHAT)]
+	#[RequirePermission(permission: RequirePermission::REACT)]
 	#[RequireReadWriteConversation]
 	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	#[ApiRoute(verb: 'DELETE', url: '/api/{apiVersion}/reaction/{token}/{messageId}', requirements: [

lib/Controller/RoomController.php

@@ -610,7 +610,7 @@ protected function formatRoom(
 	 * @psalm-param non-negative-int|null $lobbyTimer
 	 * @param 0|1|2 $sipEnabled Whether SIP dial-in shall be enabled (only available with `conversation-creation-all` capability)
 	 * @psalm-param Webinary::SIP_* $sipEnabled
-	 * @param int<0, 255> $permissions Default permissions for participants (only available with `conversation-creation-all` capability)
+	 * @param int<0, 511> $permissions Default permissions for participants (only available with `conversation-creation-all` capability)
 	 * @psalm-param int-mask-of<Attendee::PERMISSIONS_*> $permissions
 	 * @param 0|1 $recordingConsent Whether participants need to agree to a recording before joining a call (only available with `conversation-creation-all` capability)
 	 * @psalm-param RecordingService::CONSENT_REQUIRED_NO|RecordingService::CONSENT_REQUIRED_YES $recordingConsent
@@ -2665,7 +2665,7 @@ protected function changeParticipantType(int $attendeeId, bool $promote): DataRe
 	 * Update the permissions of a room
 	 *
 	 * @param 'call'|'default' $mode Level of the permissions ('call' (removed in Talk 20), 'default')
-	 * @param int<0, 255> $permissions New permissions
+	 * @param int<0, 511> $permissions New permissions
 	 * @psalm-param int-mask-of<Attendee::PERMISSIONS_*> $permissions
 	 * @return DataResponse<Http::STATUS_OK, TalkRoom, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'breakout-room'|'mode'|'type'|'value'}, array{}>
 	 *
@@ -2699,7 +2699,7 @@ public function setPermissions(string $mode, int $permissions): DataResponse {
 	 * @param int $attendeeId ID of the attendee
 	 * @psalm-param non-negative-int $attendeeId
 	 * @param 'set'|'remove'|'add' $method Method of updating permissions ('set', 'remove', 'add')
-	 * @param int<0, 255> $permissions New permissions
+	 * @param int<0, 511> $permissions New permissions
 	 * @psalm-param int-mask-of<Attendee::PERMISSIONS_*> $permissions
 	 * @return DataResponse<Http::STATUS_OK, list<TalkParticipant>, array{X-Nextcloud-Has-User-Statuses?: true}>|DataResponse<Http::STATUS_BAD_REQUEST|Http::STATUS_FORBIDDEN|Http::STATUS_NOT_FOUND, array{error: 'participant'|'method'|'moderator'|'room-type'|'type'|'value'}, array{}>
 	 *
@@ -2738,7 +2738,7 @@ public function setAttendeePermissions(int $attendeeId, string $method, int $per
 	 *
 	 * @param 'set'|'remove'|'add' $method Method of updating permissions ('set', 'remove', 'add')
 	 * @psalm-param Attendee::PERMISSIONS_MODIFY_* $method
-	 * @param int<0, 255> $permissions New permissions
+	 * @param int<0, 511> $permissions New permissions
 	 * @psalm-param int-mask-of<Attendee::PERMISSIONS_*> $permissions
 	 * @return DataResponse<Http::STATUS_OK, TalkRoom, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, null, array{}>
 	 * @deprecated Call permissions have been removed

lib/Middleware/Attribute/RequirePermission.php

@@ -19,6 +19,7 @@
 class RequirePermission {
 
 	public const CHAT = 'chat';
+	public const REACT = 'react';
 	public const START_CALL = 'call-start';
 
 	public function __construct(

lib/Middleware/InjectionMiddleware.php

@@ -346,6 +346,9 @@ protected function checkPermission(AEnvironmentAwareOCSController $controller, s
 		if ($permission === RequirePermission::CHAT && !($participant->getPermissions() & Attendee::PERMISSIONS_CHAT)) {
 			throw new PermissionsException();
 		}
+		if ($permission === RequirePermission::REACT && !($participant->getPermissions() & Attendee::PERMISSIONS_REACT)) {
+			throw new PermissionsException();
+		}
 		if ($permission === RequirePermission::START_CALL && !($participant->getPermissions() & Attendee::PERMISSIONS_CALL_START)) {
 			throw new PermissionsException();
 		}