Describe the bug
Currently everybody with the user role "Space Admin" is able to List and Update all Personal Spaces. I believe the intention of the "Space Admin" role was to provide access only to the Project Spaces. We need to clarify that and adjust the code accordingly.
Steps to reproduce
- List all Spaces. User "margaret" is a Space Admin:
curl -kv -u margaret:demo 'https://localhost:9200/graph/v1.0/drives/' | jq .
.
.
.
{
"driveAlias": "personal/mary",
"driveType": "personal",
"id": "a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237",
"lastModifiedDateTime": "2026-06-19T09:28:57.725538965Z",
"name": "Mary Kenneth Keller",
"owner": {
"user": {
"displayName": "",
"id": "056fc874-dd7f-11ef-ba84-af6fca4b7289"
}
},
"quota": {
"remaining": 9223372036854775807,
"state": "normal",
"total": 0,
"used": 0
},
"root": {
"eTag": "\"4515f9c5ca27472e4aaf2c9d9cdf448e\"",
"id": "a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237",
"webDavUrl": "https://localhost:9200/dav/spaces/a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237"
},
"webUrl": "https://localhost:9200/f/a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237"
},
{
"driveAlias": "project/new-space",
"driveType": "project",
"id": "a391c07a-82b9-4b10-a2c6-467edf7060e3$e66050af-86bc-409e-a8a7-a74bf68b70f6",
"lastModifiedDateTime": "2026-06-19T09:12:44.841050855Z",
"name": "New space",
"owner": {
"user": {
"displayName": "",
"id": "e66050af-86bc-409e-a8a7-a74bf68b70f6"
}
},
"quota": {
"remaining": 999989033,
"state": "normal",
"total": 1000000000,
"used": 10967
},
"root": {
"eTag": "\"2440e65b2667da3ef45402bde37287c3\"",
"id": "a391c07a-82b9-4b10-a2c6-467edf7060e3$e66050af-86bc-409e-a8a7-a74bf68b70f6",
"webDavUrl": "https://localhost:9200/dav/spaces/a391c07a-82b9-4b10-a2c6-467edf7060e3$e66050af-86bc-409e-a8a7-a74bf68b70f6"
},
"webUrl": "https://localhost:9200/f/a391c07a-82b9-4b10-a2c6-467edf7060e3$e66050af-86bc-409e-a8a7-a74bf68b70f6"
}
]
}
- Update a Personal Space "name" or "description":
curl -kv -u margaret:demo 'https://localhost:9200/graph/v1.0/drives/a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237' -X PATCH --data '{"name": "oops"}' | jq .
{
"driveAlias": "personal/mary",
"driveType": "personal",
"id": "a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237",
"lastModifiedDateTime": "2026-06-19T09:30:29.561177105Z",
"name": "oops",
"owner": {
"user": {
"displayName": "",
"id": "056fc874-dd7f-11ef-ba84-af6fca4b7289"
}
},
"quota": {
"remaining": 9223372036854775807,
"state": "normal",
"total": 0,
"used": 0
},
"root": {
"eTag": "\"b0d7b4a0953a02f23bd20a88760ee180\"",
"id": "a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237",
"webDavUrl": "https://localhost:9200/dav/spaces/a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237"
},
"webUrl": "https://localhost:9200/f/a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237"
}
- Luckily updating the quota is not allowed:
curl -kv -u margaret:demo 'https://localhost:9200/graph/v1.0/drives/a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237' -X PATCH --data '{"quota": {"total": 1000} }' | jq .
{
"error": {
"code": "notAllowed",
"innererror": {
"date": "2026-06-19T09:31:38Z",
"request-id": "510a2d98d06e/nGYHzGNHLf-000440"
},
"message": "user is not allowed to set the space quota"
}
}
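A regression check for the listing step above, added here as an example; it is not part of the original report and not the project's own code. It flags personal drives in a `/graph/v1.0/drives/` response that the caller does not own. Assumptions: the response array sits under a top-level `value` key, a personal drive's `owner.user.id` is the owning user's ID, and `constructed-margaret-id` is a placeholder because the report does not show margaret's user ID.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the two drives from the report, trimmed to the fields
// the check reads. The top-level "value" key is an assumption.
const sampleListing = `{"value": [
  {"id": "a391c07a-82b9-4b10-a2c6-467edf7060e3$d591e739-d1c5-4f51-b8f9-59fbd807a237",
   "driveType": "personal", "owner": {"user": {"id": "056fc874-dd7f-11ef-ba84-af6fca4b7289"}}},
  {"id": "a391c07a-82b9-4b10-a2c6-467edf7060e3$e66050af-86bc-409e-a8a7-a74bf68b70f6",
   "driveType": "project", "owner": {"user": {"id": "e66050af-86bc-409e-a8a7-a74bf68b70f6"}}}
]}`

type drive struct {
	ID        string `json:"id"`
	DriveType string `json:"driveType"`
	Owner     struct {
		User struct {
			ID string `json:"id"`
		} `json:"user"`
	} `json:"owner"`
}

// ForeignPersonalDrives returns the IDs of personal drives in a listing
// response whose owner is not callerID. Under the scoping the report
// proposes, a Space Admin's listing would yield an empty result.
func ForeignPersonalDrives(listing []byte, callerID string) ([]string, error) {
	var resp struct {
		Value []drive `json:"value"`
	}
	if err := json.Unmarshal(listing, &resp); err != nil {
		return nil, fmt.Errorf("decode drive listing: %w", err)
	}
	ids := []string{}
	for _, d := range resp.Value {
		if d.DriveType == "personal" && d.Owner.User.ID != callerID {
			ids = append(ids, d.ID)
		}
	}
	return ids, nil
}

func main() {
	// Placeholder caller ID (constructed); prints the one foreign personal drive.
	ids, err := ForeignPersonalDrives([]byte(sampleListing), "constructed-margaret-id")
	fmt.Println(ids, err)
}
```

Run against a saved listing for a Space Admin account, a non-empty result means the exposure described in this report is still present.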