From c87b1964080b8eacf25e2e728653c6d24379987b Mon Sep 17 00:00:00 2001
From: Ruben van der Linde
Date: Tue, 24 Mar 2026 10:42:26 +0100
Subject: [PATCH 1/3] fix: Bypass RBAC and multitenancy checks in CLI context (#973)
When running from CLI (occ commands, repair steps, cron jobs), there is no user session or active organisation. The RBAC check in hasRbacPermission() returned false in both cases, blocking app configuration imports via repair steps. Now checks OC::$CLI and allows access when running from the command line, since these are trusted system operations. Fixes #973
---
 lib/Db/MultiTenancyTrait.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/lib/Db/MultiTenancyTrait.php b/lib/Db/MultiTenancyTrait.php
index c8a537f73..0ed1afdb5 100644
--- a/lib/Db/MultiTenancyTrait.php
+++ b/lib/Db/MultiTenancyTrait.php
@@ -693,6 +693,11 @@ protected function hasRbacPermission(string $action, string $entityType): bool
 $activeOrg = $this->organisationService->getActiveOrganisation();
 if ($activeOrg === null) {
+ // CLI context — no active organisation is expected. Allow access.
+ if (\OC::$CLI === true) {
+ return true;
+ }
+
 // No active organisation, deny access.
 return false;
 }
@@ -717,6 +722,12 @@ protected function hasRbacPermission(string $action, string $entityType): bool
 $user = $this->userSession->getUser();
 if ($user === null) {
+ // CLI context (occ commands, repair steps, cron jobs) — no user session exists.
+ // These are trusted system operations that must always succeed.
+ if (\OC::$CLI === true) {
+ return true;
+ }
+
 return false;
 }
From c719e7c4cd7608dae002f03690198f2f6c6533ba Mon Sep 17 00:00:00 2001
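Review bot: The two added `return true` branches grant every `$action` on every `$entityType` based only on the process SAPI, so the authorization decision fails open for anything started from the command line, not just the repair-step import named in the commit message. The same pattern is in both hunks (the `$activeOrg === null` branch and the `$user === null` branch), and the organisation branch sits earlier in the function, so it appears to return before the user check is reached. Background jobs run by system cron also execute under CLI and may process work on behalf of a tenant, so presumably they now skip organisation scoping too; letting the trusted caller opt in explicitly and keeping deny as the default would be narrower. At minimum the bypass should be logged and the trust assumption written down, e.g. `// SECURITY: CLI callers bypass RBAC and tenant isolation; anyone able to run occ or a cron job is treated as a full administrator.` The body of hasRbacPermission() starts and ends outside both hunks.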
From: Ruben van der Linde
Date: Tue, 24 Mar 2026 11:01:34 +0100
Subject: [PATCH 2/3] refactor: Use PHP_SAPI instead of \OC::$CLI for CLI detection
\OC::$CLI is a legacy Nextcloud accessor that may be deprecated. PHP_SAPI === 'cli' is a pure PHP constant with no framework dependency, making it future-proof.
---
 lib/Db/MultiTenancyTrait.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/Db/MultiTenancyTrait.php b/lib/Db/MultiTenancyTrait.php
index 0ed1afdb5..33f43b5ff 100644
--- a/lib/Db/MultiTenancyTrait.php
+++ b/lib/Db/MultiTenancyTrait.php
@@ -694,7 +694,7 @@ protected function hasRbacPermission(string $action, string $entityType): bool
 $activeOrg = $this->organisationService->getActiveOrganisation();
 if ($activeOrg === null) {
 // CLI context — no active organisation is expected. Allow access.
- if (\OC::$CLI === true) {
+ if (PHP_SAPI === 'cli') {
 return true;
 }
@@ -724,7 +724,7 @@ protected function hasRbacPermission(string $action, string $entityType): bool
 if ($user === null) {
 // CLI context (occ commands, repair steps, cron jobs) — no user session exists.
 // These are trusted system operations that must always succeed.
- if (\OC::$CLI === true) {
+ if (PHP_SAPI === 'cli') {
 return true;
 }
From ad3b25732a0ca81dba5df3586eb050bf692b1097 Mon Sep 17 00:00:00 2001
From: Ruben van der Linde
Date: Wed, 25 Mar 2026 16:50:07 +0100
Subject: [PATCH 3/3] chore: retrigger checks
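Review bot: `PHP_SAPI` is a constant that is also `'cli'` when the test suite runs under PHPUnit, so after this change the deny paths for a missing organisation and a missing user can no longer be reached from a unit test, whereas the static `\OC::$CLI` could at least be toggled by a test. This applies to both hunks. Wrapping the check in one overridable method keeps the framework independence the commit message asks for and defines the condition once instead of twice: `protected function isCliContext(): bool { return PHP_SAPI === 'cli'; }` with `if ($this->isCliContext() === true) {` at both call sites. hasRbacPermission() begins and ends outside the hunks, so whether tests for the deny paths exist is not visible here.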