diff --git a/apps/files_external/lib/Controller/AjaxController.php b/apps/files_external/lib/Controller/AjaxController.php index 5cee642253010..68a6007890c3e 100644 --- a/apps/files_external/lib/Controller/AjaxController.php +++ b/apps/files_external/lib/Controller/AjaxController.php @@ -7,10 +7,13 @@ */ namespace OCA\Files_External\Controller; +use OC\Settings\AuthorizedGroupMapper; use OCA\Files_External\Lib\Auth\Password\GlobalAuth; use OCA\Files_External\Lib\Auth\PublicKey\RSA; +use OCA\Files_External\Settings\Admin; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting; use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired; use OCP\AppFramework\Http\JSONResponse; @@ -36,6 +39,7 @@ public function __construct( private IUserSession $userSession, private IGroupManager $groupManager, private IL10N $l10n, + private AuthorizedGroupMapper $authorizedGroupMapper, ) { parent::__construct($appName, $request); } @@ -86,10 +90,14 @@ public function saveGlobalCredentials($uid, $user, $password): JSONResponse { ], Http::STATUS_UNAUTHORIZED); } - // Non-admins can only edit their own credentials - // Admin can edit global credentials + // Non-admins can only edit their own credentials. + // Admin or delegated admin can edit global credentials (uid === ''). + // Cannot use #[AuthorizedAdminSetting] here because this endpoint is + // #[NoAdminRequired] and must also allow users to edit their own (uid !== '') + // credentials — the two paths share one method. $allowedToEdit = $uid === '' ? $this->groupManager->isAdmin($currentUser->getUID()) + || in_array(Admin::class, $this->authorizedGroupMapper->findAllClassesForUser($currentUser), true) : $currentUser->getUID() === $uid; if ($allowedToEdit) { diff --git a/apps/files_external/lib/Controller/GlobalStoragesController.php b/apps/files_external/lib/Controller/GlobalStoragesController.php index e7274c9cfb64c..1a3ce7011dea7 100644 --- a/apps/files_external/lib/Controller/GlobalStoragesController.php +++ b/apps/files_external/lib/Controller/GlobalStoragesController.php @@ -9,7 +9,9 @@ use OCA\Files_External\NotFoundException; use OCA\Files_External\Service\GlobalStoragesService; +use OCA\Files_External\Settings\Admin; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting; use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IConfig; @@ -71,6 +73,7 @@ public function __construct( * * @return DataResponse */ + #[AuthorizedAdminSetting(settings: Admin::class)] #[PasswordConfirmationRequired(strict: true)] public function create( $mountPoint, @@ -136,6 +139,7 @@ public function create( * * @return DataResponse */ + #[AuthorizedAdminSetting(settings: Admin::class)] #[PasswordConfirmationRequired(strict: true)] public function update( $id, @@ -186,4 +190,22 @@ public function update( Http::STATUS_OK ); } + + // PHP attributes are not inherited, so these methods override the parent + // solely to attach #[AuthorizedAdminSetting] and expose them to delegated admins. + #[AuthorizedAdminSetting(settings: Admin::class)] + public function index() { + return parent::index(); + } + + #[AuthorizedAdminSetting(settings: Admin::class)] + public function show(int $id, $testOnly = true) { + return parent::show($id, $testOnly); + } + + #[AuthorizedAdminSetting(settings: Admin::class)] + #[PasswordConfirmationRequired(strict: true)] + public function destroy(int $id) { + return parent::destroy($id); + } } diff --git a/apps/files_external/lib/Settings/Admin.php b/apps/files_external/lib/Settings/Admin.php index 9af0f3c61c16b..402ae8da2ab37 100644 --- a/apps/files_external/lib/Settings/Admin.php +++ b/apps/files_external/lib/Settings/Admin.php @@ -60,4 +60,13 @@ public function getSection() { public function getPriority() { return 40; } + + public function getName(): string { + return $this->l10n->t('External storage'); + } + + public function getAuthorizedAppConfig(): array { + // No app config keys require delegation for external storage. + return []; + } } diff --git a/apps/files_external/tests/Controller/AjaxControllerTest.php b/apps/files_external/tests/Controller/AjaxControllerTest.php index b1ea7a2b1b1b6..196d26bfbf0c8 100644 --- a/apps/files_external/tests/Controller/AjaxControllerTest.php +++ b/apps/files_external/tests/Controller/AjaxControllerTest.php @@ -7,10 +7,13 @@ */ namespace OCA\Files_External\Tests\Controller; +use OC\Settings\AuthorizedGroupMapper; use OCA\Files_External\Controller\AjaxController; use OCA\Files_External\Lib\Auth\Password\GlobalAuth; use OCA\Files_External\Lib\Auth\PublicKey\RSA; +use OCA\Files_External\Settings\Admin; use OCP\AppFramework\Http\JSONResponse; +use OCP\IGroup; use OCP\IGroupManager; use OCP\IL10N; use OCP\IRequest; @@ -26,6 +29,7 @@ class AjaxControllerTest extends TestCase { private IUserSession&MockObject $userSession; private IGroupManager&MockObject $groupManager; private IL10N&MockObject $l10n; + private AuthorizedGroupMapper&MockObject $authorizedGroupMapper; private AjaxController $ajaxController; protected function setUp(): void { @@ -35,6 +39,7 @@ protected function setUp(): void { $this->userSession = $this->createMock(IUserSession::class); $this->groupManager = $this->createMock(IGroupManager::class); $this->l10n = $this->createMock(IL10N::class); + $this->authorizedGroupMapper = $this->createMock(AuthorizedGroupMapper::class); $this->ajaxController = new AjaxController( 'files_external', @@ -44,6 +49,7 @@ protected function setUp(): void { $this->userSession, $this->groupManager, $this->l10n, + $this->authorizedGroupMapper, ); $this->l10n->expects($this->any()) @@ -58,6 +64,50 @@ protected function setUp(): void { parent::setUp(); } + public function testGetApplicableEntitiesReturnsGroupsAndUsers(): void { + $group = $this->createMock(IGroup::class); + $group->method('getGID')->willReturn('group1'); + $group->method('getDisplayName')->willReturn('Group One'); + + $user = $this->createMock(IUser::class); + $user->method('getUID')->willReturn('user1'); + $user->method('getDisplayName')->willReturn('User One'); + + $this->groupManager + ->expects($this->once()) + ->method('search') + ->with('test', 10, 0) + ->willReturn([$group]); + $this->userManager + ->expects($this->once()) + ->method('searchDisplayName') + ->with('test', 10, 0) + ->willReturn([$user]); + + $response = $this->ajaxController->getApplicableEntities('test', 10, 0); + $this->assertSame(200, $response->getStatus()); + $this->assertSame(['group1' => 'Group One'], $response->getData()['groups']); + $this->assertSame(['user1' => 'User One'], $response->getData()['users']); + } + + public function testGetApplicableEntitiesWithNoResults(): void { + $this->groupManager + ->expects($this->once()) + ->method('search') + ->with('', null, null) + ->willReturn([]); + $this->userManager + ->expects($this->once()) + ->method('searchDisplayName') + ->with('', null, null) + ->willReturn([]); + + $response = $this->ajaxController->getApplicableEntities(); + $this->assertSame(200, $response->getStatus()); + $this->assertSame([], $response->getData()['groups']); + $this->assertSame([], $response->getData()['users']); + } + public function testGetSshKeys(): void { $this->rsa ->expects($this->once()) @@ -149,4 +199,91 @@ public function testSaveGlobalCredentialsAsNormalUserForAnotherUser(): void { $this->assertSame($response->getStatus(), 403); $this->assertSame('Permission denied', $response->getData()['message']); } + + public function testSaveGlobalCredentialsAsAdminForGlobal(): void { + $user = $this->createMock(IUser::class); + $user->method('getUID')->willReturn('MyAdminUid'); + $this->userSession->method('getUser')->willReturn($user); + $this->groupManager + ->expects($this->once()) + ->method('isAdmin') + ->with('MyAdminUid') + ->willReturn(true); + $this->authorizedGroupMapper + ->expects($this->never()) + ->method('findAllClassesForUser'); + $this->globalAuth + ->expects($this->once()) + ->method('saveAuth') + ->with('', 'test', 'password'); + + $response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password'); + $this->assertSame(200, $response->getStatus()); + } + + public function testSaveGlobalCredentialsAsDelegatedAdminForGlobal(): void { + $user = $this->createMock(IUser::class); + $user->method('getUID')->willReturn('DelegatedUid'); + $this->userSession->method('getUser')->willReturn($user); + $this->groupManager + ->expects($this->once()) + ->method('isAdmin') + ->with('DelegatedUid') + ->willReturn(false); + $this->authorizedGroupMapper + ->expects($this->once()) + ->method('findAllClassesForUser') + ->with($user) + ->willReturn([Admin::class]); + $this->globalAuth + ->expects($this->once()) + ->method('saveAuth') + ->with('', 'test', 'password'); + + $response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password'); + $this->assertSame(200, $response->getStatus()); + } + + public function testSaveGlobalCredentialsAsDelegatedAdminForAnotherUser(): void { + // Delegated admins may only set global (uid='') credentials, not impersonate other users. + $user = $this->createMock(IUser::class); + $user->method('getUID')->willReturn('DelegatedUid'); + $this->userSession->method('getUser')->willReturn($user); + $this->groupManager + ->expects($this->never()) + ->method('isAdmin'); + $this->authorizedGroupMapper + ->expects($this->never()) + ->method('findAllClassesForUser'); + $this->globalAuth + ->expects($this->never()) + ->method('saveAuth'); + + $response = $this->ajaxController->saveGlobalCredentials('OtherUserUid', 'test', 'password'); + $this->assertSame(403, $response->getStatus()); + $this->assertSame('Permission denied', $response->getData()['message']); + } + + public function testSaveGlobalCredentialsAsNormalUserForGlobal(): void { + $user = $this->createMock(IUser::class); + $user->method('getUID')->willReturn('NormalUid'); + $this->userSession->method('getUser')->willReturn($user); + $this->groupManager + ->expects($this->once()) + ->method('isAdmin') + ->with('NormalUid') + ->willReturn(false); + $this->authorizedGroupMapper + ->expects($this->once()) + ->method('findAllClassesForUser') + ->with($user) + ->willReturn([]); + $this->globalAuth + ->expects($this->never()) + ->method('saveAuth'); + + $response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password'); + $this->assertSame(403, $response->getStatus()); + $this->assertSame('Permission denied', $response->getData()['message']); + } } diff --git a/apps/files_external/tests/Settings/AdminTest.php b/apps/files_external/tests/Settings/AdminTest.php index fd4a1949760c0..4889f8ea67fc9 100644 --- a/apps/files_external/tests/Settings/AdminTest.php +++ b/apps/files_external/tests/Settings/AdminTest.php @@ -91,4 +91,22 @@ public function testGetSection(): void { public function testGetPriority(): void { $this->assertSame(40, $this->admin->getPriority()); } + + public function testGetName(): void { + $this->l10n->expects($this->once()) + ->method('t') + ->with('External storage') + ->willReturn('External storage'); + + $this->assertSame('External storage', $this->admin->getName()); + } + + public function testGetAuthorizedAppConfig(): void { + $this->assertSame([], $this->admin->getAuthorizedAppConfig()); + } + + public function testImplementsIDelegatedSettings(): void { + $this->assertInstanceOf(\OCP\Settings\IDelegatedSettings::class, $this->admin); + $this->assertInstanceOf(\OCP\Settings\ISettings::class, $this->admin); + } }