Only expose storage location to admins 36306/head
authorVincent Petry <vincent@nextcloud.com>
Wed, 11 Jan 2023 14:34:07 +0000 (15:34 +0100)
committerbackportbot-nextcloud[bot] <backportbot-nextcloud[bot]@users.noreply.github.com>
Mon, 23 Jan 2023 15:52:14 +0000 (15:52 +0000)
Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
apps/provisioning_api/lib/Controller/AUserData.php
apps/provisioning_api/tests/Controller/UsersControllerTest.php

index d0fce7e532d1527bef0e9bae3fac680b5878c5f7..48f2d79734eff159b9da65f39c13efdfec07ece2 100644 (file)
@@ -104,6 +104,7 @@ abstract class AUserData extends OCSController {
         */
        protected function getUserData(string $userId, bool $includeScopes = false): array {
                $currentLoggedInUser = $this->userSession->getUser();
+               assert($currentLoggedInUser !== null, 'No user logged in');
 
                $data = [];
 
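Review bot: The added `assert($currentLoggedInUser !== null, 'No user logged in');` is not a dependable guard, because PHP skips assertions entirely when `zend.assertions` is set to its production value. In that case the `$currentLoggedInUser->getUID()` call used for the admin check in the next hunk would fail with a generic error on a null user. Since the rest of the method decides what to disclose based on this user, an explicit check is safer: `if ($currentLoggedInUser === null) { throw new OCSException('No user logged in'); }` (the class needs importing if the file does not already use it). getUserData's body continues outside the hunk.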
@@ -113,8 +114,8 @@ abstract class AUserData extends OCSController {
                        throw new OCSNotFoundException('User does not exist');
                }
 
-               // Should be at least Admin Or SubAdmin!
-               if ($this->groupManager->isAdmin($currentLoggedInUser->getUID())
+               $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());
+               if ($isAdmin
                        || $this->groupManager->getSubAdmin()->isUserAccessible($currentLoggedInUser, $targetUserObject)) {
                        $data['enabled'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'enabled', 'true') === 'true';
                } else {
@@ -132,13 +133,15 @@ abstract class AUserData extends OCSController {
                        $gids[] = $group->getGID();
                }
 
-               try {
-                       # might be thrown by LDAP due to handling of users disappears
-                       # from the external source (reasons unknown to us)
-                       # cf. https://github.com/nextcloud/server/issues/12991
-                       $data['storageLocation'] = $targetUserObject->getHome();
-               } catch (NoUserException $e) {
-                       throw new OCSNotFoundException($e->getMessage(), $e);
+               if ($isAdmin) {
+                       try {
+                               # might be thrown by LDAP due to handling of users disappears
+                               # from the external source (reasons unknown to us)
+                               # cf. https://github.com/nextcloud/server/issues/12991
+                               $data['storageLocation'] = $targetUserObject->getHome();
+                       } catch (NoUserException $e) {
+                               throw new OCSNotFoundException($e->getMessage(), $e);
+                       }
                }
 
                // Find the data
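Review bot: The new `if ($isAdmin)` gate has no comment saying why `storageLocation` is restricted, and the earlier `// Should be at least Admin Or SubAdmin!` remark was dropped in the previous hunk, so a later reader cannot tell that sub-admins are excluded on purpose. I would add above the `if`: `// The home path reveals the server's data directory layout, so only full admins receive it (sub-admins and regular users do not).` The key is also now omitted rather than set to a placeholder, so any consumer that reads `storageLocation` unconditionally has to tolerate its absence; those callers are not visible here. The enclosing method starts and ends outside the hunk.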
index 09a7eeb1a115c4626df5b65c7b671eb18287813d..5b2a5857f212fd2d011e19b2afa19ae1ca893af6 100644 (file)
@@ -1163,9 +1163,8 @@ class UsersControllerTest extends TestCase {
                        ->method('getDisplayName')
                        ->willReturn('Demo User');
                $targetUser
-                       ->expects($this->once())
-                       ->method('getHome')
-                       ->willReturn('/var/www/newtcloud/data/UID');
+                       ->expects($this->never())
+                       ->method('getHome');
                $targetUser
                        ->expects($this->once())
                        ->method('getLastLogin')
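Review bot: Both rewritten expectations (here and in the hunk at line 1345) pin only the negative case with `->expects($this->never())->method('getHome')`; nothing in this diff shows a test where the caller is an admin and `storageLocation` is still returned. If no existing admin test outside the diff covers that, a later change that hides the field from admins too would pass unnoticed. It is worth confirming that such a test asserts the key is present. The enclosing test methods start outside the hunks, so the caller role each one models is inferred from the change rather than visible.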
@@ -1203,7 +1202,6 @@ class UsersControllerTest extends TestCase {
                $expected = [
                        'id' => 'UID',
                        'enabled' => true,
-                       'storageLocation' => '/var/www/newtcloud/data/UID',
                        'lastLogin' => 1521191471000,
                        'backend' => 'Database',
                        'subadmin' => [],
@@ -1345,9 +1343,8 @@ class UsersControllerTest extends TestCase {
                        ->method('getUID')
                        ->willReturn('UID');
                $targetUser
-                       ->expects($this->once())
-                       ->method('getHome')
-                       ->willReturn('/var/www/newtcloud/data/UID');
+                       ->expects($this->never())
+                       ->method('getHome');
                $targetUser
                        ->expects($this->once())
                        ->method('getLastLogin')
@@ -1380,7 +1377,6 @@ class UsersControllerTest extends TestCase {
 
                $expected = [
                        'id' => 'UID',
-                       'storageLocation' => '/var/www/newtcloud/data/UID',
                        'lastLogin' => 1521191471000,
                        'backend' => 'Database',
                        'subadmin' => [],