From 81e775f7102a50ff85513ff8d62fdd0a43c78690 Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Wed, 11 Jan 2023 15:34:07 +0100 Subject: [PATCH] Only expose storage location to admins MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Vincent Petry --- .../lib/Controller/AUserData.php | 21 +++++++++++-------- .../tests/Controller/UsersControllerTest.php | 12 ++++------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/apps/provisioning_api/lib/Controller/AUserData.php b/apps/provisioning_api/lib/Controller/AUserData.php index d0fce7e532d..48f2d79734e 100644 --- a/apps/provisioning_api/lib/Controller/AUserData.php +++ b/apps/provisioning_api/lib/Controller/AUserData.php @@ -104,6 +104,7 @@ abstract class AUserData extends OCSController { */ protected function getUserData(string $userId, bool $includeScopes = false): array { $currentLoggedInUser = $this->userSession->getUser(); + assert($currentLoggedInUser !== null, 'No user logged in'); $data = []; @@ -113,8 +114,8 @@ abstract class AUserData extends OCSController { throw new OCSNotFoundException('User does not exist'); } - // Should be at least Admin Or SubAdmin! - if ($this->groupManager->isAdmin($currentLoggedInUser->getUID()) + $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()); + if ($isAdmin || $this->groupManager->getSubAdmin()->isUserAccessible($currentLoggedInUser, $targetUserObject)) { $data['enabled'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'enabled', 'true') === 'true'; } else { @@ -132,13 +133,15 @@ abstract class AUserData extends OCSController { $gids[] = $group->getGID(); } - try { - # might be thrown by LDAP due to handling of users disappears - # from the external source (reasons unknown to us) - # cf. https://github.com/nextcloud/server/issues/12991 - $data['storageLocation'] = $targetUserObject->getHome(); - } catch (NoUserException $e) { - throw new OCSNotFoundException($e->getMessage(), $e); + if ($isAdmin) { + try { + # might be thrown by LDAP due to handling of users disappears + # from the external source (reasons unknown to us) + # cf. https://github.com/nextcloud/server/issues/12991 + $data['storageLocation'] = $targetUserObject->getHome(); + } catch (NoUserException $e) { + throw new OCSNotFoundException($e->getMessage(), $e); + } } // Find the data diff --git a/apps/provisioning_api/tests/Controller/UsersControllerTest.php b/apps/provisioning_api/tests/Controller/UsersControllerTest.php index 09a7eeb1a11..5b2a5857f21 100644 --- a/apps/provisioning_api/tests/Controller/UsersControllerTest.php +++ b/apps/provisioning_api/tests/Controller/UsersControllerTest.php @@ -1163,9 +1163,8 @@ class UsersControllerTest extends TestCase { ->method('getDisplayName') ->willReturn('Demo User'); $targetUser - ->expects($this->once()) - ->method('getHome') - ->willReturn('/var/www/newtcloud/data/UID'); + ->expects($this->never()) + ->method('getHome'); $targetUser ->expects($this->once()) ->method('getLastLogin') @@ -1203,7 +1202,6 @@ class UsersControllerTest extends TestCase { $expected = [ 'id' => 'UID', 'enabled' => true, - 'storageLocation' => '/var/www/newtcloud/data/UID', 'lastLogin' => 1521191471000, 'backend' => 'Database', 'subadmin' => [], @@ -1345,9 +1343,8 @@ class UsersControllerTest extends TestCase { ->method('getUID') ->willReturn('UID'); $targetUser - ->expects($this->once()) - ->method('getHome') - ->willReturn('/var/www/newtcloud/data/UID'); + ->expects($this->never()) + ->method('getHome'); $targetUser ->expects($this->once()) ->method('getLastLogin') @@ -1380,7 +1377,6 @@ class UsersControllerTest extends TestCase { $expected = [ 'id' => 'UID', - 'storageLocation' => '/var/www/newtcloud/data/UID', 'lastLogin' => 1521191471000, 'backend' => 'Database', 'subadmin' => [], -- 2.39.5