nextcloud/settings/ajax/togglegroups.php

<?php
/**
 * @copyright Copyright (c) 2016, ownCloud, Inc.
 *
 * @author Bart Visscher <bartv@thisnet.nl>
 * @author Christopher Schäpers <kondou@ts.unde.re>
 * @author Georg Ehrke <georg@owncloud.com>
 * @author Jakob Sack <mail@jakobsack.de>
 * @author Lukas Reschke <lukas@statuscode.ch>
 * @author Robin Appelman <robin@icewind.nl>
 * @author Thomas Müller <thomas.mueller@tmit.eu>
 *
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 *
 */
OC_JSON::checkSubAdminUser();
OCP\JSON::callCheck();

$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
	$l = \OC::$server->getL10N('core');
	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
	exit();
}

$success = true;
$username = (string)$_POST['username'];
$group = (string)$_POST['group'];

if($username === OC_User::getUser() && $group === "admin" &&  OC_User::isAdminUser($username)) {
	$l = \OC::$server->getL10N('core');
	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Admins can\'t remove themself from the admin group'))));
	exit();
}

$isUserAccessible = false;
$isGroupAccessible = false;
$currentUserObject = \OC::$server->getUserSession()->getUser();
$targetUserObject = \OC::$server->getUserManager()->get($username);
$targetGroupObject = \OC::$server->getGroupManager()->get($group);
if($targetUserObject !== null && $currentUserObject !== null && $targetGroupObject !== null) {
	$isUserAccessible = \OC::$server->getGroupManager()->getSubAdmin()->isUserAccessible($currentUserObject, $targetUserObject);
	$isGroupAccessible = \OC::$server->getGroupManager()->getSubAdmin()->isSubAdminofGroup($currentUserObject, $targetGroupObject);
}

if(!OC_User::isAdminUser(OC_User::getUser())
	&& (!$isUserAccessible
		|| !$isGroupAccessible)) {
	$l = \OC::$server->getL10N('core');
	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
	exit();
}

if(!OC_Group::groupExists($group)) {
	OC_Group::createGroup($group);
}

$l = \OC::$server->getL10N('settings');

$error = $l->t("Unable to add user to group %s", $group);
$action = "add";

// Toggle group
if( OC_Group::inGroup( $username, $group )) {
	$action = "remove";
	$error = $l->t("Unable to remove user from group %s", $group);
	$success = OC_Group::removeFromGroup( $username, $group );
	$usersInGroup=OC_Group::usersInGroup($group);
}
else{
	$success = OC_Group::addToGroup( $username, $group );
}

// Return Success story
if( $success ) {
	OC_JSON::success(array("data" => array( "username" => $username, "action" => $action, "groupname" => $group )));
}
else{
	OC_JSON::error(array("data" => array( "message" => $error )));
}
User manager still not perfect but the aim is reachable! 2011-04-17 13:15:55 +02:00			`<?php`
Update license headers 2015-03-26 11:44:34 +01:00			`/**`
Fix others 2016-07-21 17:07:57 +02:00			`* @copyright Copyright (c) 2016, ownCloud, Inc.`
			`*`
Update license headers 2015-03-26 11:44:34 +01:00			`* @author Bart Visscher <bartv@thisnet.nl>`
			`* @author Christopher Schäpers <kondou@ts.unde.re>`
			`* @author Georg Ehrke <georg@owncloud.com>`
			`* @author Jakob Sack <mail@jakobsack.de>`
Update license headers 2016-05-26 19:56:05 +02:00			`* @author Lukas Reschke <lukas@statuscode.ch>`
Update with robin 2016-07-21 18:13:36 +02:00			`* @author Robin Appelman <robin@icewind.nl>`
Update license headers 2015-03-26 11:44:34 +01:00			`* @author Thomas Müller <thomas.mueller@tmit.eu>`
			`*`
			`* @license AGPL-3.0`
			`*`
			`* This code is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License, version 3,`
			`* as published by the Free Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License, version 3,`
			`* along with this program. If not, see <http://www.gnu.org/licenses/>`
			`*`
			`*/`
fix tooglegroup for subadmins 2012-07-20 15:13:51 +02:00			`OC_JSON::checkSubAdminUser();`
CSRF check in the settings 2012-07-07 15:27:04 +02:00			`OCP\JSON::callCheck();`
User manager still not perfect but the aim is reachable! 2011-04-17 13:15:55 +02:00
Require password confirmation for user management Signed-off-by: Joas Schilling <coding@schilljs.com> 2016-10-25 13:05:13 +02:00			`$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');`
			`if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay`
			`$l = \OC::$server->getL10N('core');`
			`OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));`
			`exit();`
			`}`

User management works good enough for now. Need to do something else ... 2011-04-17 18:05:49 +02:00			`$success = true;`
Manually type-case all AJAX files This enforces proper types on POST and GET arguments where I considered it sensible. I didn't update some as I don't know what kind of values they would support :see_no_evil: Fixes https://github.com/owncloud/core/issues/14196 for core 2015-02-13 13:33:20 +01:00			`$username = (string)$_POST['username'];`
			`$group = (string)$_POST['group'];`
User management works good enough for now. Need to do something else ... 2011-04-17 18:05:49 +02:00
Use !== and === in settings. 2013-04-17 15:32:03 +02:00			`if($username === OC_User::getUser() && $group === "admin" && OC_User::isAdminUser($username)) {`
Use public api for getting l10n 2014-08-31 10:05:59 +02:00			`$l = \OC::$server->getL10N('core');`
make some checks server-side 2012-11-28 17:57:31 +01:00			`OC_JSON::error(array( 'data' => array( 'message' => $l->t('Admins can\'t remove themself from the admin group'))));`
			`exit();`
			`}`

Drop OC_SubAdmin and replace usages 2015-10-27 14:09:45 +01:00			`$isUserAccessible = false;`
			`$isGroupAccessible = false;`
			`$currentUserObject = \OC::$server->getUserSession()->getUser();`
			`$targetUserObject = \OC::$server->getUserManager()->get($username);`
			`$targetGroupObject = \OC::$server->getGroupManager()->get($group);`
			`if($targetUserObject !== null && $currentUserObject !== null && $targetGroupObject !== null) {`
			`$isUserAccessible = \OC::$server->getGroupManager()->getSubAdmin()->isUserAccessible($currentUserObject, $targetUserObject);`
			`$isGroupAccessible = \OC::$server->getGroupManager()->getSubAdmin()->isSubAdminofGroup($currentUserObject, $targetGroupObject);`
			`}`

Style cleanup settings 2013-02-14 23:29:51 +01:00			`if(!OC_User::isAdminUser(OC_User::getUser())`
Drop OC_SubAdmin and replace usages 2015-10-27 14:09:45 +01:00			`&& (!$isUserAccessible`
			`\|\| !$isGroupAccessible)) {`
Use public api for getting l10n 2014-08-31 10:05:59 +02:00			`$l = \OC::$server->getL10N('core');`
fix tooglegroup for subadmins 2012-07-20 15:13:51 +02:00			`OC_JSON::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));`
			`exit();`
			`}`

Update settings/ajax/togglegroups.php respect coding style 2012-09-04 11:58:07 +02:00			`if(!OC_Group::groupExists($group)) {`
work on user management 2011-08-10 20:51:35 +02:00			`OC_Group::createGroup($group);`
			`}`

Use public api for getting l10n 2014-08-31 10:05:59 +02:00			`$l = \OC::$server->getL10N('settings');`
Adding missing translation 2012-09-04 20:47:15 +02:00
			`$error = $l->t("Unable to add user to group %s", $group);`
			`$action = "add";`

User management works good enough for now. Need to do something else ... 2011-04-17 18:05:49 +02:00			`// Toggle group`
Update settings/ajax/togglegroups.php respect coding style 2012-09-04 11:58:07 +02:00			`if( OC_Group::inGroup( $username, $group )) {`
More error checking in user management 2011-04-18 12:39:28 +02:00			`$action = "remove";`
Spaces to tabs 2013-01-14 20:30:28 +01:00			`$error = $l->t("Unable to remove user from group %s", $group);`
			`$success = OC_Group::removeFromGroup( $username, $group );`
remove groups if there are no users in them 2011-08-11 10:12:03 +02:00			`$usersInGroup=OC_Group::usersInGroup($group);`
User management works good enough for now. Need to do something else ... 2011-04-17 18:05:49 +02:00			`}`
			`else{`
Renaming classes :-) 2011-07-29 21:36:03 +02:00			`$success = OC_Group::addToGroup( $username, $group );`
User management works good enough for now. Need to do something else ... 2011-04-17 18:05:49 +02:00			`}`
User manager still not perfect but the aim is reachable! 2011-04-17 13:15:55 +02:00
			`// Return Success story`
Update settings/ajax/togglegroups.php respect coding style 2012-09-04 11:58:07 +02:00			`if( $success ) {`
Use OC_JSON for json responses Create OC_JSON class, for single point of creating json responses. No real logic change, this just cleans up the code a bit. 2011-09-23 22:22:59 +02:00			`OC_JSON::success(array("data" => array( "username" => $username, "action" => $action, "groupname" => $group )));`
User manager still not perfect but the aim is reachable! 2011-04-17 13:15:55 +02:00			`}`
			`else{`
Adding missing translation 2012-09-04 20:47:15 +02:00			`OC_JSON::error(array("data" => array( "message" => $error )));`
User manager still not perfect but the aim is reachable! 2011-04-17 13:15:55 +02:00			`}`