Check if user has permission to create such a tag

Fixes https://github.com/owncloud/core/issues/22512

apps/dav/lib/server.php

@@ -93,7 +93,11 @@ class Server {
 		$this->server->addPlugin(new \OCA\DAV\CardDAV\Plugin());
 
 		// system tags plugins
-		$this->server->addPlugin(new \OCA\DAV\SystemTag\SystemTagPlugin(\OC::$server->getSystemTagManager()));
+		$this->server->addPlugin(new \OCA\DAV\SystemTag\SystemTagPlugin(
+			\OC::$server->getSystemTagManager(),
+			\OC::$server->getGroupManager(),
+			\OC::$server->getUserSession()
+		));
 
 		// comments plugin
 		$this->server->addPlugin(new \OCA\DAV\Comments\CommentsPlugin(

apps/dav/lib/systemtag/systemtagnode.php

@@ -103,6 +103,7 @@ class SystemTagNode implements \Sabre\DAV\INode {
 	 * @param bool $userVisible user visible
 	 * @param bool $userAssignable user assignable
 	 * @throws NotFound whenever the given tag id does not exist
+	 * @throws Forbidden whenever there is no permission to update said tag
 	 * @throws Conflict whenever a tag already exists with the given attributes
 	 */
 	public function update($name, $userVisible, $userAssignable) {

apps/dav/lib/systemtag/systemtagplugin.php

@@ -21,6 +21,8 @@
  */
 namespace OCA\DAV\SystemTag;
 
+use OCP\IGroupManager;
+use OCP\IUserSession;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\PropFind;
 use Sabre\DAV\PropPatch;
@@ -61,12 +63,26 @@ class SystemTagPlugin extends \Sabre\DAV\ServerPlugin {
 	protected $tagManager;
 
 	/**
-	 * System tags plugin
-	 *
+	 * @var IUserSession
+	 */
+	protected $userSession;
+
+	/**
+	 * @var IGroupManager
+	 */
+	protected $groupManager;
+
+	/**
 	 * @param ISystemTagManager $tagManager tag manager
+	 * @param IGroupManager $groupManager
+	 * @param IUserSession $userSession
 	 */
-	public function __construct(ISystemTagManager $tagManager) {
+	public function __construct(ISystemTagManager $tagManager,
+								IGroupManager $groupManager,
+								IUserSession $userSession) {
 		$this->tagManager = $tagManager;
+		$this->userSession = $userSession;
+		$this->groupManager = $groupManager;
 	}
 
 	/**
@@ -163,6 +179,13 @@ class SystemTagPlugin extends \Sabre\DAV\ServerPlugin {
 		if (isset($data['userAssignable'])) {
 			$userAssignable = (bool)$data['userAssignable'];
 		}
+
+		if($userVisible === false || $userAssignable === false) {
+			if(!$this->userSession->isLoggedIn() || !$this->groupManager->isAdmin($this->userSession->getUser()->getUID())) {
+				throw new BadRequest('Not sufficient permissions');
+			}
+		}
+
 		try {
 			return $this->tagManager->createTag($tagName, $userVisible, $userAssignable);
 		} catch (TagAlreadyExistsException $e) {

apps/dav/tests/unit/systemtag/systemtagplugin.php

@@ -22,6 +22,8 @@
 namespace OCA\DAV\Tests\Unit\SystemTag;
 
 use OC\SystemTag\SystemTag;
+use OCP\IGroupManager;
+use OCP\IUserSession;
 use OCP\SystemTag\TagAlreadyExistsException;
 
 class SystemTagPlugin extends \Test\TestCase {
@@ -46,6 +48,16 @@ class SystemTagPlugin extends \Test\TestCase {
 	 */
 	private $tagManager;
 
+	/**
+	 * @var IGroupManager
+	 */
+	private $groupManager;
+
+	/**
+	 * @var IUserSession
+	 */
+	private $userSession;
+
 	/**
 	 * @var \OCA\DAV\SystemTag\SystemTagPlugin
 	 */
@@ -60,8 +72,14 @@ class SystemTagPlugin extends \Test\TestCase {
 		$this->server = new \Sabre\DAV\Server($this->tree);
 
 		$this->tagManager = $this->getMock('\OCP\SystemTag\ISystemTagManager');
+		$this->groupManager = $this->getMock('\OCP\IGroupManager');
+		$this->userSession = $this->getMock('\OCP\IUserSession');
 
-		$this->plugin = new \OCA\DAV\SystemTag\SystemTagPlugin($this->tagManager);
+		$this->plugin = new \OCA\DAV\SystemTag\SystemTagPlugin(
+			$this->tagManager,
+			$this->groupManager,
+			$this->userSession
+		);
 		$this->plugin->initialize($this->server);
 	}
 
@@ -153,7 +171,204 @@ class SystemTagPlugin extends \Test\TestCase {
 		$this->assertEquals(200, $result[self::USERVISIBLE_PROPERTYNAME]);
 	}
 
+	/**
+	 * @expectedException \Sabre\DAV\Exception\BadRequest
+	 * @expectedExceptionMessage Not sufficient permissions
+	 */
+	public function testCreateNotAssignableTagAsRegularUser() {
+		$user = $this->getMock('\OCP\IUser');
+		$user->expects($this->once())
+			->method('getUID')
+			->willReturn('admin');
+		$this->userSession
+			->expects($this->once())
+			->method('isLoggedIn')
+			->willReturn(true);
+		$this->userSession
+			->expects($this->once())
+			->method('getUser')
+			->willReturn($user);
+		$this->groupManager
+			->expects($this->once())
+			->method('isAdmin')
+			->with('admin')
+			->willReturn(false);
+
+		$requestData = json_encode([
+			'name' => 'Test',
+			'userVisible' => true,
+			'userAssignable' => false,
+		]);
+
+		$node = $this->getMockBuilder('\OCA\DAV\SystemTag\SystemTagsByIdCollection')
+			->disableOriginalConstructor()
+			->getMock();
+		$this->tagManager->expects($this->never())
+			->method('createTag');
+
+		$this->tree->expects($this->any())
+			->method('getNodeForPath')
+			->with('/systemtags')
+			->will($this->returnValue($node));
+
+		$request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
+			->disableOriginalConstructor()
+			->getMock();
+		$response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface')
+			->disableOriginalConstructor()
+			->getMock();
+
+		$request->expects($this->once())
+			->method('getPath')
+			->will($this->returnValue('/systemtags'));
+
+		$request->expects($this->once())
+			->method('getBodyAsString')
+			->will($this->returnValue($requestData));
+
+		$request->expects($this->once())
+			->method('getHeader')
+			->with('Content-Type')
+			->will($this->returnValue('application/json'));
+
+		$this->plugin->httpPost($request, $response);
+	}
+
+	/**
+	 * @expectedException \Sabre\DAV\Exception\BadRequest
+	 * @expectedExceptionMessage Not sufficient permissions
+	 */
+	public function testCreateInvisibleTagAsRegularUser() {
+		$user = $this->getMock('\OCP\IUser');
+		$user->expects($this->once())
+			->method('getUID')
+			->willReturn('admin');
+		$this->userSession
+			->expects($this->once())
+			->method('isLoggedIn')
+			->willReturn(true);
+		$this->userSession
+			->expects($this->once())
+			->method('getUser')
+			->willReturn($user);
+		$this->groupManager
+			->expects($this->once())
+			->method('isAdmin')
+			->with('admin')
+			->willReturn(false);
+
+		$requestData = json_encode([
+			'name' => 'Test',
+			'userVisible' => false,
+			'userAssignable' => true,
+		]);
+
+		$node = $this->getMockBuilder('\OCA\DAV\SystemTag\SystemTagsByIdCollection')
+			->disableOriginalConstructor()
+			->getMock();
+		$this->tagManager->expects($this->never())
+			->method('createTag');
+
+		$this->tree->expects($this->any())
+			->method('getNodeForPath')
+			->with('/systemtags')
+			->will($this->returnValue($node));
+
+		$request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
+			->disableOriginalConstructor()
+			->getMock();
+		$response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface')
+			->disableOriginalConstructor()
+			->getMock();
+
+		$request->expects($this->once())
+			->method('getPath')
+			->will($this->returnValue('/systemtags'));
+
+		$request->expects($this->once())
+			->method('getBodyAsString')
+			->will($this->returnValue($requestData));
+
+		$request->expects($this->once())
+			->method('getHeader')
+			->with('Content-Type')
+			->will($this->returnValue('application/json'));
+
+		$this->plugin->httpPost($request, $response);
+	}
+
+	public function testCreateTagInByIdCollectionAsRegularUser() {
+		$systemTag = new SystemTag(1, 'Test', true, false);
+
+		$requestData = json_encode([
+			'name' => 'Test',
+			'userVisible' => true,
+			'userAssignable' => true,
+		]);
+
+		$node = $this->getMockBuilder('\OCA\DAV\SystemTag\SystemTagsByIdCollection')
+			->disableOriginalConstructor()
+			->getMock();
+		$this->tagManager->expects($this->once())
+			->method('createTag')
+			->with('Test', true, true)
+			->will($this->returnValue($systemTag));
+
+		$this->tree->expects($this->any())
+			->method('getNodeForPath')
+			->with('/systemtags')
+			->will($this->returnValue($node));
+
+		$request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
+			->disableOriginalConstructor()
+			->getMock();
+		$response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface')
+			->disableOriginalConstructor()
+			->getMock();
+
+		$request->expects($this->once())
+			->method('getPath')
+			->will($this->returnValue('/systemtags'));
+
+		$request->expects($this->once())
+			->method('getBodyAsString')
+			->will($this->returnValue($requestData));
+
+		$request->expects($this->once())
+			->method('getHeader')
+			->with('Content-Type')
+			->will($this->returnValue('application/json'));
+
+		$request->expects($this->once())
+			->method('getUrl')
+			->will($this->returnValue('http://example.com/dav/systemtags'));
+
+		$response->expects($this->once())
+			->method('setHeader')
+			->with('Content-Location', 'http://example.com/dav/systemtags/1');
+
+		$this->plugin->httpPost($request, $response);
+	}
+
 	public function testCreateTagInByIdCollection() {
+		$user = $this->getMock('\OCP\IUser');
+		$user->expects($this->once())
+			->method('getUID')
+			->willReturn('admin');
+		$this->userSession
+			->expects($this->once())
+			->method('isLoggedIn')
+			->willReturn(true);
+		$this->userSession
+			->expects($this->once())
+			->method('getUser')
+			->willReturn($user);
+		$this->groupManager
+			->expects($this->once())
+			->method('isAdmin')
+			->with('admin')
+			->willReturn(true);
+
 		$systemTag = new SystemTag(1, 'Test', true, false);
 
 		$requestData = json_encode([
@@ -214,6 +429,24 @@ class SystemTagPlugin extends \Test\TestCase {
 	}
 
 	public function testCreateTagInMappingCollection() {
+		$user = $this->getMock('\OCP\IUser');
+		$user->expects($this->once())
+			->method('getUID')
+			->willReturn('admin');
+		$this->userSession
+			->expects($this->once())
+			->method('isLoggedIn')
+			->willReturn(true);
+		$this->userSession
+			->expects($this->once())
+			->method('getUser')
+			->willReturn($user);
+		$this->groupManager
+			->expects($this->once())
+			->method('isAdmin')
+			->with('admin')
+			->willReturn(true);
+
 		$systemTag = new SystemTag(1, 'Test', true, false);
 
 		$requestData = json_encode([
@@ -307,9 +540,27 @@ class SystemTagPlugin extends \Test\TestCase {
 
 	/**
 	 * @dataProvider nodeClassProvider
-	 * @expectedException Sabre\DAV\Exception\Conflict
+	 * @expectedException \Sabre\DAV\Exception\Conflict
 	 */
 	public function testCreateTagConflict($nodeClass) {
+		$user = $this->getMock('\OCP\IUser');
+		$user->expects($this->once())
+			->method('getUID')
+			->willReturn('admin');
+		$this->userSession
+			->expects($this->once())
+			->method('isLoggedIn')
+			->willReturn(true);
+		$this->userSession
+			->expects($this->once())
+			->method('getUser')
+			->willReturn($user);
+		$this->groupManager
+			->expects($this->once())
+			->method('isAdmin')
+			->with('admin')
+			->willReturn(true);
+
 		$requestData = json_encode([
 			'name' => 'Test',
 			'userVisible' => true,