authorFerdinand Thiessen <opensource@fthiessen.de>2025-02-05 23:46:28 +0100
committerFerdinand Thiessen <opensource@fthiessen.de>2025-02-06 11:58:24 +0100
commit2a0f81da53149ebd57f14cf1d697aded1481ef24 (patch)
tree1a985d7d860148e677b576fb2f471a8382f02f4d
parent729cdf6818198e9ca68f6e4f51b90ae62c8567e7 (diff)
fix(provisioning_api): Correct limit for `editUser`
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
-rw-r--r--apps/provisioning_api/lib/Controller/UsersController.php2
-rw-r--r--apps/settings/lib/Controller/UsersController.php2
-rw-r--r--build/integration/features/bootstrap/BasicStructure.php6
-rw-r--r--build/integration/features/bootstrap/FeatureContext.php7
-rw-r--r--build/integration/features/provisioning-v1.feature7
5 files changed, 22 insertions, 2 deletions
diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php
index 301ee47c0a6..69bd5548d68 100644
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@@ -894,7 +894,7 @@ class UsersController extends AUserDataOCSController {
*/
#[PasswordConfirmationRequired]
#[NoAdminRequired]
- #[UserRateLimit(limit: 50, period: 60)]
+ #[UserRateLimit(limit: 50, period: 600)]
public function editUser(string $userId, string $key, string $value): DataResponse {
$currentLoggedInUser = $this->userSession->getUser();
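Review bot: The new `period: 600` carries no explanation at the attribute, and the commit message only says the limit is "corrected", so a reader of this line cannot tell whether 50 edits per 10 minutes was the intended budget or a typo in the other direction. A one-line comment above the attribute would settle it, e.g. `// Per-user rate limit: 50 edits per 10 minutes (checked by the UserRateLimit middleware)`. The same commit adds `#[UserRateLimit(limit: 5, period: 60)]` to `setUserSettings` in apps/settings; if both endpoints guard the same account attributes, a short note on why the budgets differ (admin provisioning vs. self-service, presumably) would help the next person tuning them. The docblock of `editUser` closes on the first line of the hunk and its body continues past the last, so whether the rate-limited response is documented there is outside my view.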
diff --git a/apps/settings/lib/Controller/UsersController.php b/apps/settings/lib/Controller/UsersController.php
index 5af16878e8e..13f1f9249bc 100644
--- a/apps/settings/lib/Controller/UsersController.php
+++ b/apps/settings/lib/Controller/UsersController.php
@@ -32,6 +32,7 @@ use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\OpenAPI;
use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\TemplateResponse;
@@ -314,6 +315,7 @@ class UsersController extends Controller {
*/
#[NoAdminRequired]
#[PasswordConfirmationRequired]
+ #[UserRateLimit(limit: 5, period: 60)]
public function setUserSettings(?string $avatarScope = null,
?string $displayname = null,
?string $displaynameScope = null,
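Review bot: The added `#[UserRateLimit(limit: 5, period: 60)]` on `setUserSettings` is undocumented, and its budget is an order of magnitude tighter than the `limit: 50, period: 600` this commit sets on the provisioning `editUser`; it is not visible from the hunk whether one settings-page save is a single request or one request per field, which decides whether 5 per minute is comfortable or will be hit by a normal user editing several fields. I would add `// Self-service profile edits: 5 requests per minute per user` above the attribute and, if the docblock (it closes on the first line of this hunk) lists responses, mention the rate-limited outcome there. The first hunk of this file only adds the `UserRateLimit` import and needs nothing. The signature of `setUserSettings` continues past the end of the hunk.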
diff --git a/build/integration/features/bootstrap/BasicStructure.php b/build/integration/features/bootstrap/BasicStructure.php
index 60926e65f5c..57d18757212 100644
--- a/build/integration/features/bootstrap/BasicStructure.php
+++ b/build/integration/features/bootstrap/BasicStructure.php
@@ -121,7 +121,11 @@ trait BasicStructure {
* @return string
*/
public function getOCSResponse($response) {
- return simplexml_load_string($response->getBody())->meta[0]->statuscode;
+ $body = simplexml_load_string((string)$response->getBody());
+ if ($body === false) {
+ throw new \RuntimeException('Could not parse OCS response, body is not valid XML');
+ }
+ return $body->meta[0]->statuscode;
}
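Review bot: The new guard only catches non-XML bodies; a well-formed XML document without a `meta` element (any non-OCS XML error page) still reaches `$body->meta[0]->statuscode`, which yields `null` with a warning rather than a clear failure. Widening the condition covers both: `if ($body === false || !isset($body->meta[0]->statuscode)) {`. Two smaller points: the docblock above says `@return string` but the method returns a `SimpleXMLElement`, so `return (string)$body->meta[0]->statuscode;` would make the contract true (assertions comparing with `==`/`assertEquals` behave the same; check any `assertSame` callers first), and `simplexml_load_string` emits an `E_WARNING` before returning `false`, so if the suite converts warnings to errors the new exception is never reached — `libxml_use_internal_errors(true)` around the call avoids that.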
/**
diff --git a/build/integration/features/bootstrap/FeatureContext.php b/build/integration/features/bootstrap/FeatureContext.php
index 59f1d0068dd..c91c5e7cfa3 100644
--- a/build/integration/features/bootstrap/FeatureContext.php
+++ b/build/integration/features/bootstrap/FeatureContext.php
@@ -13,9 +13,16 @@ require __DIR__ . '/../../vendor/autoload.php';
* Features context.
*/
class FeatureContext implements Context, SnippetAcceptingContext {
+ use AppConfiguration;
use ContactsMenu;
use ExternalStorage;
use Search;
use WebDav;
use Trashbin;
+
+ protected function resetAppConfigs(): void {
+ $this->deleteServerConfig('bruteForce', 'whitelist_0');
+ $this->deleteServerConfig('bruteForce', 'whitelist_1');
+ $this->deleteServerConfig('bruteforcesettings', 'apply_allowlist_to_ratelimit');
+ }
}
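Review bot: `resetAppConfigs` has no docblock, and nothing at the call site tells a reader that these three deletions undo the Background steps this commit adds to provisioning-v1.feature, which allow-list 127.0.0.1 and ::1 for brute-force protection and extend that allow-list to rate limiting; the cleanup matters because an instance left with those keys set has its protection disabled for loopback clients. I would add a docblock along the lines of "Removes the bruteForce allow-list and the apply_allowlist_to_ratelimit override set by the integration feature backgrounds, so the test instance does not keep rate limiting disabled after the suite", and the three app/key pairs are the only place the names are repeated, so documenting them here keeps the two files in sync. The `resetAppConfigs` name and `deleteServerConfig` helper presumably come from the newly used `AppConfiguration` trait, which is outside the hunk — confirm the trait declares it abstract so a missing implementation fails loudly.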
diff --git a/build/integration/features/provisioning-v1.feature b/build/integration/features/provisioning-v1.feature
index 12498bedd7f..32dfebb5c7d 100644
--- a/build/integration/features/provisioning-v1.feature
+++ b/build/integration/features/provisioning-v1.feature
@@ -4,6 +4,9 @@
Feature: provisioning
Background:
Given using api version "1"
+ Given parameter "whitelist_0" of app "bruteForce" is set to "127.0.0.1"
+ Given parameter "whitelist_1" of app "bruteForce" is set to "::1"
+ Given parameter "apply_allowlist_to_ratelimit" of app "bruteforcesettings" is set to "true"
Scenario: Getting an not existing user
Given As an "admin"
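Review bot: The three added Background steps each start with `Given` after an existing `Given`; Gherkin convention is `And` for the follow-on steps, e.g. `And parameter "whitelist_0" of app "bruteForce" is set to "127.0.0.1"`, which also makes it visually clear they form one precondition. Because the Background applies to every scenario in this file, the allow-list plus `apply_allowlist_to_ratelimit` turns off rate limiting for the test client throughout, so the `UserRateLimit` change on `editUser` in this same commit is never exercised by the suite; a scenario that runs without the allow-list and checks the limited response would cover it, though the exact status the middleware returns is not visible on this page. These keys are cleaned up by `resetAppConfigs` in FeatureContext.php, which is worth mentioning in a comment next to the steps.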
@@ -604,6 +607,7 @@ Feature: provisioning
| settings |
| sharebymail |
| systemtags |
+ | testing |
| theming |
| twofactor_backupcodes |
| updatenotification |
@@ -629,6 +633,7 @@ Feature: provisioning
And the HTTP status code should be "200"
Scenario: enable an app
+ Given invoking occ with "app:disable testing"
Given As an "admin"
And app "testing" is disabled
When sending "POST" to "/cloud/apps/testing"
@@ -643,12 +648,14 @@ Feature: provisioning
And the HTTP status code should be "200"
Scenario: disable an app
+ Given invoking occ with "app:enable testing"
Given As an "admin"
And app "testing" is enabled
When sending "DELETE" to "/cloud/apps/testing"
Then the OCS status code should be "100"
And the HTTP status code should be "200"
And app "testing" is disabled
+ Given invoking occ with "app:enable testing"
Scenario: disable an user
Given As an "admin"