Merge pull request #31102 from nextcloud/backport/30926/stable23

[stable23] Allow sub-admins to access delegated settings.

1 files changed, 11 insertions, 14 deletions

diff --git a/lib/private/Settings/Manager.php b/lib/private/Settings/Manager.php
index ebda3fe021d..84fbf9426b0 100644
--- a/lib/private/Settings/Manager.php
+++ b/lib/private/Settings/Manager.php
@@ -335,23 +335,20 @@ class Manager implements IManager {
 
 	public function getAllowedAdminSettings(string $section, IUser $user): array {
 		$isAdmin = $this->groupManager->isAdmin($user->getUID());
-		$isSubAdmin = $this->subAdmin->isSubAdmin($user);
-		$subAdminOnly = !$isAdmin && $isSubAdmin;
-
-		if ($subAdminOnly) {
-			// not an admin => look if the user is still authorized to access some
-			// settings
-			$subAdminSettingsFilter = function (ISettings $settings) {
-				return $settings instanceof ISubAdminSettings;
-			};
-			$appSettings = $this->getSettings('admin', $section, $subAdminSettingsFilter);
-		} elseif ($isAdmin) {
+		if ($isAdmin) {
 			$appSettings = $this->getSettings('admin', $section);
 		} else {
 			$authorizedSettingsClasses = $this->mapper->findAllClassesForUser($user);
-			$authorizedGroupFilter = function (ISettings $settings) use ($authorizedSettingsClasses) {
-				return in_array(get_class($settings), $authorizedSettingsClasses) === true;
-			};
+			if ($this->subAdmin->isSubAdmin($user)) {
+				$authorizedGroupFilter = function (ISettings $settings) use ($authorizedSettingsClasses) {
+					return $settings instanceof ISubAdminSettings
+						|| in_array(get_class($settings), $authorizedSettingsClasses) === true;
+				};
+			} else {
+				$authorizedGroupFilter = function (ISettings $settings) use ($authorizedSettingsClasses) {
+					return in_array(get_class($settings), $authorizedSettingsClasses) === true;
+				};
+			}
 			$appSettings = $this->getSettings('admin', $section, $authorizedGroupFilter);
 		}