diff options
| author | Joas Schilling <coding@schilljs.com> | 2021-04-21 08:58:35 +0200 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2021-05-12 08:16:07 +0200 |
| commit | b6c6527705695a343b055f89bdde5ec497914ff1 (patch) | |
| tree | b52adc3a0b203add9a971cd1e2bf0ef9666af23a /apps/provisioning_api/lib | |
| parent | 0599a8060ceb6518bb3981c88fc14f215d80f562 (diff) | |
| download | nextcloud-server-b6c6527705695a343b055f89bdde5ec497914ff1.tar.gz nextcloud-server-b6c6527705695a343b055f89bdde5ec497914ff1.zip | |
Fix unauthorized OCS status in provisioning
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps/provisioning_api/lib')
3 files changed, 24 insertions, 16 deletions
diff --git a/apps/provisioning_api/lib/Controller/GroupsController.php b/apps/provisioning_api/lib/Controller/GroupsController.php index b031c405046..e9b74a2723f 100644 --- a/apps/provisioning_api/lib/Controller/GroupsController.php +++ b/apps/provisioning_api/lib/Controller/GroupsController.php @@ -225,7 +225,7 @@ class GroupsController extends AUserData { return new DataResponse(['users' => $usersDetails]); } - throw new OCSException('User does not have access to specified group', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('The requested group could not be found', OCSController::RESPOND_NOT_FOUND); } /** @@ -271,7 +271,7 @@ class GroupsController extends AUserData { throw new OCSException('Not supported by backend', 101); } else { - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_UNKNOWN_ERROR); } } diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php index 115b955354b..0bc9f25eeb1 100644 --- a/apps/provisioning_api/lib/Controller/UsersController.php +++ b/apps/provisioning_api/lib/Controller/UsersController.php @@ -509,7 +509,7 @@ class UsersController extends AUserData { $data = $this->getUserData($userId, $includeScopes); // getUserData returns empty array if not enough permissions if (empty($data)) { - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } return new DataResponse($data); } @@ -602,7 +602,7 @@ class UsersController extends AUserData { $targetUser = $this->userManager->get($userId); if ($targetUser === null) { - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } $permittedFields = []; @@ -668,12 +668,12 @@ class UsersController extends AUserData { $permittedFields[] = 'quota'; } else { // No rights - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } } // Check if permitted to edit this field if (!in_array($key, $permittedFields)) { - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', 103); } // Process the edit switch ($key) { @@ -690,7 +690,7 @@ class UsersController extends AUserData { $quota = \OCP\Util::computerFileSize($quota); } if ($quota === false) { - throw new OCSException('Invalid quota value '.$value, 103); + throw new OCSException('Invalid quota value '.$value, 102); } if ($quota === -1) { $quota = 'none'; @@ -788,14 +788,18 @@ class UsersController extends AUserData { $targetUser = $this->userManager->get($userId); - if ($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) { + if ($targetUser === null) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + if ($targetUser->getUID() === $currentLoggedInUser->getUID()) { throw new OCSException('', 101); } // If not permitted $subAdminManager = $this->groupManager->getSubAdmin(); if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } $this->remoteWipe->markAllTokensForWipe($targetUser); @@ -816,14 +820,18 @@ class UsersController extends AUserData { $targetUser = $this->userManager->get($userId); - if ($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) { + if ($targetUser === null) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + if ($targetUser->getUID() === $currentLoggedInUser->getUID()) { throw new OCSException('', 101); } // If not permitted $subAdminManager = $this->groupManager->getSubAdmin(); if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } // Go ahead with the delete @@ -877,7 +885,7 @@ class UsersController extends AUserData { // If not permitted $subAdminManager = $this->groupManager->getSubAdmin(); if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } // enable/disable the user now @@ -924,7 +932,7 @@ class UsersController extends AUserData { return new DataResponse(['groups' => $groups]); } else { // Not permitted - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } } } @@ -1132,7 +1140,7 @@ class UsersController extends AUserData { if (!$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser) && !$this->groupManager->isAdmin($currentLoggedInUser->getUID())) { // No rights - throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } $email = $targetUser->getEMailAddress(); diff --git a/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php index a8bb8140060..cf51a148bba 100644 --- a/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php +++ b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php @@ -30,10 +30,10 @@ namespace OCA\Provisioning_API\Middleware; use OCA\Provisioning_API\Middleware\Exceptions\NotSubAdminException; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\Response; use OCP\AppFramework\Middleware; use OCP\AppFramework\OCS\OCSException; -use OCP\AppFramework\OCSController; use OCP\AppFramework\Utility\IControllerMethodReflector; class ProvisioningApiMiddleware extends Middleware { @@ -84,7 +84,7 @@ class ProvisioningApiMiddleware extends Middleware { */ public function afterException($controller, $methodName, \Exception $exception) { if ($exception instanceof NotSubAdminException) { - throw new OCSException($exception->getMessage(), OCSController::RESPOND_UNAUTHORISED); + throw new OCSException($exception->getMessage(), Http::STATUS_FORBIDDEN); } throw $exception; |