Allow user creation with subadmins and quota

Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
author: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> 2018-04-06 15:07:04 +0200
committer: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> 2018-04-06 15:30:41 +0200
commit: 18ec4ddd2b2c0a559b99963e3536a8487e999ab3 (patch)
tree: e0da9afe49f2c49009f6f72fbf61ef48ffd5bfff /apps/provisioning_api/lib
parent: 4a6e31c91dcbdc2cfd2cae44bf64243c5005fa13 (diff)
download: nextcloud-server-18ec4ddd2b2c0a559b99963e3536a8487e999ab3.tar.gz
nextcloud-server-18ec4ddd2b2c0a559b99963e3536a8487e999ab3.zip
1 files changed, 77 insertions, 43 deletions
diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php
index 1a710b592d2..420c09dfecb 100644
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@@ -126,7 +126,7 @@ class UsersController extends AUserData {
 		// Admin? Or SubAdmin?
 		$uid = $user->getUID();
 		$subAdminManager = $this->groupManager->getSubAdmin();
-		if($this->groupManager->isAdmin($uid)){
+		if ($this->groupManager->isAdmin($uid)){
 			$users = $this->userManager->search($search, $limit, $offset);
 		} else if ($subAdminManager->isSubAdmin($user)) {
 			$subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user);
@@ -159,7 +159,7 @@ class UsersController extends AUserData {
 		// Admin? Or SubAdmin?
 		$uid = $user->getUID();
 		$subAdminManager = $this->groupManager->getSubAdmin();
-		if($this->groupManager->isAdmin($uid)){
+		if ($this->groupManager->isAdmin($uid)){
 			$users = $this->userManager->search($search, $limit, $offset);
 		} else if ($subAdminManager->isSubAdmin($user)) {
 			$subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user);
@@ -178,7 +178,7 @@ class UsersController extends AUserData {
 		foreach ($users as $key => $userId) {
 			$userData = $this->getUserData($userId);
 			// Do not insert empty entry
-			if(!empty($userData)) {
+			if (!empty($userData)) {
 				$usersDetails[$userId] = $userData;
 			}
 		}
@@ -196,34 +196,61 @@ class UsersController extends AUserData {
 	 * @param string $password
 	 * @param string $email
 	 * @param array $groups
+	 * @param array $subadmins
+	 * @param string $quota
 	 * @return DataResponse
 	 * @throws OCSException
 	 */
-	public function addUser(string $userid, string $password = '', string $email='', array $groups = []): DataResponse {
+	public function addUser(string $userid,
+							string $password = '',
+							string $email = '',
+							array $groups = [],
+							array $subadmin = [],
+							string $quota = ''): DataResponse {
 		$user = $this->userSession->getUser();
 		$isAdmin = $this->groupManager->isAdmin($user->getUID());
 		$subAdminManager = $this->groupManager->getSubAdmin();
 
-		if($this->userManager->userExists($userid)) {
+		if ($this->userManager->userExists($userid)) {
 			$this->logger->error('Failed addUser attempt: User already exists.', ['app' => 'ocs_api']);
 			throw new OCSException('User already exists', 102);
 		}
 
-		if($groups !== []) {
+		if ($groups !== []) {
 			foreach ($groups as $group) {
-				if(!$this->groupManager->groupExists($group)) {
+				if (!$this->groupManager->groupExists($group)) {
 					throw new OCSException('group '.$group.' does not exist', 104);
 				}
-				if(!$isAdmin && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) {
+				if (!$isAdmin && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) {
 					throw new OCSException('insufficient privileges for group '. $group, 105);
 				}
 			}
 		} else {
-			if(!$isAdmin) {
+			if (!$isAdmin) {
 				throw new OCSException('no group specified (required for subadmins)', 106);
 			}
 		}
 
+		$subadminGroups = [];
+		if ($subadmin !== []) {
+			foreach ($subadmin as $groupid) {
+				$group = $this->groupManager->get($groupid);
+				// Check if group exists
+				if ($group === null) {
+					throw new OCSException('Subadmin group does not exist',  102);
+				}
+				// Check if trying to make subadmin of admin group
+				if ($group->getGID() === 'admin') {
+					throw new OCSException('Cannot create subadmins for admin group', 103);
+				}
+				// Check if has permission to promote subadmins
+				if (!$subAdminManager->isSubAdminOfGroup($user, $group) && !$isAdmin) {
+					throw new OCSForbiddenException('No permissions to promote subadmins');
+				}
+				$subadminGroups[] = $group;
+			}
+		}
+
 		$generatePasswordResetToken = false;
 		if ($password === '') {
 			if ($email === '') {
@@ -244,6 +271,13 @@ class UsersController extends AUserData {
 				$this->groupManager->get($group)->addUser($newUser);
 				$this->logger->info('Added userid ' . $userid . ' to group ' . $group, ['app' => 'ocs_api']);
 			}
+			foreach ($subadminGroups as $group) {
+				$subAdminManager->createSubAdmin($newUser, $group);
+			}
+
+			if ($quota !== '') {
+				$this->editUser($userid, 'quota', $quota);
+			}
 
 			// Send new user mail only if a mail is set
 			if ($email !== '') {
@@ -293,7 +327,7 @@ class UsersController extends AUserData {
 	public function getUser(string $userId): DataResponse {
 		$data = $this->getUserData($userId);
 		// getUserData returns empty array if not enough permissions
-		if(empty($data)) {
+		if (empty($data)) {
 			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
 		}
 		return new DataResponse($data);
@@ -367,12 +401,12 @@ class UsersController extends AUserData {
 		$currentLoggedInUser = $this->userSession->getUser();
 
 		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null) {
+		if ($targetUser === null) {
 			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
 		}
 
 		$permittedFields = [];
-		if($targetUser->getUID() === $currentLoggedInUser->getUID()) {
+		if ($targetUser->getUID() === $currentLoggedInUser->getUID()) {
 			// Editing self (display, email)
 			if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
 				$permittedFields[] = 'display';
@@ -398,13 +432,13 @@ class UsersController extends AUserData {
 			}
 
 			// If admin they can edit their own quota
-			if($this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
+			if ($this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
 				$permittedFields[] = 'quota';
 			}
 		} else {
 			// Check if admin / subadmin
 			$subAdminManager = $this->groupManager->getSubAdmin();
-			if($subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
+			if ($subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
 			|| $this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
 				// They have permissions over the user
 				$permittedFields[] = 'display';
@@ -423,7 +457,7 @@ class UsersController extends AUserData {
 			}
 		}
 		// Check if permitted to edit this field
-		if(!in_array($key, $permittedFields)) {
+		if (!in_array($key, $permittedFields)) {
 			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
 		}
 		// Process the edit
@@ -434,7 +468,7 @@ class UsersController extends AUserData {
 				break;
 			case 'quota':
 				$quota = $value;
-				if($quota !== 'none' && $quota !== 'default') {
+				if ($quota !== 'none' && $quota !== 'default') {
 					if (is_numeric($quota)) {
 						$quota = (float) $quota;
 					} else {
@@ -443,9 +477,9 @@ class UsersController extends AUserData {
 					if ($quota === false) {
 						throw new OCSException('Invalid quota value '.$value, 103);
 					}
-					if($quota === 0) {
+					if ($quota === 0) {
 						$quota = 'default';
-					}else if($quota === -1) {
+					}else if ($quota === -1) {
 						$quota = 'none';
 					} else {
 						$quota = \OCP\Util::humanFileSize($quota);
@@ -464,7 +498,7 @@ class UsersController extends AUserData {
 				$this->config->setUserValue($targetUser->getUID(), 'core', 'lang', $value);
 				break;
 			case AccountManager::PROPERTY_EMAIL:
-				if(filter_var($value, FILTER_VALIDATE_EMAIL) || $value === '') {
+				if (filter_var($value, FILTER_VALIDATE_EMAIL) || $value === '') {
 					$targetUser->setEMailAddress($value);
 				} else {
 					throw new OCSException('', 102);
@@ -499,18 +533,18 @@ class UsersController extends AUserData {
 
 		$targetUser = $this->userManager->get($userId);
 
-		if($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
+		if ($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
 			throw new OCSException('', 101);
 		}
 
 		// If not permitted
 		$subAdminManager = $this->groupManager->getSubAdmin();
-		if(!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
+		if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
 			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
 		}
 
 		// Go ahead with the delete
-		if($targetUser->delete()) {
+		if ($targetUser->delete()) {
 			return new DataResponse();
 		} else {
 			throw new OCSException('', 101);
@@ -553,13 +587,13 @@ class UsersController extends AUserData {
 		$currentLoggedInUser = $this->userSession->getUser();
 
 		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
+		if ($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
 			throw new OCSException('', 101);
 		}
 
 		// If not permitted
 		$subAdminManager = $this->groupManager->getSubAdmin();
-		if(!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
+		if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
 			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
 		}
 
@@ -580,11 +614,11 @@ class UsersController extends AUserData {
 		$loggedInUser = $this->userSession->getUser();
 
 		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null) {
+		if ($targetUser === null) {
 			throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND);
 		}
 
-		if($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) {
+		if ($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) {
 			// Self lookup or admin lookup
 			return new DataResponse([
 				'groups' => $this->groupManager->getUserGroupIds($targetUser)
@@ -593,7 +627,7 @@ class UsersController extends AUserData {
 			$subAdminManager = $this->groupManager->getSubAdmin();
 
 			// Looking up someone else
-			if($subAdminManager->isUserAccessible($loggedInUser, $targetUser)) {
+			if ($subAdminManager->isUserAccessible($loggedInUser, $targetUser)) {
 				// Return the group that the method caller is subadmin of for the user in question
 				/** @var IGroup[] $getSubAdminsGroups */
 				$getSubAdminsGroups = $subAdminManager->getSubAdminsGroups($loggedInUser);
@@ -623,16 +657,16 @@ class UsersController extends AUserData {
 	 * @throws OCSException
 	 */
 	public function addToGroup(string $userId, string $groupid = ''): DataResponse {
-		if($groupid === '') {
+		if ($groupid === '') {
 			throw new OCSException('', 101);
 		}
 
 		$group = $this->groupManager->get($groupid);
 		$targetUser = $this->userManager->get($userId);
-		if($group === null) {
+		if ($group === null) {
 			throw new OCSException('', 102);
 		}
-		if($targetUser === null) {
+		if ($targetUser === null) {
 			throw new OCSException('', 103);
 		}
 
@@ -660,17 +694,17 @@ class UsersController extends AUserData {
 	public function removeFromGroup(string $userId, string $groupid): DataResponse {
 		$loggedInUser = $this->userSession->getUser();
 
-		if($groupid === null || trim($groupid) === '') {
+		if ($groupid === null || trim($groupid) === '') {
 			throw new OCSException('', 101);
 		}
 
 		$group = $this->groupManager->get($groupid);
-		if($group === null) {
+		if ($group === null) {
 			throw new OCSException('', 102);
 		}
 
 		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null) {
+		if ($targetUser === null) {
 			throw new OCSException('', 103);
 		}
 
@@ -726,15 +760,15 @@ class UsersController extends AUserData {
 		$user = $this->userManager->get($userId);
 
 		// Check if the user exists
-		if($user === null) {
+		if ($user === null) {
 			throw new OCSException('User does not exist', 101);
 		}
 		// Check if group exists
-		if($group === null) {
+		if ($group === null) {
 			throw new OCSException('Group does not exist',  102);
 		}
 		// Check if trying to make subadmin of admin group
-		if($group->getGID() === 'admin') {
+		if ($group->getGID() === 'admin') {
 			throw new OCSException('Cannot create subadmins for admin group', 103);
 		}
 
@@ -745,7 +779,7 @@ class UsersController extends AUserData {
 			return new DataResponse();
 		}
 		// Go
-		if($subAdminManager->createSubAdmin($user, $group)) {
+		if ($subAdminManager->createSubAdmin($user, $group)) {
 			return new DataResponse();
 		} else {
 			throw new OCSException('Unknown error occurred', 103);
@@ -768,20 +802,20 @@ class UsersController extends AUserData {
 		$subAdminManager = $this->groupManager->getSubAdmin();
 
 		// Check if the user exists
-		if($user === null) {
+		if ($user === null) {
 			throw new OCSException('User does not exist', 101);
 		}
 		// Check if the group exists
-		if($group === null) {
+		if ($group === null) {
 			throw new OCSException('Group does not exist', 101);
 		}
 		// Check if they are a subadmin of this said group
-		if(!$subAdminManager->isSubAdminOfGroup($user, $group)) {
+		if (!$subAdminManager->isSubAdminOfGroup($user, $group)) {
 			throw new OCSException('User is not a subadmin of this group', 102);
 		}
 
 		// Go
-		if($subAdminManager->deleteSubAdmin($user, $group)) {
+		if ($subAdminManager->deleteSubAdmin($user, $group)) {
 			return new DataResponse();
 		} else {
 			throw new OCSException('Unknown error occurred', 103);
@@ -814,13 +848,13 @@ class UsersController extends AUserData {
 		$currentLoggedInUser = $this->userSession->getUser();
 
 		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null) {
+		if ($targetUser === null) {
 			throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND);
 		}
 
 		// Check if admin / subadmin
 		$subAdminManager = $this->groupManager->getSubAdmin();
-		if(!$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
+		if (!$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
 			&& !$this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
 			// No rights
 			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
author	John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	2018-04-06 15:07:04 +0200
committer	John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	2018-04-06 15:30:41 +0200
commit	18ec4ddd2b2c0a559b99963e3536a8487e999ab3 (patch)
tree	e0da9afe49f2c49009f6f72fbf61ef48ffd5bfff /apps/provisioning_api/lib
parent	4a6e31c91dcbdc2cfd2cae44bf64243c5005fa13 (diff)
download	nextcloud-server-18ec4ddd2b2c0a559b99963e3536a8487e999ab3.tar.gz nextcloud-server-18ec4ddd2b2c0a559b99963e3536a8487e999ab3.zip