author | Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> | 2024-07-12 16:25:49 +0200 |
---|---|---|
committer | Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> | 2024-07-19 16:28:03 +0200 |
commit | 202e5b1e957a7692165a313710e38406ca4f6ff3 (patch) | |
tree | f1dd40c0e4399ebc0c9ca8df02e3168b7e4f7ae2 /lib/private/Group | |
parent | 8f975cda34b4b4f181646a54c15f7c511d6e8491 (diff) | |
feat(security): restrict admin actions to IP ranges
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
Diffstat (limited to 'lib/private/Group')
-rw-r--r-- | lib/private/Group/Manager.php | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/lib/private/Group/Manager.php b/lib/private/Group/Manager.php index 0ab64907c8b..67d6f8cbe9c 100644 --- a/lib/private/Group/Manager.php +++ b/lib/private/Group/Manager.php @@ -8,6 +8,7 @@ namespace OC\Group; use OC\Hooks\PublicEmitter; +use OC\Security\RemoteIpAddress; use OCP\EventDispatcher\IEventDispatcher; use OCP\Group\Backend\IBatchMethodsBackend; use OCP\Group\Backend\ICreateNamedGroupBackend; @@ -41,11 +42,6 @@ class Manager extends PublicEmitter implements IGroupManager { /** @var GroupInterface[] */ private $backends = []; - /** @var \OC\User\Manager */ - private $userManager; - private IEventDispatcher $dispatcher; - private LoggerInterface $logger; - /** @var array<string, IGroup> */ private $cachedGroups = []; @@ -59,13 +55,13 @@ class Manager extends PublicEmitter implements IGroupManager { private const MAX_GROUP_LENGTH = 255; - public function __construct(\OC\User\Manager $userManager, - IEventDispatcher $dispatcher, - LoggerInterface $logger, - ICacheFactory $cacheFactory) { - $this->userManager = $userManager; - $this->dispatcher = $dispatcher; - $this->logger = $logger; + public function __construct( + private \OC\User\Manager $userManager, + private IEventDispatcher $dispatcher, + private LoggerInterface $logger, + ICacheFactory $cacheFactory, + private RemoteIpAddress $remoteIpAddress, + ) { $this->displayNameCache = new DisplayNameCache($cacheFactory, $this); $this->listen('\OC\Group', 'postDelete', function (IGroup $group): void { @@ -325,6 +321,10 @@ class Manager extends PublicEmitter implements IGroupManager { * @return bool if admin */ public function isAdmin($userId) { + if (!$this->remoteIpAddress->allowsAdminActions()) { + return false; + } + foreach ($this->backends as $backend) { if (is_string($userId) && $backend->implementsActions(Backend::IS_ADMIN) && $backend->isAdmin($userId)) { return true; |
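Review bot: The `allowsAdminActions()` guard added at the top of `isAdmin()` makes the result depend on the current request's address and not only on `$userId`, but the docblock above it still reads `@return bool if admin`; I would change it to `@return bool true if the user is an admin and the remote address is allowed to perform admin actions`. Since the method now returns false for a genuine admin coming from a disallowed address, callers that use it for something other than authorising the current request (for example a background job selecting admins) may change behaviour silently, depending on how `RemoteIpAddress` treats a missing or unparsable address, which is not visible on this page. The restriction also lives only in this method, so code that tests membership of the admin group by another route would presumably not be covered; it is worth confirming that privileged paths go through `isAdmin()`. A refusal here is silent, so unless `allowsAdminActions()` logs it itself, a log entry would help operators tell a blocked admin from a non-admin. The body of `isAdmin()` continues past the end of the hunk.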