Add admin privilege delegation for admin settings

This makes it possible for selected groups to access some settings
pages.

Signed-off-by: Carl Schwan <carl@carlschwan.eu>

2 files changed, 78 insertions, 5 deletions

diff --git a/lib/public/Settings/IDelegatedSettings.php b/lib/public/Settings/IDelegatedSettings.php
new file mode 100644
index 00000000000..f9bf98668fb
--- /dev/null
+++ b/lib/public/Settings/IDelegatedSettings.php
@@ -0,0 +1,54 @@
+<?php
+/**
+ * @copyright Copyright (c) Nextcloud GmbH
+ *
+ * @author Carl Schwan <carl@carlschwan.eu>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCP\Settings;
+
+/**
+ * Special cases of settings that can be allowed to use by member of special
+ * groups.
+ * @since 23.0.0
+ */
+interface IDelegatedSettings extends ISettings {
+	/**
+	 * Get the name of the settings to differentiate settings inside a section or
+	 * null if only the section name should be displayed.
+	 * @since 23.0.0
+	 */
+	public function getName(): ?string;
+
+	/**
+	 * Get a list of authorized app config that this setting is allowed to modify.
+	 * The format of the array is the following:
+	 * ```php
+	 * <?php
+	 * [
+	 * 		'app_name' => [
+	 * 			'/simple_key/', # value
+	 * 			'/s[a-z]*ldap/', # regex
+	 * 		],
+	 * 		'another_app_name => [ ... ],
+	 * ]
+	 * ```
+	 * @since 23.0.0
+	 */
+	public function getAuthorizedAppConfig(): array;
+}
diff --git a/lib/public/Settings/IManager.php b/lib/public/Settings/IManager.php
index 0d475092704..2ec3fb0fd21 100644
--- a/lib/public/Settings/IManager.php
+++ b/lib/public/Settings/IManager.php
@@ -23,8 +23,11 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  *
  */
+
 namespace OCP\Settings;
 
+use OCP\IUser;
+
 /**
  * @since 9.1
  */
@@ -50,7 +53,7 @@ interface IManager {
 	public const KEY_PERSONAL_SECTION = 'personal-section';
 
 	/**
-	 * @param string $type 'admin' or 'personal'
+	 * @param string $type 'admin-section' or 'personal-section'
 	 * @param string $section Class must implement OCP\Settings\ISection
 	 * @since 14.0.0
 	 */
@@ -58,7 +61,7 @@ interface IManager {
 
 	/**
 	 * @param string $type 'admin' or 'personal'
-	 * @param string $setting Class must implement OCP\Settings\ISetting
+	 * @param string $setting Class must implement OCP\Settings\ISettings
 	 * @since 14.0.0
 	 */
 	public function registerSetting(string $type, string $setting);
@@ -66,7 +69,7 @@ interface IManager {
 	/**
 	 * returns a list of the admin sections
 	 *
-	 * @return array array of ISection[] where key is the priority
+	 * @return array<int, array<int, IIconSection>> array from IConSection[] where key is the priority
 	 * @since 9.1.0
 	 */
 	public function getAdminSections(): array;
@@ -84,16 +87,32 @@ interface IManager {
 	 *
 	 * @param string $section the section id for which to load the settings
 	 * @param bool $subAdminOnly only return settings sub admins are supposed to see (since 17.0.0)
-	 * @return array array of IAdmin[] where key is the priority
+	 * @return array<int, array<int, ISettings>> array of ISettings[] where key is the priority
 	 * @since 9.1.0
 	 */
 	public function getAdminSettings($section, bool $subAdminOnly = false): array;
 
 	/**
+	 * Returns a list of admin settings that the given user can use for the give section
+	 *
+	 * @return array<int, list<ISettings>> The array of admin settings there admin delegation is allowed.
+	 * @since 23.0.0
+	 */
+	public function getAllowedAdminSettings(string $section, IUser $user): array;
+
+	/**
+	 * Returns a list of admin settings that the given user can use.
+	 *
+	 * @return array<int, list<ISettings>> The array of admin settings there admin delegation is allowed.
+	 * @since 23.0.0
+	 */
+	public function getAllAllowedAdminSettings(IUser $user): array;
+
+	/**
 	 * returns a list of the personal  settings
 	 *
 	 * @param string $section the section id for which to load the settings
-	 * @return array array of IPersonal[] where key is the priority
+	 * @return array array of ISettings[] where key is the priority
 	 * @since 13.0.0
 	 */
 	public function getPersonalSettings($section): array;