Merge pull request #31194 from nextcloud/feat/allow-to-exclude-groups-from-password-enforcement

Allow to disable password policy enforcement for selected groups

4 files changed, 25 insertions, 8 deletions

diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php
index 2a76ddafb25..3fca9e3fe14 100644
--- a/lib/private/Share20/Manager.php
+++ b/lib/private/Share20/Manager.php
@@ -1783,9 +1783,21 @@ class Manager implements IManager {
 	/**
 	 * Is password on public link requires
 	 *
+	 * @param bool Check group membership exclusion
 	 * @return bool
 	 */
-	public function shareApiLinkEnforcePassword() {
+	public function shareApiLinkEnforcePassword(bool $checkGroupMembership = true) {
+		$excludedGroups = $this->config->getAppValue('core', 'shareapi_enforce_links_password_excluded_groups', '');
+		if ($excludedGroups !== '' && $checkGroupMembership) {
+			$excludedGroups = json_decode($excludedGroups);
+			$user = $this->userSession->getUser();
+			if ($user) {
+				$userGroups = $this->groupManager->getUserGroupIds($user);
+				if ((bool)array_intersect($excludedGroups, $userGroups)) {
+					return false;
+				}
+			}
+		}
 		return $this->config->getAppValue('core', 'shareapi_enforce_links_password', 'no') === 'yes';
 	}
 
diff --git a/lib/private/legacy/OC_Util.php b/lib/private/legacy/OC_Util.php
index ceed79bc9d5..edee23995f1 100644
--- a/lib/private/legacy/OC_Util.php
+++ b/lib/private/legacy/OC_Util.php
@@ -116,15 +116,16 @@ class OC_Util {
 	}
 
 	/**
-	 * check if a password is required for each public link
+	 * Check if a password is required for each public link
 	 *
+	 * @param bool $checkGroupMembership Check group membership exclusion
 	 * @return boolean
 	 * @suppress PhanDeprecatedFunction
 	 */
-	public static function isPublicLinkPasswordRequired() {
+	public static function isPublicLinkPasswordRequired(bool $checkGroupMembership = true) {
 		/** @var IManager $shareManager */
 		$shareManager = \OC::$server->get(IManager::class);
-		return $shareManager->shareApiLinkEnforcePassword();
+		return $shareManager->shareApiLinkEnforcePassword($checkGroupMembership);
 	}
 
 	/**
diff --git a/lib/public/Share/IManager.php b/lib/public/Share/IManager.php
index ff4b6af19e0..f6b74c4de4a 100644
--- a/lib/public/Share/IManager.php
+++ b/lib/public/Share/IManager.php
@@ -321,10 +321,12 @@ interface IManager {
 	/**
 	 * Is password on public link requires
 	 *
+	 * @param bool $checkGroupMembership Check group membership exclusion
 	 * @return bool
 	 * @since 9.0.0
+	 * @since 24.0.0 Added optional $checkGroupMembership parameter
 	 */
-	public function shareApiLinkEnforcePassword();
+	public function shareApiLinkEnforcePassword(bool $checkGroupMembership = true);
 
 	/**
 	 * Is default expire date enabled
diff --git a/lib/public/Util.php b/lib/public/Util.php
index cd6f5f34a69..c8b55bb10e2 100644
--- a/lib/public/Util.php
+++ b/lib/public/Util.php
@@ -547,12 +547,14 @@ class Util {
 	}
 
 	/**
-	 * check if a password is required for each public link
+	 * Check if a password is required for each public link
+	 *
+	 * @param bool $checkGroupMembership Check group membership exclusion
 	 * @return boolean
 	 * @since 7.0.0
 	 */
-	public static function isPublicLinkPasswordRequired() {
-		return \OC_Util::isPublicLinkPasswordRequired();
+	public static function isPublicLinkPasswordRequired(bool $checkGroupMembership = true) {
+		return \OC_Util::isPublicLinkPasswordRequired($checkGroupMembership);
 	}
 
 	/**