3 files changed, 69 insertions, 3 deletions
diff --git a/apps/provisioning_api/lib/Controller/AppConfigController.php b/apps/provisioning_api/lib/Controller/AppConfigController.php
index cd8dba9e5b8..12b6a7d1370 100644
--- a/apps/provisioning_api/lib/Controller/AppConfigController.php
+++ b/apps/provisioning_api/lib/Controller/AppConfigController.php
@@ -26,12 +26,19 @@ declare(strict_types=1);
  */
 namespace OCA\Provisioning_API\Controller;
 
+use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\IAppConfig;
 use OCP\IConfig;
+use OCP\IGroupManager;
+use OCP\IL10N;
 use OCP\IRequest;
+use OCP\IUser;
+use OCP\IUserSession;
+use OCP\Settings\IDelegatedSettings;
+use OCP\Settings\IManager;
 
 class AppConfigController extends OCSController {
 
@@ -41,6 +48,18 @@ class AppConfigController extends OCSController {
 	/** @var IAppConfig */
 	protected $appConfig;
 
+	/** @var IUserSession */
+	private $userSession;
+
+	/** @var IL10N */
+	private $l10n;
+
+	/** @var IGroupManager */
+	private $groupManager;
+
+	/** @var IManager */
+	private $settingManager;
+
 	/**
 	 * @param string $appName
 	 * @param IRequest $request
@@ -50,10 +69,18 @@ class AppConfigController extends OCSController {
 	public function __construct(string $appName,
 								IRequest $request,
 								IConfig $config,
-								IAppConfig $appConfig) {
+								IAppConfig $appConfig,
+								IUserSession $userSession,
+								IL10N $l10n,
+								IGroupManager $groupManager,
+								IManager $settingManager) {
 		parent::__construct($appName, $request);
 		$this->config = $config;
 		$this->appConfig = $appConfig;
+		$this->userSession = $userSession;
+		$this->l10n = $l10n;
+		$this->groupManager = $groupManager;
+		$this->settingManager = $settingManager;
 	}
 
 	/**
@@ -99,12 +126,23 @@ class AppConfigController extends OCSController {
 
 	/**
 	 * @PasswordConfirmationRequired
+	 * @NoSubAdminRequired
+	 * @NoAdminRequired
 	 * @param string $app
 	 * @param string $key
 	 * @param string $value
 	 * @return DataResponse
 	 */
 	public function setValue(string $app, string $key, string $value): DataResponse {
+		$user = $this->userSession->getUser();
+		if ($user === null) {
+			throw new \Exception("User is not logged in."); // Should not happen, since method is guarded by middleware
+		}
+
+		if (!$this->isAllowedToChangedKey($user, $app, $key)) {
+			throw new NotAdminException($this->l10n->t('Logged in user must be an admin or have authorization to edit this setting.'));
+		}
+
 		try {
 			$this->verifyAppId($app);
 			$this->verifyConfigKey($app, $key, $value);
@@ -170,4 +208,30 @@ class AppConfigController extends OCSController {
 			throw new \InvalidArgumentException('The given key can not be set, unlimited quota is forbidden on this instance');
 		}
 	}
+
+	private function isAllowedToChangedKey(IUser $user, string $app, string $key): bool {
+		// Admin right verification
+		$isAdmin = $this->groupManager->isAdmin($user->getUID());
+		if ($isAdmin) {
+			return true;
+		}
+
+		$settings = $this->settingManager->getAllAllowedAdminSettings($user);
+		foreach ($settings as $setting) {
+			if (!($setting instanceof IDelegatedSettings)) {
+				continue;
+			}
+			$allowedKeys = $setting->getAuthorizedAppConfig();
+			if (!array_key_exists($app, $allowedKeys)) {
+				continue;
+			}
+			foreach ($allowedKeys[$app] as $regex) {
+				if ($regex === $key
+					|| (str_starts_with($regex, '/') && preg_match($regex, $key) === 1)) {
+					return true;
+				}
+			}
+		}
+		return false;
+	}
 }
diff --git a/apps/provisioning_api/lib/Controller/GroupsController.php b/apps/provisioning_api/lib/Controller/GroupsController.php
index 7b6e5319c2a..e7e2a666b7b 100644
--- a/apps/provisioning_api/lib/Controller/GroupsController.php
+++ b/apps/provisioning_api/lib/Controller/GroupsController.php
@@ -96,9 +96,10 @@ class GroupsController extends AUserData {
 	}
 
 	/**
-	 * returns a list of groups details with ids and displaynames
+	 * Returns a list of groups details with ids and displaynames
 	 *
 	 * @NoAdminRequired
+	 * @AuthorizedAdminSetting(settings=OCA\Settings\Settings\Admin\Sharing)
 	 *
 	 * @param string $search
 	 * @param int $limit
diff --git a/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php
index 8dbee85360b..02fd0469513 100644
--- a/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php
+++ b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php
@@ -70,7 +70,8 @@ class ProvisioningApiMiddleware extends Middleware {
 	 * @throws NotSubAdminException
 	 */
 	public function beforeController($controller, $methodName) {
-		if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin) {
+		// If AuthorizedAdminSetting, the check will be done in the SecurityMiddleware
+		if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin && !$this->reflector->hasAnnotation('AuthorizedAdminSetting')) {
 			throw new NotSubAdminException();
 		}
 	}