diff options
Diffstat (limited to 'apps/provisioning_api/lib')
15 files changed, 2374 insertions, 947 deletions
diff --git a/apps/provisioning_api/lib/AppInfo/Application.php b/apps/provisioning_api/lib/AppInfo/Application.php index 9e386e99064..57de9dad416 100644 --- a/apps/provisioning_api/lib/AppInfo/Application.php +++ b/apps/provisioning_api/lib/AppInfo/Application.php @@ -1,83 +1,79 @@ <?php + /** - * - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author zulan <git@zulan.net> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\Provisioning_API\AppInfo; -use OC\AppFramework\Utility\SimpleContainer; -use OC\AppFramework\Utility\TimeFactory; use OC\Group\Manager as GroupManager; +use OCA\Provisioning_API\Capabilities; +use OCA\Provisioning_API\Listener\UserDeletedListener; use OCA\Provisioning_API\Middleware\ProvisioningApiMiddleware; use OCA\Settings\Mailer\NewUserMailHelper; use OCP\AppFramework\App; +use OCP\AppFramework\Bootstrap\IBootContext; +use OCP\AppFramework\Bootstrap\IBootstrap; +use OCP\AppFramework\Bootstrap\IRegistrationContext; use OCP\AppFramework\Utility\IControllerMethodReflector; +use OCP\AppFramework\Utility\ITimeFactory; use OCP\Defaults; +use OCP\IConfig; use OCP\IGroupManager; +use OCP\IURLGenerator; use OCP\IUser; +use OCP\IUserManager; +use OCP\L10N\IFactory; +use OCP\Mail\IMailer; +use OCP\Security\ICrypto; +use OCP\Security\ISecureRandom; +use OCP\User\Events\UserDeletedEvent; use OCP\Util; +use Psr\Container\ContainerInterface; -class Application extends App { +class Application extends App implements IBootstrap { public function __construct(array $urlParams = []) { parent::__construct('provisioning_api', $urlParams); + } - $container = $this->getContainer(); - $server = $container->getServer(); + public function register(IRegistrationContext $context): void { + $context->registerEventListener(UserDeletedEvent::class, UserDeletedListener::class); - $container->registerService(NewUserMailHelper::class, function (SimpleContainer $c) use ($server) { + $context->registerService(NewUserMailHelper::class, function (ContainerInterface $c) { return new NewUserMailHelper( - $server->query(Defaults::class), - $server->getURLGenerator(), - $server->getL10NFactory(), - $server->getMailer(), - $server->getSecureRandom(), - new TimeFactory(), - $server->getConfig(), - $server->getCrypto(), + $c->get(Defaults::class), + $c->get(IURLGenerator::class), + $c->get(IFactory::class), + $c->get(IMailer::class), + $c->get(ISecureRandom::class), + $c->get(ITimeFactory::class), + $c->get(IConfig::class), + $c->get(ICrypto::class), Util::getDefaultEmailAddress('no-reply') ); }); - $container->registerService('ProvisioningApiMiddleware', function (SimpleContainer $c) use ($server) { - $user = $server->getUserManager()->get($c['UserId']); + $context->registerService(ProvisioningApiMiddleware::class, function (ContainerInterface $c) { + $user = $c->get(IUserManager::class)->get($c->get('UserId')); $isAdmin = false; $isSubAdmin = false; if ($user instanceof IUser) { - $groupManager = $server->get(IGroupManager::class); + $groupManager = $c->get(IGroupManager::class); assert($groupManager instanceof GroupManager); $isAdmin = $groupManager->isAdmin($user->getUID()); $isSubAdmin = $groupManager->getSubAdmin()->isSubAdmin($user); } return new ProvisioningApiMiddleware( - $c->query(IControllerMethodReflector::class), + $c->get(IControllerMethodReflector::class), $isAdmin, $isSubAdmin ); }); - $container->registerMiddleWare('ProvisioningApiMiddleware'); + $context->registerMiddleware(ProvisioningApiMiddleware::class); + $context->registerCapability(Capabilities::class); + } + + public function boot(IBootContext $context): void { } } diff --git a/apps/provisioning_api/lib/Capabilities.php b/apps/provisioning_api/lib/Capabilities.php new file mode 100644 index 00000000000..5becf6f611f --- /dev/null +++ b/apps/provisioning_api/lib/Capabilities.php @@ -0,0 +1,54 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Provisioning_API; + +use OCA\FederatedFileSharing\FederatedShareProvider; +use OCP\App\IAppManager; +use OCP\Capabilities\ICapability; +use OCP\Server; + +class Capabilities implements ICapability { + + public function __construct( + private IAppManager $appManager, + ) { + } + + /** + * Function an app uses to return the capabilities + * + * @return array{ + * provisioning_api: array{ + * version: string, + * AccountPropertyScopesVersion: int, + * AccountPropertyScopesFederatedEnabled: bool, + * AccountPropertyScopesPublishedEnabled: bool, + * }, + * } + */ + public function getCapabilities() { + $federatedScopeEnabled = $this->appManager->isEnabledForUser('federation'); + + $publishedScopeEnabled = false; + + $federatedFileSharingEnabled = $this->appManager->isEnabledForUser('federatedfilesharing'); + if ($federatedFileSharingEnabled) { + /** @var FederatedShareProvider $shareProvider */ + $shareProvider = Server::get(FederatedShareProvider::class); + $publishedScopeEnabled = $shareProvider->isLookupServerUploadEnabled(); + } + + return [ + 'provisioning_api' => [ + 'version' => $this->appManager->getAppVersion('provisioning_api'), + 'AccountPropertyScopesVersion' => 2, + 'AccountPropertyScopesFederatedEnabled' => $federatedScopeEnabled, + 'AccountPropertyScopesPublishedEnabled' => $publishedScopeEnabled, + ] + ]; + } +} diff --git a/apps/provisioning_api/lib/Controller/AUserData.php b/apps/provisioning_api/lib/Controller/AUserData.php deleted file mode 100644 index b7b31b18b53..00000000000 --- a/apps/provisioning_api/lib/Controller/AUserData.php +++ /dev/null @@ -1,216 +0,0 @@ -<?php - -declare(strict_types=1); - -/** - * @copyright Copyright (c) 2018 John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Georg Ehrke <oc.list@georgehrke.com> - * @author Joas Schilling <coding@schilljs.com> - * @author John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * - */ - -namespace OCA\Provisioning_API\Controller; - -use OC\Accounts\AccountManager; -use OC\User\Backend; -use OC\User\NoUserException; -use OC_Helper; -use OCP\Accounts\IAccountManager; -use OCP\AppFramework\OCS\OCSException; -use OCP\AppFramework\OCS\OCSNotFoundException; -use OCP\AppFramework\OCSController; -use OCP\Files\NotFoundException; -use OCP\IConfig; -use OCP\IGroupManager; -use OCP\IRequest; -use OCP\IUserManager; -use OCP\IUserSession; -use OCP\L10N\IFactory; -use OCP\User\Backend\ISetDisplayNameBackend; -use OCP\User\Backend\ISetPasswordBackend; - -abstract class AUserData extends OCSController { - - /** @var IUserManager */ - protected $userManager; - /** @var IConfig */ - protected $config; - /** @var IGroupManager|\OC\Group\Manager */ // FIXME Requires a method that is not on the interface - protected $groupManager; - /** @var IUserSession */ - protected $userSession; - /** @var AccountManager */ - protected $accountManager; - /** @var IFactory */ - protected $l10nFactory; - - public function __construct(string $appName, - IRequest $request, - IUserManager $userManager, - IConfig $config, - IGroupManager $groupManager, - IUserSession $userSession, - AccountManager $accountManager, - IFactory $l10nFactory) { - parent::__construct($appName, $request); - - $this->userManager = $userManager; - $this->config = $config; - $this->groupManager = $groupManager; - $this->userSession = $userSession; - $this->accountManager = $accountManager; - $this->l10nFactory = $l10nFactory; - } - - /** - * creates a array with all user data - * - * @param string $userId - * @return array - * @throws NotFoundException - * @throws OCSException - * @throws OCSNotFoundException - */ - protected function getUserData(string $userId): array { - $currentLoggedInUser = $this->userSession->getUser(); - - $data = []; - - // Check if the target user exists - $targetUserObject = $this->userManager->get($userId); - if ($targetUserObject === null) { - throw new OCSNotFoundException('User does not exist'); - } - - // Should be at least Admin Or SubAdmin! - if ($this->groupManager->isAdmin($currentLoggedInUser->getUID()) - || $this->groupManager->getSubAdmin()->isUserAccessible($currentLoggedInUser, $targetUserObject)) { - $data['enabled'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'enabled', 'true') === 'true'; - } else { - // Check they are looking up themselves - if ($currentLoggedInUser->getUID() !== $targetUserObject->getUID()) { - return $data; - } - } - - // Get groups data - $userAccount = $this->accountManager->getUser($targetUserObject); - $groups = $this->groupManager->getUserGroups($targetUserObject); - $gids = []; - foreach ($groups as $group) { - $gids[] = $group->getGID(); - } - - try { - # might be thrown by LDAP due to handling of users disappears - # from the external source (reasons unknown to us) - # cf. https://github.com/nextcloud/server/issues/12991 - $data['storageLocation'] = $targetUserObject->getHome(); - } catch (NoUserException $e) { - throw new OCSNotFoundException($e->getMessage(), $e); - } - - // Find the data - $data['id'] = $targetUserObject->getUID(); - $data['lastLogin'] = $targetUserObject->getLastLogin() * 1000; - $data['backend'] = $targetUserObject->getBackendClassName(); - $data['subadmin'] = $this->getUserSubAdminGroupsData($targetUserObject->getUID()); - $data['quota'] = $this->fillStorageInfo($targetUserObject->getUID()); - $data[IAccountManager::PROPERTY_EMAIL] = $targetUserObject->getEMailAddress(); - $data[IAccountManager::PROPERTY_DISPLAYNAME] = $targetUserObject->getDisplayName(); - $data[IAccountManager::PROPERTY_PHONE] = $userAccount[IAccountManager::PROPERTY_PHONE]['value']; - $data[IAccountManager::PROPERTY_ADDRESS] = $userAccount[IAccountManager::PROPERTY_ADDRESS]['value']; - $data[IAccountManager::PROPERTY_WEBSITE] = $userAccount[IAccountManager::PROPERTY_WEBSITE]['value']; - $data[IAccountManager::PROPERTY_TWITTER] = $userAccount[IAccountManager::PROPERTY_TWITTER]['value']; - $data['groups'] = $gids; - $data['language'] = $this->l10nFactory->getUserLanguage($targetUserObject); - $data['locale'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'locale'); - - $backend = $targetUserObject->getBackend(); - $data['backendCapabilities'] = [ - 'setDisplayName' => $backend instanceof ISetDisplayNameBackend || $backend->implementsActions(Backend::SET_DISPLAYNAME), - 'setPassword' => $backend instanceof ISetPasswordBackend || $backend->implementsActions(Backend::SET_PASSWORD), - ]; - - return $data; - } - - /** - * Get the groups a user is a subadmin of - * - * @param string $userId - * @return array - * @throws OCSException - */ - protected function getUserSubAdminGroupsData(string $userId): array { - $user = $this->userManager->get($userId); - // Check if the user exists - if ($user === null) { - throw new OCSNotFoundException('User does not exist'); - } - - // Get the subadmin groups - $subAdminGroups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($user); - $groups = []; - foreach ($subAdminGroups as $key => $group) { - $groups[] = $group->getGID(); - } - - return $groups; - } - - /** - * @param string $userId - * @return array - * @throws \OCP\Files\NotFoundException - */ - protected function fillStorageInfo(string $userId): array { - try { - \OC_Util::tearDownFS(); - \OC_Util::setupFS($userId); - $storage = OC_Helper::getStorageInfo('/'); - $data = [ - 'free' => $storage['free'], - 'used' => $storage['used'], - 'total' => $storage['total'], - 'relative' => $storage['relative'], - 'quota' => $storage['quota'], - ]; - } catch (NotFoundException $ex) { - // User fs is not setup yet - $user = $this->userManager->get($userId); - if ($user === null) { - throw new OCSException('User does not exist', 101); - } - $quota = $user->getQuota(); - if ($quota !== 'none') { - $quota = OC_Helper::computerFileSize($quota); - } - $data = [ - 'quota' => $quota !== false ? $quota : 'none', - 'used' => 0 - ]; - } - return $data; - } -} diff --git a/apps/provisioning_api/lib/Controller/AUserDataOCSController.php b/apps/provisioning_api/lib/Controller/AUserDataOCSController.php new file mode 100644 index 00000000000..d321adf7c8f --- /dev/null +++ b/apps/provisioning_api/lib/Controller/AUserDataOCSController.php @@ -0,0 +1,325 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Provisioning_API\Controller; + +use OC\Group\Manager as GroupManager; +use OC\User\Backend; +use OC\User\NoUserException; +use OCA\Provisioning_API\ResponseDefinitions; +use OCP\Accounts\IAccountManager; +use OCP\Accounts\PropertyDoesNotExistException; +use OCP\AppFramework\Http; +use OCP\AppFramework\OCS\OCSException; +use OCP\AppFramework\OCS\OCSNotFoundException; +use OCP\AppFramework\OCSController; +use OCP\Files\FileInfo; +use OCP\Files\IRootFolder; +use OCP\Files\NotFoundException; +use OCP\Group\ISubAdmin; +use OCP\IConfig; +use OCP\IRequest; +use OCP\IUser; +use OCP\IUserManager; +use OCP\IUserSession; +use OCP\L10N\IFactory; +use OCP\Server; +use OCP\User\Backend\ISetDisplayNameBackend; +use OCP\User\Backend\ISetPasswordBackend; +use OCP\Util; + +/** + * @psalm-import-type Provisioning_APIUserDetails from ResponseDefinitions + * @psalm-import-type Provisioning_APIUserDetailsQuota from ResponseDefinitions + */ +abstract class AUserDataOCSController extends OCSController { + public const SCOPE_SUFFIX = 'Scope'; + + public const USER_FIELD_DISPLAYNAME = 'display'; + public const USER_FIELD_LANGUAGE = 'language'; + public const USER_FIELD_LOCALE = 'locale'; + public const USER_FIELD_FIRST_DAY_OF_WEEK = 'first_day_of_week'; + public const USER_FIELD_PASSWORD = 'password'; + public const USER_FIELD_QUOTA = 'quota'; + public const USER_FIELD_MANAGER = 'manager'; + public const USER_FIELD_NOTIFICATION_EMAIL = 'notify_email'; + + public function __construct( + string $appName, + IRequest $request, + protected IUserManager $userManager, + protected IConfig $config, + protected GroupManager $groupManager, + protected IUserSession $userSession, + protected IAccountManager $accountManager, + protected ISubAdmin $subAdminManager, + protected IFactory $l10nFactory, + protected IRootFolder $rootFolder, + ) { + parent::__construct($appName, $request); + } + + /** + * creates a array with all user data + * + * @param string $userId + * @param bool $includeScopes + * @return Provisioning_APIUserDetails|null + * @throws NotFoundException + * @throws OCSException + * @throws OCSNotFoundException + */ + protected function getUserData(string $userId, bool $includeScopes = false): ?array { + $currentLoggedInUser = $this->userSession->getUser(); + assert($currentLoggedInUser !== null, 'No user logged in'); + + $data = []; + + // Check if the target user exists + $targetUserObject = $this->userManager->get($userId); + if ($targetUserObject === null) { + throw new OCSNotFoundException('User does not exist'); + } + + $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()); + if ($isAdmin + || $isDelegatedAdmin + || $this->groupManager->getSubAdmin()->isUserAccessible($currentLoggedInUser, $targetUserObject)) { + $data['enabled'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'enabled', 'true') === 'true'; + } else { + // Check they are looking up themselves + if ($currentLoggedInUser->getUID() !== $targetUserObject->getUID()) { + return null; + } + } + + // Get groups data + $userAccount = $this->accountManager->getAccount($targetUserObject); + $groups = $this->groupManager->getUserGroups($targetUserObject); + $gids = []; + foreach ($groups as $group) { + $gids[] = $group->getGID(); + } + + if ($isAdmin || $isDelegatedAdmin) { + try { + # might be thrown by LDAP due to handling of users disappears + # from the external source (reasons unknown to us) + # cf. https://github.com/nextcloud/server/issues/12991 + $data['storageLocation'] = $targetUserObject->getHome(); + } catch (NoUserException $e) { + throw new OCSNotFoundException($e->getMessage(), $e); + } + } + + // Find the data + $data['id'] = $targetUserObject->getUID(); + $data['firstLoginTimestamp'] = $targetUserObject->getFirstLogin(); + $data['lastLoginTimestamp'] = $targetUserObject->getLastLogin(); + $data['lastLogin'] = $targetUserObject->getLastLogin() * 1000; + $data['backend'] = $targetUserObject->getBackendClassName(); + $data['subadmin'] = $this->getUserSubAdminGroupsData($targetUserObject->getUID()); + $data[self::USER_FIELD_QUOTA] = $this->fillStorageInfo($targetUserObject); + $managers = $this->getManagers($targetUserObject); + $data[self::USER_FIELD_MANAGER] = empty($managers) ? '' : $managers[0]; + + try { + if ($includeScopes) { + $data[IAccountManager::PROPERTY_AVATAR . self::SCOPE_SUFFIX] = $userAccount->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope(); + } + + $data[IAccountManager::PROPERTY_EMAIL] = $targetUserObject->getSystemEMailAddress(); + if ($includeScopes) { + $data[IAccountManager::PROPERTY_EMAIL . self::SCOPE_SUFFIX] = $userAccount->getProperty(IAccountManager::PROPERTY_EMAIL)->getScope(); + } + + $additionalEmails = $additionalEmailScopes = []; + $emailCollection = $userAccount->getPropertyCollection(IAccountManager::COLLECTION_EMAIL); + foreach ($emailCollection->getProperties() as $property) { + $email = mb_strtolower(trim($property->getValue())); + $additionalEmails[] = $email; + if ($includeScopes) { + $additionalEmailScopes[] = $property->getScope(); + } + } + $data[IAccountManager::COLLECTION_EMAIL] = $additionalEmails; + if ($includeScopes) { + $data[IAccountManager::COLLECTION_EMAIL . self::SCOPE_SUFFIX] = $additionalEmailScopes; + } + + $data[IAccountManager::PROPERTY_DISPLAYNAME] = $targetUserObject->getDisplayName(); + $data[IAccountManager::PROPERTY_DISPLAYNAME_LEGACY] = $data[IAccountManager::PROPERTY_DISPLAYNAME]; + if ($includeScopes) { + $data[IAccountManager::PROPERTY_DISPLAYNAME . self::SCOPE_SUFFIX] = $userAccount->getProperty(IAccountManager::PROPERTY_DISPLAYNAME)->getScope(); + } + + foreach ([ + IAccountManager::PROPERTY_PHONE, + IAccountManager::PROPERTY_ADDRESS, + IAccountManager::PROPERTY_WEBSITE, + IAccountManager::PROPERTY_TWITTER, + IAccountManager::PROPERTY_BLUESKY, + IAccountManager::PROPERTY_FEDIVERSE, + IAccountManager::PROPERTY_ORGANISATION, + IAccountManager::PROPERTY_ROLE, + IAccountManager::PROPERTY_HEADLINE, + IAccountManager::PROPERTY_BIOGRAPHY, + IAccountManager::PROPERTY_PROFILE_ENABLED, + IAccountManager::PROPERTY_PRONOUNS, + ] as $propertyName) { + $property = $userAccount->getProperty($propertyName); + $data[$propertyName] = $property->getValue(); + if ($includeScopes) { + $data[$propertyName . self::SCOPE_SUFFIX] = $property->getScope(); + } + } + } catch (PropertyDoesNotExistException $e) { + // hard coded properties should exist + throw new OCSException($e->getMessage(), Http::STATUS_INTERNAL_SERVER_ERROR, $e); + } + + $data['groups'] = $gids; + $data[self::USER_FIELD_LANGUAGE] = $this->l10nFactory->getUserLanguage($targetUserObject); + $data[self::USER_FIELD_LOCALE] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'locale'); + $data[self::USER_FIELD_NOTIFICATION_EMAIL] = $targetUserObject->getPrimaryEMailAddress(); + + $backend = $targetUserObject->getBackend(); + $data['backendCapabilities'] = [ + 'setDisplayName' => $backend instanceof ISetDisplayNameBackend || $backend->implementsActions(Backend::SET_DISPLAYNAME), + 'setPassword' => $backend instanceof ISetPasswordBackend || $backend->implementsActions(Backend::SET_PASSWORD), + ]; + + return $data; + } + + /** + * @return string[] + */ + protected function getManagers(IUser $user): array { + $currentLoggedInUser = $this->userSession->getUser(); + + $managerUids = $user->getManagerUids(); + if ($this->groupManager->isAdmin($currentLoggedInUser->getUID()) || $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID())) { + return $managerUids; + } + + if ($this->subAdminManager->isSubAdmin($currentLoggedInUser)) { + $accessibleManagerUids = array_values(array_filter( + $managerUids, + function (string $managerUid) use ($currentLoggedInUser) { + $manager = $this->userManager->get($managerUid); + if (!($manager instanceof IUser)) { + return false; + } + return $this->subAdminManager->isUserAccessible($currentLoggedInUser, $manager); + }, + )); + return $accessibleManagerUids; + } + + return []; + } + + /** + * Get the groups a user is a subadmin of + * + * @param string $userId + * @return list<string> + * @throws OCSException + */ + protected function getUserSubAdminGroupsData(string $userId): array { + $user = $this->userManager->get($userId); + // Check if the user exists + if ($user === null) { + throw new OCSNotFoundException('User does not exist'); + } + + // Get the subadmin groups + $subAdminGroups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($user); + $groups = []; + foreach ($subAdminGroups as $key => $group) { + $groups[] = $group->getGID(); + } + + return $groups; + } + + /** + * @param IUser $user + * @return Provisioning_APIUserDetailsQuota + * @throws OCSException + */ + protected function fillStorageInfo(IUser $user): array { + $includeExternal = $this->config->getSystemValueBool('quota_include_external_storage'); + $userId = $user->getUID(); + + $quota = $user->getQuota(); + if ($quota === 'none') { + $quota = FileInfo::SPACE_UNLIMITED; + } else { + $quota = Util::computerFileSize($quota); + if ($quota === false) { + $quota = FileInfo::SPACE_UNLIMITED; + } + } + + try { + if ($includeExternal) { + \OC_Util::tearDownFS(); + \OC_Util::setupFS($user->getUID()); + $storage = \OC_Helper::getStorageInfo('/', null, true, false); + $data = [ + 'free' => $storage['free'], + 'used' => $storage['used'], + 'total' => $storage['total'], + 'relative' => $storage['relative'], + self::USER_FIELD_QUOTA => $storage['quota'], + ]; + } else { + $userFileInfo = $this->rootFolder->getUserFolder($userId)->getStorage()->getCache()->get(''); + $used = $userFileInfo->getSize(); + + if ($quota > 0) { + // prevent division by zero or error codes (negative values) + $relative = round(($used / $quota) * 10000) / 100; + $free = $quota - $used; + $total = $quota; + } else { + $relative = 0; + $free = FileInfo::SPACE_UNLIMITED; + $total = FileInfo::SPACE_UNLIMITED; + } + + $data = [ + 'free' => $free, + 'used' => $used, + 'total' => $total, + 'relative' => $relative, + self::USER_FIELD_QUOTA => $quota, + ]; + } + } catch (NotFoundException $ex) { + $data = [ + self::USER_FIELD_QUOTA => $quota >= 0 ? $quota : 'none', + 'used' => 0 + ]; + } catch (\Exception $e) { + Server::get(\Psr\Log\LoggerInterface::class)->error( + 'Could not load storage info for {user}', + [ + 'app' => 'provisioning_api', + 'user' => $userId, + 'exception' => $e, + ] + ); + return []; + } + return $data; + } +} diff --git a/apps/provisioning_api/lib/Controller/AppConfigController.php b/apps/provisioning_api/lib/Controller/AppConfigController.php index b8a8cb4109f..d8af1f38d95 100644 --- a/apps/provisioning_api/lib/Controller/AppConfigController.php +++ b/apps/provisioning_api/lib/Controller/AppConfigController.php @@ -3,62 +3,50 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com> - * - * @author Joas Schilling <coding@schilljs.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\Provisioning_API\Controller; +use OC\AppConfig; +use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException; +use OCP\App\IAppManager; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCSController; +use OCP\Exceptions\AppConfigUnknownKeyException; use OCP\IAppConfig; -use OCP\IConfig; +use OCP\IGroupManager; +use OCP\IL10N; use OCP\IRequest; +use OCP\IUser; +use OCP\IUserSession; +use OCP\Settings\IDelegatedSettings; +use OCP\Settings\IManager; class AppConfigController extends OCSController { - - /** @var IConfig */ - protected $config; - - /** @var IAppConfig */ - protected $appConfig; - - /** - * @param string $appName - * @param IRequest $request - * @param IConfig $config - * @param IAppConfig $appConfig - */ - public function __construct(string $appName, - IRequest $request, - IConfig $config, - IAppConfig $appConfig) { + public function __construct( + string $appName, + IRequest $request, + /** @var AppConfig */ + private IAppConfig $appConfig, + private IUserSession $userSession, + private IL10N $l10n, + private IGroupManager $groupManager, + private IManager $settingManager, + private IAppManager $appManager, + ) { parent::__construct($appName, $request); - $this->config = $config; - $this->appConfig = $appConfig; } /** - * @return DataResponse + * Get a list of apps + * + * @return DataResponse<Http::STATUS_OK, array{data: list<string>}, array{}> + * + * 200: Apps returned */ public function getApps(): DataResponse { return new DataResponse([ @@ -67,8 +55,13 @@ class AppConfigController extends OCSController { } /** - * @param string $app - * @return DataResponse + * Get the config keys of an app + * + * @param string $app ID of the app + * @return DataResponse<Http::STATUS_OK, array{data: list<string>}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}> + * + * 200: Keys returned + * 403: App is not allowed */ public function getKeys(string $app): DataResponse { try { @@ -77,15 +70,20 @@ class AppConfigController extends OCSController { return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN); } return new DataResponse([ - 'data' => $this->config->getAppKeys($app), + 'data' => $this->appConfig->getKeys($app), ]); } /** - * @param string $app - * @param string $key - * @param string $defaultValue - * @return DataResponse + * Get a the config value of an app + * + * @param string $app ID of the app + * @param string $key Key + * @param string $defaultValue Default returned value if the value is empty + * @return DataResponse<Http::STATUS_OK, array{data: string}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}> + * + * 200: Value returned + * 403: App is not allowed */ public function getValue(string $app, string $key, string $defaultValue = ''): DataResponse { try { @@ -93,19 +91,37 @@ class AppConfigController extends OCSController { } catch (\InvalidArgumentException $e) { return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN); } - return new DataResponse([ - 'data' => $this->config->getAppValue($app, $key, $defaultValue), - ]); + + /** @psalm-suppress InternalMethod */ + $value = $this->appConfig->getValueMixed($app, $key, $defaultValue, null); + return new DataResponse(['data' => $value]); } /** - * @PasswordConfirmationRequired - * @param string $app - * @param string $key - * @param string $value - * @return DataResponse + * @NoSubAdminRequired + * + * Update the config value of an app + * + * @param string $app ID of the app + * @param string $key Key to update + * @param string $value New value for the key + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}> + * + * 200: Value updated successfully + * 403: App or key is not allowed */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] public function setValue(string $app, string $key, string $value): DataResponse { + $user = $this->userSession->getUser(); + if ($user === null) { + throw new \Exception('User is not logged in.'); // Should not happen, since method is guarded by middleware + } + + if (!$this->isAllowedToChangedKey($user, $app, $key)) { + throw new NotAdminException($this->l10n->t('Logged in account must be an administrator or have authorization to edit this setting.')); + } + try { $this->verifyAppId($app); $this->verifyConfigKey($app, $key, $value); @@ -113,16 +129,37 @@ class AppConfigController extends OCSController { return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN); } - $this->config->setAppValue($app, $key, $value); + $type = null; + try { + $configDetails = $this->appConfig->getDetails($app, $key); + $type = $configDetails['type']; + } catch (AppConfigUnknownKeyException) { + } + + /** @psalm-suppress InternalMethod */ + match ($type) { + IAppConfig::VALUE_BOOL => $this->appConfig->setValueBool($app, $key, (bool)$value), + IAppConfig::VALUE_FLOAT => $this->appConfig->setValueFloat($app, $key, (float)$value), + IAppConfig::VALUE_INT => $this->appConfig->setValueInt($app, $key, (int)$value), + IAppConfig::VALUE_STRING => $this->appConfig->setValueString($app, $key, $value), + IAppConfig::VALUE_ARRAY => $this->appConfig->setValueArray($app, $key, \json_decode($value, true)), + default => $this->appConfig->setValueMixed($app, $key, $value), + }; + return new DataResponse(); } /** - * @PasswordConfirmationRequired - * @param string $app - * @param string $key - * @return DataResponse + * Delete a config key of an app + * + * @param string $app ID of the app + * @param string $key Key to delete + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}> + * + * 200: Key deleted successfully + * 403: App or key is not allowed */ + #[PasswordConfirmationRequired] public function deleteKey(string $app, string $key): DataResponse { try { $this->verifyAppId($app); @@ -131,16 +168,15 @@ class AppConfigController extends OCSController { return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN); } - $this->config->deleteAppValue($app, $key); + $this->appConfig->deleteKey($app, $key); return new DataResponse(); } /** - * @param string $app * @throws \InvalidArgumentException */ - protected function verifyAppId(string $app) { - if (\OC_App::cleanAppId($app) !== $app) { + protected function verifyAppId(string $app): void { + if ($this->appManager->cleanAppId($app) !== $app) { throw new \InvalidArgumentException('Invalid app id given'); } } @@ -163,5 +199,38 @@ class AppConfigController extends OCSController { if ($app === 'core' && (strpos($key, 'public_') === 0 || strpos($key, 'remote_') === 0)) { throw new \InvalidArgumentException('The given key can not be set'); } + + if ($app === 'files' + && $key === 'default_quota' + && $value === 'none' + && $this->appConfig->getValueInt('files', 'allow_unlimited_quota', 1) === 0) { + throw new \InvalidArgumentException('The given key can not be set, unlimited quota is forbidden on this instance'); + } + } + + private function isAllowedToChangedKey(IUser $user, string $app, string $key): bool { + // Admin right verification + $isAdmin = $this->groupManager->isAdmin($user->getUID()); + if ($isAdmin) { + return true; + } + + $settings = $this->settingManager->getAllAllowedAdminSettings($user); + foreach ($settings as $setting) { + if (!($setting instanceof IDelegatedSettings)) { + continue; + } + $allowedKeys = $setting->getAuthorizedAppConfig(); + if (!array_key_exists($app, $allowedKeys)) { + continue; + } + foreach ($allowedKeys[$app] as $regex) { + if ($regex === $key + || (str_starts_with($regex, '/') && preg_match($regex, $key) === 1)) { + return true; + } + } + } + return false; } } diff --git a/apps/provisioning_api/lib/Controller/AppsController.php b/apps/provisioning_api/lib/Controller/AppsController.php index e7383fd355b..3f6cff7442a 100644 --- a/apps/provisioning_api/lib/Controller/AppsController.php +++ b/apps/provisioning_api/lib/Controller/AppsController.php @@ -1,69 +1,60 @@ <?php declare(strict_types=1); - /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Tom Needham <tom@owncloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\Provisioning_API\Controller; +use OC\App\AppStore\AppNotFoundException; +use OC\Installer; use OC_App; use OCP\App\AppPathNotFoundException; use OCP\App\IAppManager; +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCS\OCSException; use OCP\AppFramework\OCSController; +use OCP\IAppConfig; use OCP\IRequest; class AppsController extends OCSController { - /** @var \OCP\App\IAppManager */ - private $appManager; - - /** - * @param string $appName - * @param IRequest $request - * @param IAppManager $appManager - */ public function __construct( string $appName, IRequest $request, - IAppManager $appManager + private IAppManager $appManager, + private Installer $installer, + private IAppConfig $appConfig, ) { parent::__construct($appName, $request); + } - $this->appManager = $appManager; + /** + * @throws \InvalidArgumentException + */ + protected function verifyAppId(string $app): string { + $cleanId = $this->appManager->cleanAppId($app); + if ($cleanId !== $app) { + throw new \InvalidArgumentException('Invalid app id given'); + } + return $cleanId; } /** - * @param string $filter - * @return DataResponse + * Get a list of installed apps + * + * @param ?string $filter Filter for enabled or disabled apps + * @return DataResponse<Http::STATUS_OK, array{apps: list<string>}, array{}> * @throws OCSException + * + * 200: Installed apps returned */ - public function getApps(string $filter = null): DataResponse { + public function getApps(?string $filter = null): DataResponse { $apps = (new OC_App())->listAllApps(); + /** @var list<string> $list */ $list = []; foreach ($apps as $app) { $list[] = $app['id']; @@ -75,7 +66,7 @@ class AppsController extends OCSController { break; case 'disabled': $enabled = OC_App::getEnabledApps(); - return new DataResponse(['apps' => array_diff($list, $enabled)]); + return new DataResponse(['apps' => array_values(array_diff($list, $enabled))]); break; default: // Invalid filter variable @@ -87,41 +78,76 @@ class AppsController extends OCSController { } /** - * @param string $app - * @return DataResponse + * Get the app info for an app + * + * @param string $app ID of the app + * @return DataResponse<Http::STATUS_OK, array<string, ?mixed>, array{}> * @throws OCSException + * + * 200: App info returned */ public function getAppInfo(string $app): DataResponse { - $info = \OCP\App::getAppInfo($app); + try { + $app = $this->verifyAppId($app); + } catch (\InvalidArgumentException $e) { + throw new OCSException($e->getMessage(), OCSController::RESPOND_UNAUTHORISED); + } + $info = $this->appManager->getAppInfo($app); if (!is_null($info)) { - return new DataResponse(OC_App::getAppInfo($app)); + return new DataResponse($info); } - throw new OCSException('The request app was not found', \OCP\API::RESPOND_NOT_FOUND); + throw new OCSException('The request app was not found', OCSController::RESPOND_NOT_FOUND); } /** - * @PasswordConfirmationRequired - * @param string $app - * @return DataResponse + * Enable an app + * + * @param string $app ID of the app + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: App enabled successfully */ + #[PasswordConfirmationRequired] public function enable(string $app): DataResponse { try { + $app = $this->verifyAppId($app); + + if (!$this->installer->isDownloaded($app)) { + $this->installer->downloadApp($app); + } + + if ($this->appConfig->getValueString($app, 'installed_version', '') === '') { + $this->installer->installApp($app); + } + $this->appManager->enableApp($app); - } catch (AppPathNotFoundException $e) { - throw new OCSException('The request app was not found', \OCP\API::RESPOND_NOT_FOUND); + } catch (\InvalidArgumentException $e) { + throw new OCSException($e->getMessage(), OCSController::RESPOND_UNAUTHORISED); + } catch (AppPathNotFoundException|AppNotFoundException $e) { + throw new OCSException('The request app was not found', OCSController::RESPOND_NOT_FOUND); } return new DataResponse(); } /** - * @PasswordConfirmationRequired - * @param string $app - * @return DataResponse + * Disable an app + * + * @param string $app ID of the app + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> + * @throws OCSException + * + * 200: App disabled successfully */ + #[PasswordConfirmationRequired] public function disable(string $app): DataResponse { - $this->appManager->disableApp($app); + try { + $app = $this->verifyAppId($app); + $this->appManager->disableApp($app); + } catch (\InvalidArgumentException $e) { + throw new OCSException($e->getMessage(), OCSController::RESPOND_UNAUTHORISED); + } return new DataResponse(); } } diff --git a/apps/provisioning_api/lib/Controller/GroupsController.php b/apps/provisioning_api/lib/Controller/GroupsController.php index 0f37b63caa1..37af51419df 100644 --- a/apps/provisioning_api/lib/Controller/GroupsController.php +++ b/apps/provisioning_api/lib/Controller/GroupsController.php @@ -1,68 +1,57 @@ <?php declare(strict_types=1); - /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> - * @author Julius Härtl <jus@bitgrid.net> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Tom Needham <tom@owncloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\Provisioning_API\Controller; -use OC\Accounts\AccountManager; +use OCA\Provisioning_API\ResponseDefinitions; +use OCA\Settings\Settings\Admin\Sharing; +use OCA\Settings\Settings\Admin\Users; +use OCP\Accounts\IAccountManager; +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCS\OCSException; use OCP\AppFramework\OCS\OCSForbiddenException; use OCP\AppFramework\OCS\OCSNotFoundException; +use OCP\AppFramework\OCSController; +use OCP\Files\IRootFolder; +use OCP\Group\ISubAdmin; use OCP\IConfig; use OCP\IGroup; use OCP\IGroupManager; -use OCP\ILogger; use OCP\IRequest; use OCP\IUser; use OCP\IUserManager; use OCP\IUserSession; use OCP\L10N\IFactory; +use Psr\Log\LoggerInterface; -class GroupsController extends AUserData { - - /** @var ILogger */ - private $logger; - - public function __construct(string $appName, - IRequest $request, - IUserManager $userManager, - IConfig $config, - IGroupManager $groupManager, - IUserSession $userSession, - AccountManager $accountManager, - IFactory $l10nFactory, - ILogger $logger) { +/** + * @psalm-import-type Provisioning_APIGroupDetails from ResponseDefinitions + * @psalm-import-type Provisioning_APIUserDetails from ResponseDefinitions + */ +class GroupsController extends AUserDataOCSController { + + public function __construct( + string $appName, + IRequest $request, + IUserManager $userManager, + IConfig $config, + IGroupManager $groupManager, + IUserSession $userSession, + IAccountManager $accountManager, + ISubAdmin $subAdminManager, + IFactory $l10nFactory, + IRootFolder $rootFolder, + private LoggerInterface $logger, + ) { parent::__construct($appName, $request, $userManager, @@ -70,45 +59,49 @@ class GroupsController extends AUserData { $groupManager, $userSession, $accountManager, - $l10nFactory + $subAdminManager, + $l10nFactory, + $rootFolder, ); - - $this->logger = $logger; } /** - * returns a list of groups + * Get a list of groups * - * @NoAdminRequired + * @param string $search Text to search for + * @param ?int $limit Limit the amount of groups returned + * @param int $offset Offset for searching for groups + * @return DataResponse<Http::STATUS_OK, array{groups: list<string>}, array{}> * - * @param string $search - * @param int $limit - * @param int $offset - * @return DataResponse + * 200: Groups returned */ - public function getGroups(string $search = '', int $limit = null, int $offset = 0): DataResponse { + #[NoAdminRequired] + public function getGroups(string $search = '', ?int $limit = null, int $offset = 0): DataResponse { $groups = $this->groupManager->search($search, $limit, $offset); - $groups = array_map(function ($group) { + $groups = array_values(array_map(function ($group) { /** @var IGroup $group */ return $group->getGID(); - }, $groups); + }, $groups)); return new DataResponse(['groups' => $groups]); } /** - * returns a list of groups details with ids and displaynames + * Get a list of groups details * - * @NoAdminRequired + * @param string $search Text to search for + * @param ?int $limit Limit the amount of groups returned + * @param int $offset Offset for searching for groups + * @return DataResponse<Http::STATUS_OK, array{groups: list<Provisioning_APIGroupDetails>}, array{}> * - * @param string $search - * @param int $limit - * @param int $offset - * @return DataResponse + * 200: Groups details returned */ - public function getGroupsDetails(string $search = '', int $limit = null, int $offset = 0): DataResponse { + #[NoAdminRequired] + #[AuthorizedAdminSetting(settings: Sharing::class)] + #[AuthorizedAdminSetting(settings: Users::class)] + public function getGroupsDetails(string $search = '', ?int $limit = null, int $offset = 0): DataResponse { $groups = $this->groupManager->search($search, $limit, $offset); - $groups = array_map(function ($group) { + $groups = array_values(array_map(function ($group) { /** @var IGroup $group */ return [ 'id' => $group->getGID(), @@ -118,33 +111,39 @@ class GroupsController extends AUserData { 'canAdd' => $group->canAddUser(), 'canRemove' => $group->canRemoveUser(), ]; - }, $groups); + }, $groups)); return new DataResponse(['groups' => $groups]); } /** - * @NoAdminRequired + * Get a list of users in the specified group * - * @param string $groupId - * @return DataResponse + * @param string $groupId ID of the group + * @return DataResponse<Http::STATUS_OK, array{users: list<string>}, array{}> * @throws OCSException * * @deprecated 14 Use getGroupUsers + * + * 200: Group users returned */ + #[NoAdminRequired] public function getGroup(string $groupId): DataResponse { return $this->getGroupUsers($groupId); } /** - * returns an array of users in the specified group + * Get a list of users in the specified group * - * @NoAdminRequired - * - * @param string $groupId - * @return DataResponse + * @param string $groupId ID of the group + * @return DataResponse<Http::STATUS_OK, array{users: list<string>}, array{}> * @throws OCSException + * @throws OCSNotFoundException Group not found + * @throws OCSForbiddenException Missing permissions to get users in the group + * + * 200: User IDs returned */ + #[NoAdminRequired] public function getGroupUsers(string $groupId): DataResponse { $groupId = urldecode($groupId); @@ -160,13 +159,15 @@ class GroupsController extends AUserData { } // Check subadmin has access to this group - if ($this->groupManager->isAdmin($user->getUID()) - || $isSubadminOfGroup) { + $isAdmin = $this->groupManager->isAdmin($user->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($user->getUID()); + if ($isAdmin || $isDelegatedAdmin || $isSubadminOfGroup) { $users = $this->groupManager->get($groupId)->getUsers(); $users = array_map(function ($user) { /** @var IUser $user */ return $user->getUID(); }, $users); + /** @var list<string> $users */ $users = array_values($users); return new DataResponse(['users' => $users]); } @@ -175,18 +176,20 @@ class GroupsController extends AUserData { } /** - * returns an array of users details in the specified group + * Get a list of users details in the specified group * - * @NoAdminRequired + * @param string $groupId ID of the group + * @param string $search Text to search for + * @param int|null $limit Limit the amount of groups returned + * @param int $offset Offset for searching for groups * - * @param string $groupId - * @param string $search - * @param int $limit - * @param int $offset - * @return DataResponse + * @return DataResponse<Http::STATUS_OK, array{users: array<string, Provisioning_APIUserDetails|array{id: string}>}, array{}> * @throws OCSException + * + * 200: Group users details returned */ - public function getGroupUsersDetails(string $groupId, string $search = '', int $limit = null, int $offset = 0): DataResponse { + #[NoAdminRequired] + public function getGroupUsersDetails(string $groupId, string $search = '', ?int $limit = null, int $offset = 0): DataResponse { $groupId = urldecode($groupId); $currentUser = $this->userSession->getUser(); @@ -195,11 +198,13 @@ class GroupsController extends AUserData { if ($group !== null) { $isSubadminOfGroup = $this->groupManager->getSubAdmin()->isSubAdminOfGroup($currentUser, $group); } else { - throw new OCSException('The requested group could not be found', \OCP\API::RESPOND_NOT_FOUND); + throw new OCSException('The requested group could not be found', OCSController::RESPOND_NOT_FOUND); } // Check subadmin has access to this group - if ($this->groupManager->isAdmin($currentUser->getUID()) || $isSubadminOfGroup) { + $isAdmin = $this->groupManager->isAdmin($currentUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentUser->getUID()); + if ($isAdmin || $isDelegatedAdmin || $isSubadminOfGroup) { $users = $group->searchUsers($search, $limit, $offset); // Extract required number @@ -210,7 +215,7 @@ class GroupsController extends AUserData { $userId = (string)$user->getUID(); $userData = $this->getUserData($userId); // Do not insert empty entry - if (!empty($userData)) { + if ($userData !== null) { $usersDetails[$userId] = $userData; } else { // Logged user does not have permissions to see this user @@ -224,19 +229,22 @@ class GroupsController extends AUserData { return new DataResponse(['users' => $usersDetails]); } - throw new OCSException('User does not have access to specified group', \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException('The requested group could not be found', OCSController::RESPOND_NOT_FOUND); } /** - * creates a new group - * - * @PasswordConfirmationRequired + * Create a new group * - * @param string $groupid - * @return DataResponse + * @param string $groupid ID of the group + * @param string $displayname Display name of the group + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: Group created successfully */ - public function addGroup(string $groupid): DataResponse { + #[AuthorizedAdminSetting(settings:Users::class)] + #[PasswordConfirmationRequired] + public function addGroup(string $groupid, string $displayname = ''): DataResponse { // Validate name if (empty($groupid)) { $this->logger->error('Group name not supplied', ['app' => 'provisioning_api']); @@ -246,41 +254,58 @@ class GroupsController extends AUserData { if ($this->groupManager->groupExists($groupid)) { throw new OCSException('group exists', 102); } - $this->groupManager->createGroup($groupid); + $group = $this->groupManager->createGroup($groupid); + if ($group === null) { + throw new OCSException('Not supported by backend', 103); + } + if ($displayname !== '') { + $group->setDisplayName($displayname); + } return new DataResponse(); } /** - * @PasswordConfirmationRequired + * Update a group * - * @param string $groupId - * @param string $key - * @param string $value - * @return DataResponse + * @param string $groupId ID of the group + * @param string $key Key to update, only 'displayname' + * @param string $value New value for the key + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: Group updated successfully */ + #[AuthorizedAdminSetting(settings:Users::class)] + #[PasswordConfirmationRequired] public function updateGroup(string $groupId, string $key, string $value): DataResponse { $groupId = urldecode($groupId); if ($key === 'displayname') { $group = $this->groupManager->get($groupId); + if ($group === null) { + throw new OCSException('Group does not exist', OCSController::RESPOND_NOT_FOUND); + } if ($group->setDisplayName($value)) { return new DataResponse(); } throw new OCSException('Not supported by backend', 101); } else { - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_UNKNOWN_ERROR); } } /** - * @PasswordConfirmationRequired + * Delete a group * - * @param string $groupId - * @return DataResponse + * @param string $groupId ID of the group + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: Group deleted successfully */ + #[AuthorizedAdminSetting(settings:Users::class)] + #[PasswordConfirmationRequired] public function deleteGroup(string $groupId): DataResponse { $groupId = urldecode($groupId); @@ -296,10 +321,15 @@ class GroupsController extends AUserData { } /** - * @param string $groupId - * @return DataResponse + * Get the list of user IDs that are a subadmin of the group + * + * @param string $groupId ID of the group + * @return DataResponse<Http::STATUS_OK, list<string>, array{}> * @throws OCSException + * + * 200: Sub admins returned */ + #[AuthorizedAdminSetting(settings:Users::class)] public function getSubAdminsOfGroup(string $groupId): DataResponse { // Check group exists $targetGroup = $this->groupManager->get($groupId); @@ -310,6 +340,7 @@ class GroupsController extends AUserData { /** @var IUser[] $subadmins */ $subadmins = $this->groupManager->getSubAdmin()->getGroupsSubAdmins($targetGroup); // New class returns IUser[] so convert back + /** @var list<string> $uids */ $uids = []; foreach ($subadmins as $user) { $uids[] = $user->getUID(); diff --git a/apps/provisioning_api/lib/Controller/PreferencesController.php b/apps/provisioning_api/lib/Controller/PreferencesController.php new file mode 100644 index 00000000000..8ae64e65b81 --- /dev/null +++ b/apps/provisioning_api/lib/Controller/PreferencesController.php @@ -0,0 +1,201 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Provisioning_API\Controller; + +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\DataResponse; +use OCP\AppFramework\OCSController; +use OCP\Config\BeforePreferenceDeletedEvent; +use OCP\Config\BeforePreferenceSetEvent; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\IConfig; +use OCP\IRequest; +use OCP\IUserSession; + +class PreferencesController extends OCSController { + + public function __construct( + string $appName, + IRequest $request, + private IConfig $config, + private IUserSession $userSession, + private IEventDispatcher $eventDispatcher, + ) { + parent::__construct($appName, $request); + } + + /** + * @NoSubAdminRequired + * + * Update multiple preference values of an app + * + * @param string $appId ID of the app + * @param array<string, string> $configs Key-value pairs of the preferences + * + * @return DataResponse<Http::STATUS_OK|Http::STATUS_BAD_REQUEST, list<empty>, array{}> + * + * 200: Preferences updated successfully + * 400: Preference invalid + */ + #[NoAdminRequired] + public function setMultiplePreferences(string $appId, array $configs): DataResponse { + $userId = $this->userSession->getUser()->getUID(); + + foreach ($configs as $configKey => $configValue) { + $event = new BeforePreferenceSetEvent( + $userId, + $appId, + $configKey, + $configValue + ); + + $this->eventDispatcher->dispatchTyped($event); + + if (!$event->isValid()) { + // No listener validated that the preference can be set (to this value) + return new DataResponse([], Http::STATUS_BAD_REQUEST); + } + } + + foreach ($configs as $configKey => $configValue) { + $this->config->setUserValue( + $userId, + $appId, + $configKey, + $configValue + ); + } + + return new DataResponse(); + } + + /** + * @NoSubAdminRequired + * + * Update a preference value of an app + * + * @param string $appId ID of the app + * @param string $configKey Key of the preference + * @param string $configValue New value + * @return DataResponse<Http::STATUS_OK|Http::STATUS_BAD_REQUEST, list<empty>, array{}> + * + * 200: Preference updated successfully + * 400: Preference invalid + */ + #[NoAdminRequired] + public function setPreference(string $appId, string $configKey, string $configValue): DataResponse { + $userId = $this->userSession->getUser()->getUID(); + + $event = new BeforePreferenceSetEvent( + $userId, + $appId, + $configKey, + $configValue + ); + + $this->eventDispatcher->dispatchTyped($event); + + if (!$event->isValid()) { + // No listener validated that the preference can be set (to this value) + return new DataResponse([], Http::STATUS_BAD_REQUEST); + } + + $this->config->setUserValue( + $userId, + $appId, + $configKey, + $configValue + ); + + return new DataResponse(); + } + + /** + * @NoSubAdminRequired + * + * Delete multiple preferences for an app + * + * @param string $appId ID of the app + * @param list<string> $configKeys Keys to delete + * + * @return DataResponse<Http::STATUS_OK|Http::STATUS_BAD_REQUEST, list<empty>, array{}> + * + * 200: Preferences deleted successfully + * 400: Preference invalid + */ + #[NoAdminRequired] + public function deleteMultiplePreference(string $appId, array $configKeys): DataResponse { + $userId = $this->userSession->getUser()->getUID(); + + foreach ($configKeys as $configKey) { + $event = new BeforePreferenceDeletedEvent( + $userId, + $appId, + $configKey + ); + + $this->eventDispatcher->dispatchTyped($event); + + if (!$event->isValid()) { + // No listener validated that the preference can be deleted + return new DataResponse([], Http::STATUS_BAD_REQUEST); + } + } + + foreach ($configKeys as $configKey) { + $this->config->deleteUserValue( + $userId, + $appId, + $configKey + ); + } + + return new DataResponse(); + } + + /** + * @NoSubAdminRequired + * + * Delete a preference for an app + * + * @param string $appId ID of the app + * @param string $configKey Key to delete + * @return DataResponse<Http::STATUS_OK|Http::STATUS_BAD_REQUEST, list<empty>, array{}> + * + * 200: Preference deleted successfully + * 400: Preference invalid + */ + #[NoAdminRequired] + public function deletePreference(string $appId, string $configKey): DataResponse { + $userId = $this->userSession->getUser()->getUID(); + + $event = new BeforePreferenceDeletedEvent( + $userId, + $appId, + $configKey + ); + + $this->eventDispatcher->dispatchTyped($event); + + if (!$event->isValid()) { + // No listener validated that the preference can be deleted + return new DataResponse([], Http::STATUS_BAD_REQUEST); + } + + $this->config->deleteUserValue( + $userId, + $appId, + $configKey + ); + + return new DataResponse(); + } +} diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php index 34c0135485f..513a27c7df8 100644 --- a/apps/provisioning_api/lib/Controller/UsersController.php +++ b/apps/provisioning_api/lib/Controller/UsersController.php @@ -3,149 +3,122 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Calviño Sánchez <danxuliu@gmail.com> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Joas Schilling <coding@schilljs.com> - * @author John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> - * @author Julius Härtl <jus@bitgrid.net> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author michag86 <micha_g@arcor.de> - * @author Mikael Hammarin <mikael@try2.se> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Sujith Haridasan <sujith.h@gmail.com> - * @author Thomas Citharel <nextcloud@tcit.fr> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Tom Needham <tom@owncloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Provisioning_API\Controller; -use libphonenumber\NumberParseException; -use libphonenumber\PhoneNumber; -use libphonenumber\PhoneNumberFormat; -use libphonenumber\PhoneNumberUtil; -use OC\Accounts\AccountManager; +use InvalidArgumentException; use OC\Authentication\Token\RemoteWipe; -use OC\HintException; -use OCA\Provisioning_API\FederatedShareProviderFactory; +use OC\Group\Group; +use OC\KnownUser\KnownUserService; +use OC\User\Backend; +use OCA\Provisioning_API\ResponseDefinitions; use OCA\Settings\Mailer\NewUserMailHelper; +use OCA\Settings\Settings\Admin\Users; use OCP\Accounts\IAccountManager; +use OCP\Accounts\IAccountProperty; +use OCP\Accounts\PropertyDoesNotExistException; use OCP\App\IAppManager; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired; +use OCP\AppFramework\Http\Attribute\UserRateLimit; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCS\OCSException; use OCP\AppFramework\OCS\OCSForbiddenException; +use OCP\AppFramework\OCS\OCSNotFoundException; +use OCP\AppFramework\OCSController; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\Files\IRootFolder; +use OCP\Group\ISubAdmin; +use OCP\HintException; use OCP\IConfig; use OCP\IGroup; use OCP\IGroupManager; -use OCP\ILogger; +use OCP\IL10N; +use OCP\IPhoneNumberUtil; use OCP\IRequest; use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; use OCP\IUserSession; use OCP\L10N\IFactory; -use OCP\Security\ISecureRandom; use OCP\Security\Events\GenerateSecurePasswordEvent; -use OCP\EventDispatcher\IEventDispatcher; +use OCP\Security\ISecureRandom; +use OCP\User\Backend\ISetDisplayNameBackend; +use OCP\Util; +use Psr\Log\LoggerInterface; -class UsersController extends AUserData { - - /** @var IAppManager */ - private $appManager; - /** @var IURLGenerator */ - protected $urlGenerator; - /** @var ILogger */ - private $logger; - /** @var IFactory */ - protected $l10nFactory; - /** @var NewUserMailHelper */ - private $newUserMailHelper; - /** @var FederatedShareProviderFactory */ - private $federatedShareProviderFactory; - /** @var ISecureRandom */ - private $secureRandom; - /** @var RemoteWipe */ - private $remoteWipe; - /** @var IEventDispatcher */ - private $eventDispatcher; - - public function __construct(string $appName, - IRequest $request, - IUserManager $userManager, - IConfig $config, - IAppManager $appManager, - IGroupManager $groupManager, - IUserSession $userSession, - AccountManager $accountManager, - IURLGenerator $urlGenerator, - ILogger $logger, - IFactory $l10nFactory, - NewUserMailHelper $newUserMailHelper, - FederatedShareProviderFactory $federatedShareProviderFactory, - ISecureRandom $secureRandom, - RemoteWipe $remoteWipe, - IEventDispatcher $eventDispatcher) { - parent::__construct($appName, - $request, - $userManager, - $config, - $groupManager, - $userSession, - $accountManager, - $l10nFactory); - - $this->appManager = $appManager; - $this->urlGenerator = $urlGenerator; - $this->logger = $logger; - $this->l10nFactory = $l10nFactory; - $this->newUserMailHelper = $newUserMailHelper; - $this->federatedShareProviderFactory = $federatedShareProviderFactory; - $this->secureRandom = $secureRandom; - $this->remoteWipe = $remoteWipe; - $this->eventDispatcher = $eventDispatcher; +/** + * @psalm-import-type Provisioning_APIGroupDetails from ResponseDefinitions + * @psalm-import-type Provisioning_APIUserDetails from ResponseDefinitions + */ +class UsersController extends AUserDataOCSController { + + private IL10N $l10n; + + public function __construct( + string $appName, + IRequest $request, + IUserManager $userManager, + IConfig $config, + IGroupManager $groupManager, + IUserSession $userSession, + IAccountManager $accountManager, + ISubAdmin $subAdminManager, + IFactory $l10nFactory, + IRootFolder $rootFolder, + private IURLGenerator $urlGenerator, + private LoggerInterface $logger, + private NewUserMailHelper $newUserMailHelper, + private ISecureRandom $secureRandom, + private RemoteWipe $remoteWipe, + private KnownUserService $knownUserService, + private IEventDispatcher $eventDispatcher, + private IPhoneNumberUtil $phoneNumberUtil, + private IAppManager $appManager, + ) { + parent::__construct( + $appName, + $request, + $userManager, + $config, + $groupManager, + $userSession, + $accountManager, + $subAdminManager, + $l10nFactory, + $rootFolder, + ); + + $this->l10n = $l10nFactory->get($appName); } /** - * @NoAdminRequired + * Get a list of users * - * returns a list of users + * @param string $search Text to search for + * @param int|null $limit Limit the amount of groups returned + * @param int $offset Offset for searching for groups + * @return DataResponse<Http::STATUS_OK, array{users: list<string>}, array{}> * - * @param string $search - * @param int $limit - * @param int $offset - * @return DataResponse + * 200: Users returned */ - public function getUsers(string $search = '', int $limit = null, int $offset = 0): DataResponse { + #[NoAdminRequired] + public function getUsers(string $search = '', ?int $limit = null, int $offset = 0): DataResponse { $user = $this->userSession->getUser(); $users = []; // Admin? Or SubAdmin? $uid = $user->getUID(); $subAdminManager = $this->groupManager->getSubAdmin(); - if ($this->groupManager->isAdmin($uid)) { + $isAdmin = $this->groupManager->isAdmin($uid); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($uid); + if ($isAdmin || $isDelegatedAdmin) { $users = $this->userManager->search($search, $limit, $offset); } elseif ($subAdminManager->isSubAdmin($user)) { $subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user); @@ -159,6 +132,7 @@ class UsersController extends AUserData { } } + /** @var list<string> $users */ $users = array_keys($users); return new DataResponse([ @@ -167,18 +141,26 @@ class UsersController extends AUserData { } /** - * @NoAdminRequired + * Get a list of users and their details * - * returns a list of users and their data + * @param string $search Text to search for + * @param int|null $limit Limit the amount of groups returned + * @param int $offset Offset for searching for groups + * @return DataResponse<Http::STATUS_OK, array{users: array<string, Provisioning_APIUserDetails|array{id: string}>}, array{}> + * + * 200: Users details returned */ - public function getUsersDetails(string $search = '', int $limit = null, int $offset = 0): DataResponse { + #[NoAdminRequired] + public function getUsersDetails(string $search = '', ?int $limit = null, int $offset = 0): DataResponse { $currentUser = $this->userSession->getUser(); $users = []; // Admin? Or SubAdmin? $uid = $currentUser->getUID(); $subAdminManager = $this->groupManager->getSubAdmin(); - if ($this->groupManager->isAdmin($uid)) { + $isAdmin = $this->groupManager->isAdmin($uid); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($uid); + if ($isAdmin || $isDelegatedAdmin) { $users = $this->userManager->search($search, $limit, $offset); $users = array_keys($users); } elseif ($subAdminManager->isSubAdmin($currentUser)) { @@ -196,10 +178,17 @@ class UsersController extends AUserData { $usersDetails = []; foreach ($users as $userId) { - $userId = (string) $userId; - $userData = $this->getUserData($userId); + $userId = (string)$userId; + try { + $userData = $this->getUserData($userId); + } catch (OCSNotFoundException $e) { + // We still want to return all other accounts, but this one was removed from the backends + // yet they are still in our database. Might be a LDAP remnant. + $userData = null; + $this->logger->warning('Found one enabled account that is removed from its backend, but still exists in Nextcloud database', ['accountId' => $userId]); + } // Do not insert empty entry - if (!empty($userData)) { + if ($userData !== null) { $usersDetails[$userId] = $userData; } else { // Logged user does not have permissions to see this user @@ -213,33 +202,186 @@ class UsersController extends AUserData { ]); } + /** + * Get the list of disabled users and their details + * + * @param string $search Text to search for + * @param ?int $limit Limit the amount of users returned + * @param int $offset Offset + * @return DataResponse<Http::STATUS_OK, array{users: array<string, Provisioning_APIUserDetails|array{id: string}>}, array{}> + * + * 200: Disabled users details returned + */ + #[NoAdminRequired] + public function getDisabledUsersDetails(string $search = '', ?int $limit = null, int $offset = 0): DataResponse { + $currentUser = $this->userSession->getUser(); + if ($currentUser === null) { + return new DataResponse(['users' => []]); + } + if ($limit !== null && $limit < 0) { + throw new InvalidArgumentException("Invalid limit value: $limit"); + } + if ($offset < 0) { + throw new InvalidArgumentException("Invalid offset value: $offset"); + } + + $users = []; + + // Admin? Or SubAdmin? + $uid = $currentUser->getUID(); + $subAdminManager = $this->groupManager->getSubAdmin(); + $isAdmin = $this->groupManager->isAdmin($uid); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($uid); + if ($isAdmin || $isDelegatedAdmin) { + $users = $this->userManager->getDisabledUsers($limit, $offset, $search); + $users = array_map(fn (IUser $user): string => $user->getUID(), $users); + } elseif ($subAdminManager->isSubAdmin($currentUser)) { + $subAdminOfGroups = $subAdminManager->getSubAdminsGroups($currentUser); + + $users = []; + /* We have to handle offset ourselve for correctness */ + $tempLimit = ($limit === null ? null : $limit + $offset); + foreach ($subAdminOfGroups as $group) { + $users = array_unique(array_merge( + $users, + array_map( + fn (IUser $user): string => $user->getUID(), + array_filter( + $group->searchUsers($search), + fn (IUser $user): bool => !$user->isEnabled() + ) + ) + )); + if (($tempLimit !== null) && (count($users) >= $tempLimit)) { + break; + } + } + $users = array_slice($users, $offset, $limit); + } + + $usersDetails = []; + foreach ($users as $userId) { + try { + $userData = $this->getUserData($userId); + } catch (OCSNotFoundException $e) { + // We still want to return all other accounts, but this one was removed from the backends + // yet they are still in our database. Might be a LDAP remnant. + $userData = null; + $this->logger->warning('Found one disabled account that was removed from its backend, but still exists in Nextcloud database', ['accountId' => $userId]); + } + // Do not insert empty entry + if ($userData !== null) { + $usersDetails[$userId] = $userData; + } else { + // Currently logged in user does not have permissions to see this user + // only showing its id + $usersDetails[$userId] = ['id' => $userId]; + } + } + + return new DataResponse([ + 'users' => $usersDetails + ]); + } + + /** + * Gets the list of users sorted by lastLogin, from most recent to least recent + * + * @param string $search Text to search for + * @param ?int $limit Limit the amount of users returned + * @param int $offset Offset + * @return DataResponse<Http::STATUS_OK, array{users: array<string, Provisioning_APIUserDetails|array{id: string}>}, array{}> + * + * 200: Users details returned based on last logged in information + */ + #[AuthorizedAdminSetting(settings:Users::class)] + public function getLastLoggedInUsers(string $search = '', + ?int $limit = null, + int $offset = 0, + ): DataResponse { + $currentUser = $this->userSession->getUser(); + if ($currentUser === null) { + return new DataResponse(['users' => []]); + } + if ($limit !== null && $limit < 0) { + throw new InvalidArgumentException("Invalid limit value: $limit"); + } + if ($offset < 0) { + throw new InvalidArgumentException("Invalid offset value: $offset"); + } + + $users = []; + + // For Admin alone user sorting based on lastLogin. For sub admin and groups this is not supported + $users = $this->userManager->getLastLoggedInUsers($limit, $offset, $search); + + $usersDetails = []; + foreach ($users as $userId) { + try { + $userData = $this->getUserData($userId); + } catch (OCSNotFoundException $e) { + // We still want to return all other accounts, but this one was removed from the backends + // yet they are still in our database. Might be a LDAP remnant. + $userData = null; + $this->logger->warning('Found one account that was removed from its backend, but still exists in Nextcloud database', ['accountId' => $userId]); + } + // Do not insert empty entry + if ($userData !== null) { + $usersDetails[$userId] = $userData; + } else { + // Currently logged-in user does not have permissions to see this user + // only showing its id + $usersDetails[$userId] = ['id' => $userId]; + } + } + + return new DataResponse([ + 'users' => $usersDetails + ]); + } + + /** - * @NoAdminRequired * @NoSubAdminRequired * - * @param string $location - * @param array $search - * @return DataResponse + * Search users by their phone numbers + * + * @param string $location Location of the phone number (for country code) + * @param array<string, list<string>> $search Phone numbers to search for + * @return DataResponse<Http::STATUS_OK, array<string, string>, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, list<empty>, array{}> + * + * 200: Users returned + * 400: Invalid location */ + #[NoAdminRequired] public function searchByPhoneNumbers(string $location, array $search): DataResponse { - $phoneUtil = PhoneNumberUtil::getInstance(); - - if ($phoneUtil->getCountryCodeForRegion($location) === 0) { + if ($this->phoneNumberUtil->getCountryCodeForRegion($location) === null) { // Not a valid region code return new DataResponse([], Http::STATUS_BAD_REQUEST); } + /** @var IUser $user */ + $user = $this->userSession->getUser(); + $knownTo = $user->getUID(); + $defaultPhoneRegion = $this->config->getSystemValueString('default_phone_region'); + $normalizedNumberToKey = []; foreach ($search as $key => $phoneNumbers) { foreach ($phoneNumbers as $phone) { - try { - $phoneNumber = $phoneUtil->parse($phone, $location); - if ($phoneNumber instanceof PhoneNumber && $phoneUtil->isValidNumber($phoneNumber)) { - $normalizedNumber = $phoneUtil->format($phoneNumber, PhoneNumberFormat::E164); - $normalizedNumberToKey[$normalizedNumber] = (string) $key; + $normalizedNumber = $this->phoneNumberUtil->convertToStandardFormat($phone, $location); + if ($normalizedNumber !== null) { + $normalizedNumberToKey[$normalizedNumber] = (string)$key; + } + + if ($defaultPhoneRegion !== '' && $defaultPhoneRegion !== $location && str_starts_with($phone, '0')) { + // If the number has a leading zero (no country code), + // we also check the default phone region of the instance, + // when it's different to the user's given region. + $normalizedNumber = $this->phoneNumberUtil->convertToStandardFormat($phone, $defaultPhoneRegion); + if ($normalizedNumber !== null) { + $normalizedNumberToKey[$normalizedNumber] = (string)$key; } - } catch (NumberParseException $e) { } } } @@ -250,6 +392,9 @@ class UsersController extends AUserData { return new DataResponse(); } + // Cleanup all previous entries and only allow new matches + $this->knownUserService->deleteKnownTo($knownTo); + $userMatches = $this->accountManager->searchUsers(IAccountManager::PROPERTY_PHONE, $phoneNumbers); if (empty($userMatches)) { @@ -267,6 +412,7 @@ class UsersController extends AUserData { foreach ($userMatches as $phone => $userId) { // Not using the ICloudIdManager as that would run a search for each contact to find the display name in the address book $matches[$normalizedNumberToKey[$phone]] = $userId . '@' . $cloudUrl; + $this->knownUserService->storeIsKnownToUser($knownTo, $userId); } return new DataResponse($matches); @@ -284,34 +430,43 @@ class UsersController extends AUserData { } $attempts++; } while ($attempts < 10); - throw new OCSException('Could not create non-existing user id', 111); + throw new OCSException($this->l10n->t('Could not create non-existing user ID'), 111); } /** - * @PasswordConfirmationRequired - * @NoAdminRequired - * - * @param string $userid - * @param string $password - * @param string $displayName - * @param string $email - * @param array $groups - * @param array $subadmin - * @param string $quota - * @param string $language - * @return DataResponse + * Create a new user + * + * @param string $userid ID of the user + * @param string $password Password of the user + * @param string $displayName Display name of the user + * @param string $email Email of the user + * @param list<string> $groups Groups of the user + * @param list<string> $subadmin Groups where the user is subadmin + * @param string $quota Quota of the user + * @param string $language Language of the user + * @param ?string $manager Manager of the user + * @return DataResponse<Http::STATUS_OK, array{id: string}, array{}> * @throws OCSException + * @throws OCSForbiddenException Missing permissions to make user subadmin + * + * 200: User added successfully */ - public function addUser(string $userid, - string $password = '', - string $displayName = '', - string $email = '', - array $groups = [], - array $subadmin = [], - string $quota = '', - string $language = ''): DataResponse { + #[PasswordConfirmationRequired] + #[NoAdminRequired] + public function addUser( + string $userid, + string $password = '', + string $displayName = '', + string $email = '', + array $groups = [], + array $subadmin = [], + string $quota = '', + string $language = '', + ?string $manager = null, + ): DataResponse { $user = $this->userSession->getUser(); $isAdmin = $this->groupManager->isAdmin($user->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($user->getUID()); $subAdminManager = $this->groupManager->getSubAdmin(); if (empty($userid) && $this->config->getAppValue('core', 'newUser.generateUserID', 'no') === 'yes') { @@ -320,21 +475,21 @@ class UsersController extends AUserData { if ($this->userManager->userExists($userid)) { $this->logger->error('Failed addUser attempt: User already exists.', ['app' => 'ocs_api']); - throw new OCSException('User already exists', 102); + throw new OCSException($this->l10n->t('User already exists'), 102); } if ($groups !== []) { foreach ($groups as $group) { if (!$this->groupManager->groupExists($group)) { - throw new OCSException('group '.$group.' does not exist', 104); + throw new OCSException($this->l10n->t('Group %1$s does not exist', [$group]), 104); } - if (!$isAdmin && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) { - throw new OCSException('insufficient privileges for group '. $group, 105); + if (!$isAdmin && !($isDelegatedAdmin && $group !== 'admin') && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) { + throw new OCSException($this->l10n->t('Insufficient privileges for group %1$s', [$group]), 105); } } } else { - if (!$isAdmin) { - throw new OCSException('no group specified (required for subadmins)', 106); + if (!$isAdmin && !$isDelegatedAdmin) { + throw new OCSException($this->l10n->t('No group specified (required for sub-admins)'), 106); } } @@ -344,24 +499,27 @@ class UsersController extends AUserData { $group = $this->groupManager->get($groupid); // Check if group exists if ($group === null) { - throw new OCSException('Subadmin group does not exist', 102); + throw new OCSException($this->l10n->t('Sub-admin group does not exist'), 109); } // Check if trying to make subadmin of admin group if ($group->getGID() === 'admin') { - throw new OCSException('Cannot create subadmins for admin group', 103); + throw new OCSException($this->l10n->t('Cannot create sub-admins for admin group'), 103); } // Check if has permission to promote subadmins - if (!$subAdminManager->isSubAdminOfGroup($user, $group) && !$isAdmin) { - throw new OCSForbiddenException('No permissions to promote subadmins'); + if (!$subAdminManager->isSubAdminOfGroup($user, $group) && !$isAdmin && !$isDelegatedAdmin) { + throw new OCSForbiddenException($this->l10n->t('No permissions to promote sub-admins')); } $subadminGroups[] = $group; } } $generatePasswordResetToken = false; + if (strlen($password) > IUserManager::MAX_PASSWORD_LENGTH) { + throw new OCSException($this->l10n->t('Invalid password value'), 101); + } if ($password === '') { if ($email === '') { - throw new OCSException('To send a password link to the user an email address is required.', 108); + throw new OCSException($this->l10n->t('An email address is required, to send a password link to the user.'), 108); } $passwordEvent = new GenerateSecurePasswordEvent(); @@ -379,14 +537,21 @@ class UsersController extends AUserData { $generatePasswordResetToken = true; } + $email = mb_strtolower(trim($email)); if ($email === '' && $this->config->getAppValue('core', 'newUser.requireEmail', 'no') === 'yes') { - throw new OCSException('Required email address was not provided', 110); + throw new OCSException($this->l10n->t('Required email address was not provided'), 110); } + // Create the user try { $newUser = $this->userManager->createUser($userid, $password); - $this->logger->info('Successful addUser call with userid: ' . $userid, ['app' => 'ocs_api']); + if (!$newUser instanceof IUser) { + // If the user is not an instance of IUser, it means the user creation failed + $this->logger->error('Failed addUser attempt: User creation failed.', ['app' => 'ocs_api']); + throw new OCSException($this->l10n->t('User creation failed'), 111); + } + $this->logger->info('Successful addUser call with userid: ' . $userid, ['app' => 'ocs_api']); foreach ($groups as $group) { $this->groupManager->get($group)->addUser($newUser); $this->logger->info('Added userid ' . $userid . ' to group ' . $group, ['app' => 'ocs_api']); @@ -396,20 +561,36 @@ class UsersController extends AUserData { } if ($displayName !== '') { - $this->editUser($userid, 'display', $displayName); + try { + $this->editUser($userid, self::USER_FIELD_DISPLAYNAME, $displayName); + } catch (OCSException $e) { + if ($newUser instanceof IUser) { + $newUser->delete(); + } + throw $e; + } } if ($quota !== '') { - $this->editUser($userid, 'quota', $quota); + $this->editUser($userid, self::USER_FIELD_QUOTA, $quota); } if ($language !== '') { - $this->editUser($userid, 'language', $language); + $this->editUser($userid, self::USER_FIELD_LANGUAGE, $language); + } + + /** + * null -> nothing sent + * '' -> unset manager + * else -> set manager + */ + if ($manager !== null) { + $this->editUser($userid, self::USER_FIELD_MANAGER, $manager); } // Send new user mail only if a mail is set if ($email !== '') { - $newUser->setEMailAddress($email); + $newUser->setSystemEMailAddress($email); if ($this->config->getAppValue('core', 'newUser.sendEmail', 'yes') === 'yes') { try { $emailTemplate = $this->newUserMailHelper->generateTemplate($newUser, $generatePasswordResetToken); @@ -417,288 +598,698 @@ class UsersController extends AUserData { } catch (\Exception $e) { // Mail could be failing hard or just be plain not configured // Logging error as it is the hardest of the two - $this->logger->logException($e, [ - 'message' => "Unable to send the invitation mail to $email", - 'level' => ILogger::ERROR, - 'app' => 'ocs_api', - ]); + $this->logger->error( + "Unable to send the invitation mail to $email", + [ + 'app' => 'ocs_api', + 'exception' => $e, + ] + ); } } } return new DataResponse(['id' => $userid]); } catch (HintException $e) { - $this->logger->logException($e, [ - 'message' => 'Failed addUser attempt with hint exception.', - 'level' => ILogger::WARN, - 'app' => 'ocs_api', - ]); + $this->logger->warning( + 'Failed addUser attempt with hint exception.', + [ + 'app' => 'ocs_api', + 'exception' => $e, + ] + ); throw new OCSException($e->getHint(), 107); } catch (OCSException $e) { - $this->logger->logException($e, [ - 'message' => 'Failed addUser attempt with ocs exeption.', - 'level' => ILogger::ERROR, - 'app' => 'ocs_api', - ]); + $this->logger->warning( + 'Failed addUser attempt with ocs exception.', + [ + 'app' => 'ocs_api', + 'exception' => $e, + ] + ); throw $e; + } catch (InvalidArgumentException $e) { + $this->logger->error( + 'Failed addUser attempt with invalid argument exception.', + [ + 'app' => 'ocs_api', + 'exception' => $e, + ] + ); + throw new OCSException($e->getMessage(), 101); } catch (\Exception $e) { - $this->logger->logException($e, [ - 'message' => 'Failed addUser attempt with exception.', - 'level' => ILogger::ERROR, - 'app' => 'ocs_api', - ]); + $this->logger->error( + 'Failed addUser attempt with exception.', + [ + 'app' => 'ocs_api', + 'exception' => $e + ] + ); throw new OCSException('Bad request', 101); } } /** - * @NoAdminRequired * @NoSubAdminRequired * - * gets user info + * Get the details of a user * - * @param string $userId - * @return DataResponse + * @param string $userId ID of the user + * @return DataResponse<Http::STATUS_OK, Provisioning_APIUserDetails, array{}> * @throws OCSException + * + * 200: User returned */ + #[NoAdminRequired] public function getUser(string $userId): DataResponse { - $data = $this->getUserData($userId); - // getUserData returns empty array if not enough permissions - if (empty($data)) { - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + $includeScopes = false; + $currentUser = $this->userSession->getUser(); + if ($currentUser && $currentUser->getUID() === $userId) { + $includeScopes = true; + } + + $data = $this->getUserData($userId, $includeScopes); + // getUserData returns null if not enough permissions + if ($data === null) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } return new DataResponse($data); } /** - * @NoAdminRequired * @NoSubAdminRequired * - * gets user info from the currently logged in user + * Get the details of the current user * - * @return DataResponse + * @return DataResponse<Http::STATUS_OK, Provisioning_APIUserDetails, array{}> * @throws OCSException + * + * 200: Current user returned */ + #[NoAdminRequired] public function getCurrentUser(): DataResponse { $user = $this->userSession->getUser(); if ($user) { - $data = $this->getUserData($user->getUID()); - // rename "displayname" to "display-name" only for this call to keep - // the API stable. - $data['display-name'] = $data['displayname']; - unset($data['displayname']); + /** @var Provisioning_APIUserDetails $data */ + $data = $this->getUserData($user->getUID(), true); return new DataResponse($data); } - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); } /** - * @NoAdminRequired * @NoSubAdminRequired + * + * Get a list of fields that are editable for the current user + * + * @return DataResponse<Http::STATUS_OK, list<string>, array{}> + * @throws OCSException + * + * 200: Editable fields returned */ + #[NoAdminRequired] public function getEditableFields(): DataResponse { + $currentLoggedInUser = $this->userSession->getUser(); + if (!$currentLoggedInUser instanceof IUser) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + return $this->getEditableFieldsForUser($currentLoggedInUser->getUID()); + } + + /** + * Get a list of enabled apps for the current user + * + * @return DataResponse<Http::STATUS_OK, array{apps: list<string>}, array{}> + * + * 200: Enabled apps returned + */ + #[NoAdminRequired] + public function getEnabledApps(): DataResponse { + $currentLoggedInUser = $this->userSession->getUser(); + return new DataResponse(['apps' => $this->appManager->getEnabledAppsForUser($currentLoggedInUser)]); + } + + /** + * @NoSubAdminRequired + * + * Get a list of fields that are editable for a user + * + * @param string $userId ID of the user + * @return DataResponse<Http::STATUS_OK, list<string>, array{}> + * @throws OCSException + * + * 200: Editable fields for user returned + */ + #[NoAdminRequired] + public function getEditableFieldsForUser(string $userId): DataResponse { + $currentLoggedInUser = $this->userSession->getUser(); + if (!$currentLoggedInUser instanceof IUser) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + $permittedFields = []; - // Editing self (display, email) - if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) { + if ($userId !== $currentLoggedInUser->getUID()) { + $targetUser = $this->userManager->get($userId); + if (!$targetUser instanceof IUser) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + $subAdminManager = $this->groupManager->getSubAdmin(); + $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()); + if ( + !($isAdmin || $isDelegatedAdmin) + && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser) + ) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + } else { + $targetUser = $currentLoggedInUser; + } + + $allowDisplayNameChange = $this->config->getSystemValue('allow_user_to_change_display_name', true); + if ($allowDisplayNameChange === true && ( + $targetUser->getBackend() instanceof ISetDisplayNameBackend + || $targetUser->getBackend()->implementsActions(Backend::SET_DISPLAYNAME) + )) { $permittedFields[] = IAccountManager::PROPERTY_DISPLAYNAME; + } + + // Fallback to display name value to avoid changing behavior with the new option. + if ($this->config->getSystemValue('allow_user_to_change_email', $allowDisplayNameChange)) { $permittedFields[] = IAccountManager::PROPERTY_EMAIL; } - if ($this->appManager->isEnabledForUser('federatedfilesharing')) { - $shareProvider = $this->federatedShareProviderFactory->get(); - if ($shareProvider->isLookupServerUploadEnabled()) { - $permittedFields[] = IAccountManager::PROPERTY_PHONE; - $permittedFields[] = IAccountManager::PROPERTY_ADDRESS; - $permittedFields[] = IAccountManager::PROPERTY_WEBSITE; - $permittedFields[] = IAccountManager::PROPERTY_TWITTER; + $permittedFields[] = IAccountManager::COLLECTION_EMAIL; + $permittedFields[] = IAccountManager::PROPERTY_PHONE; + $permittedFields[] = IAccountManager::PROPERTY_ADDRESS; + $permittedFields[] = IAccountManager::PROPERTY_WEBSITE; + $permittedFields[] = IAccountManager::PROPERTY_TWITTER; + $permittedFields[] = IAccountManager::PROPERTY_BLUESKY; + $permittedFields[] = IAccountManager::PROPERTY_FEDIVERSE; + $permittedFields[] = IAccountManager::PROPERTY_ORGANISATION; + $permittedFields[] = IAccountManager::PROPERTY_ROLE; + $permittedFields[] = IAccountManager::PROPERTY_HEADLINE; + $permittedFields[] = IAccountManager::PROPERTY_BIOGRAPHY; + $permittedFields[] = IAccountManager::PROPERTY_PROFILE_ENABLED; + $permittedFields[] = IAccountManager::PROPERTY_PRONOUNS; + + return new DataResponse($permittedFields); + } + + /** + * @NoSubAdminRequired + * + * Update multiple values of the user's details + * + * @param string $userId ID of the user + * @param string $collectionName Collection to update + * @param string $key Key that will be updated + * @param string $value New value for the key + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> + * @throws OCSException + * + * 200: User values edited successfully + */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] + #[UserRateLimit(limit: 5, period: 60)] + public function editUserMultiValue( + string $userId, + string $collectionName, + string $key, + string $value, + ): DataResponse { + $currentLoggedInUser = $this->userSession->getUser(); + if ($currentLoggedInUser === null) { + throw new OCSException('', OCSController::RESPOND_UNAUTHORISED); + } + + $targetUser = $this->userManager->get($userId); + if ($targetUser === null) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + $subAdminManager = $this->groupManager->getSubAdmin(); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()); + $isAdminOrSubadmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()) + || $subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser); + + $permittedFields = []; + if ($targetUser->getUID() === $currentLoggedInUser->getUID()) { + // Editing self (display, email) + $permittedFields[] = IAccountManager::COLLECTION_EMAIL; + $permittedFields[] = IAccountManager::COLLECTION_EMAIL . self::SCOPE_SUFFIX; + } else { + // Check if admin / subadmin + if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this->groupManager->isInGroup($targetUser->getUID(), 'admin')) { + // They have permissions over the user + $permittedFields[] = IAccountManager::COLLECTION_EMAIL; + } else { + // No rights + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } } - return new DataResponse($permittedFields); + // Check if permitted to edit this field + if (!in_array($collectionName, $permittedFields)) { + throw new OCSException('', 103); + } + + switch ($collectionName) { + case IAccountManager::COLLECTION_EMAIL: + $userAccount = $this->accountManager->getAccount($targetUser); + $mailCollection = $userAccount->getPropertyCollection(IAccountManager::COLLECTION_EMAIL); + $mailCollection->removePropertyByValue($key); + if ($value !== '') { + $value = mb_strtolower(trim($value)); + $mailCollection->addPropertyWithDefaults($value); + $property = $mailCollection->getPropertyByValue($key); + if ($isAdminOrSubadmin && $property) { + // admin set mails are auto-verified + $property->setLocallyVerified(IAccountManager::VERIFIED); + } + } + $this->accountManager->updateAccount($userAccount); + if ($value === '' && $key === $targetUser->getPrimaryEMailAddress()) { + $targetUser->setPrimaryEMailAddress(''); + } + break; + + case IAccountManager::COLLECTION_EMAIL . self::SCOPE_SUFFIX: + $userAccount = $this->accountManager->getAccount($targetUser); + $mailCollection = $userAccount->getPropertyCollection(IAccountManager::COLLECTION_EMAIL); + $targetProperty = null; + foreach ($mailCollection->getProperties() as $property) { + if ($property->getValue() === $key) { + $targetProperty = $property; + break; + } + } + if ($targetProperty instanceof IAccountProperty) { + try { + $targetProperty->setScope($value); + $this->accountManager->updateAccount($userAccount); + } catch (InvalidArgumentException $e) { + throw new OCSException('', 102); + } + } else { + throw new OCSException('', 102); + } + break; + + default: + throw new OCSException('', 103); + } + return new DataResponse(); } /** - * @NoAdminRequired * @NoSubAdminRequired - * @PasswordConfirmationRequired * - * edit users + * Update a value of the user's details * - * @param string $userId - * @param string $key - * @param string $value - * @return DataResponse + * @param string $userId ID of the user + * @param string $key Key that will be updated + * @param string $value New value for the key + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: User value edited successfully */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] + #[UserRateLimit(limit: 50, period: 600)] public function editUser(string $userId, string $key, string $value): DataResponse { $currentLoggedInUser = $this->userSession->getUser(); $targetUser = $this->userManager->get($userId); if ($targetUser === null) { - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } $permittedFields = []; if ($targetUser->getUID() === $currentLoggedInUser->getUID()) { - // Editing self (display, email) - if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) { - $permittedFields[] = 'display'; + $allowDisplayNameChange = $this->config->getSystemValue('allow_user_to_change_display_name', true); + if ($allowDisplayNameChange !== false && ( + $targetUser->getBackend() instanceof ISetDisplayNameBackend + || $targetUser->getBackend()->implementsActions(Backend::SET_DISPLAYNAME) + )) { + $permittedFields[] = self::USER_FIELD_DISPLAYNAME; $permittedFields[] = IAccountManager::PROPERTY_DISPLAYNAME; - $permittedFields[] = IAccountManager::PROPERTY_EMAIL; } - $permittedFields[] = 'password'; - if ($this->config->getSystemValue('force_language', false) === false || - $this->groupManager->isAdmin($currentLoggedInUser->getUID())) { - $permittedFields[] = 'language'; + // Fallback to display name value to avoid changing behavior with the new option. + if ($this->config->getSystemValue('allow_user_to_change_email', $allowDisplayNameChange)) { + $permittedFields[] = IAccountManager::PROPERTY_EMAIL; } - if ($this->config->getSystemValue('force_locale', false) === false || - $this->groupManager->isAdmin($currentLoggedInUser->getUID())) { - $permittedFields[] = 'locale'; + $permittedFields[] = IAccountManager::PROPERTY_DISPLAYNAME . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_EMAIL . self::SCOPE_SUFFIX; + + $permittedFields[] = IAccountManager::COLLECTION_EMAIL; + + $permittedFields[] = self::USER_FIELD_PASSWORD; + $permittedFields[] = self::USER_FIELD_NOTIFICATION_EMAIL; + if ( + $this->config->getSystemValue('force_language', false) === false + || $this->groupManager->isAdmin($currentLoggedInUser->getUID()) + || $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()) + ) { + $permittedFields[] = self::USER_FIELD_LANGUAGE; } - if ($this->appManager->isEnabledForUser('federatedfilesharing')) { - $shareProvider = $this->federatedShareProviderFactory->get(); - if ($shareProvider->isLookupServerUploadEnabled()) { - $permittedFields[] = IAccountManager::PROPERTY_PHONE; - $permittedFields[] = IAccountManager::PROPERTY_ADDRESS; - $permittedFields[] = IAccountManager::PROPERTY_WEBSITE; - $permittedFields[] = IAccountManager::PROPERTY_TWITTER; - } + if ( + $this->config->getSystemValue('force_locale', false) === false + || $this->groupManager->isAdmin($currentLoggedInUser->getUID()) + || $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()) + ) { + $permittedFields[] = self::USER_FIELD_LOCALE; + $permittedFields[] = self::USER_FIELD_FIRST_DAY_OF_WEEK; } - // If admin they can edit their own quota - if ($this->groupManager->isAdmin($currentLoggedInUser->getUID())) { - $permittedFields[] = 'quota'; + $permittedFields[] = IAccountManager::PROPERTY_PHONE; + $permittedFields[] = IAccountManager::PROPERTY_ADDRESS; + $permittedFields[] = IAccountManager::PROPERTY_WEBSITE; + $permittedFields[] = IAccountManager::PROPERTY_TWITTER; + $permittedFields[] = IAccountManager::PROPERTY_BLUESKY; + $permittedFields[] = IAccountManager::PROPERTY_FEDIVERSE; + $permittedFields[] = IAccountManager::PROPERTY_ORGANISATION; + $permittedFields[] = IAccountManager::PROPERTY_ROLE; + $permittedFields[] = IAccountManager::PROPERTY_HEADLINE; + $permittedFields[] = IAccountManager::PROPERTY_BIOGRAPHY; + $permittedFields[] = IAccountManager::PROPERTY_PROFILE_ENABLED; + $permittedFields[] = IAccountManager::PROPERTY_BIRTHDATE; + $permittedFields[] = IAccountManager::PROPERTY_PRONOUNS; + + $permittedFields[] = IAccountManager::PROPERTY_PHONE . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_ADDRESS . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_WEBSITE . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_TWITTER . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_BLUESKY . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_FEDIVERSE . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_ORGANISATION . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_ROLE . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_HEADLINE . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_BIOGRAPHY . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_PROFILE_ENABLED . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_BIRTHDATE . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_AVATAR . self::SCOPE_SUFFIX; + $permittedFields[] = IAccountManager::PROPERTY_PRONOUNS . self::SCOPE_SUFFIX; + + // If admin they can edit their own quota and manager + $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()); + if ($isAdmin || $isDelegatedAdmin) { + $permittedFields[] = self::USER_FIELD_QUOTA; + $permittedFields[] = self::USER_FIELD_MANAGER; } } else { // Check if admin / subadmin $subAdminManager = $this->groupManager->getSubAdmin(); - if ($this->groupManager->isAdmin($currentLoggedInUser->getUID()) - || $subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { + if ( + $this->groupManager->isAdmin($currentLoggedInUser->getUID()) + || $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()) && !$this->groupManager->isInGroup($targetUser->getUID(), 'admin') + || $subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser) + ) { // They have permissions over the user - $permittedFields[] = 'display'; - $permittedFields[] = IAccountManager::PROPERTY_DISPLAYNAME; + if ( + $targetUser->getBackend() instanceof ISetDisplayNameBackend + || $targetUser->getBackend()->implementsActions(Backend::SET_DISPLAYNAME) + ) { + $permittedFields[] = self::USER_FIELD_DISPLAYNAME; + $permittedFields[] = IAccountManager::PROPERTY_DISPLAYNAME; + } $permittedFields[] = IAccountManager::PROPERTY_EMAIL; - $permittedFields[] = 'password'; - $permittedFields[] = 'language'; - $permittedFields[] = 'locale'; + $permittedFields[] = IAccountManager::COLLECTION_EMAIL; + $permittedFields[] = self::USER_FIELD_PASSWORD; + $permittedFields[] = self::USER_FIELD_LANGUAGE; + $permittedFields[] = self::USER_FIELD_LOCALE; + $permittedFields[] = self::USER_FIELD_FIRST_DAY_OF_WEEK; $permittedFields[] = IAccountManager::PROPERTY_PHONE; $permittedFields[] = IAccountManager::PROPERTY_ADDRESS; $permittedFields[] = IAccountManager::PROPERTY_WEBSITE; $permittedFields[] = IAccountManager::PROPERTY_TWITTER; - $permittedFields[] = 'quota'; + $permittedFields[] = IAccountManager::PROPERTY_BLUESKY; + $permittedFields[] = IAccountManager::PROPERTY_FEDIVERSE; + $permittedFields[] = IAccountManager::PROPERTY_ORGANISATION; + $permittedFields[] = IAccountManager::PROPERTY_ROLE; + $permittedFields[] = IAccountManager::PROPERTY_HEADLINE; + $permittedFields[] = IAccountManager::PROPERTY_BIOGRAPHY; + $permittedFields[] = IAccountManager::PROPERTY_PROFILE_ENABLED; + $permittedFields[] = IAccountManager::PROPERTY_PRONOUNS; + $permittedFields[] = self::USER_FIELD_QUOTA; + $permittedFields[] = self::USER_FIELD_NOTIFICATION_EMAIL; + $permittedFields[] = self::USER_FIELD_MANAGER; } else { // No rights - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } } // Check if permitted to edit this field if (!in_array($key, $permittedFields)) { - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException('', 113); } // Process the edit switch ($key) { - case 'display': + case self::USER_FIELD_DISPLAYNAME: case IAccountManager::PROPERTY_DISPLAYNAME: - $targetUser->setDisplayName($value); + try { + $targetUser->setDisplayName($value); + } catch (InvalidArgumentException $e) { + throw new OCSException($e->getMessage(), 101); + } break; - case 'quota': + case self::USER_FIELD_QUOTA: $quota = $value; if ($quota !== 'none' && $quota !== 'default') { if (is_numeric($quota)) { - $quota = (float) $quota; + $quota = (float)$quota; } else { - $quota = \OCP\Util::computerFileSize($quota); + $quota = Util::computerFileSize($quota); } if ($quota === false) { - throw new OCSException('Invalid quota value '.$value, 103); + throw new OCSException($this->l10n->t('Invalid quota value: %1$s', [$value]), 101); } if ($quota === -1) { $quota = 'none'; } else { - $quota = \OCP\Util::humanFileSize($quota); + $maxQuota = (int)$this->config->getAppValue('files', 'max_quota', '-1'); + if ($maxQuota !== -1 && $quota > $maxQuota) { + throw new OCSException($this->l10n->t('Invalid quota value. %1$s is exceeding the maximum quota', [$value]), 101); + } + $quota = Util::humanFileSize($quota); + } + } + // no else block because quota can be set to 'none' in previous if + if ($quota === 'none') { + $allowUnlimitedQuota = $this->config->getAppValue('files', 'allow_unlimited_quota', '1') === '1'; + if (!$allowUnlimitedQuota) { + throw new OCSException($this->l10n->t('Unlimited quota is forbidden on this instance'), 101); } } $targetUser->setQuota($quota); break; - case 'password': + case self::USER_FIELD_MANAGER: + $targetUser->setManagerUids([$value]); + break; + case self::USER_FIELD_PASSWORD: try { + if (strlen($value) > IUserManager::MAX_PASSWORD_LENGTH) { + throw new OCSException($this->l10n->t('Invalid password value'), 101); + } if (!$targetUser->canChangePassword()) { - throw new OCSException('Setting the password is not supported by the users backend', 103); + throw new OCSException($this->l10n->t('Setting the password is not supported by the users backend'), 112); } $targetUser->setPassword($value); } catch (HintException $e) { // password policy error - throw new OCSException($e->getMessage(), 103); + throw new OCSException($e->getHint(), 107); } break; - case 'language': + case self::USER_FIELD_LANGUAGE: $languagesCodes = $this->l10nFactory->findAvailableLanguages(); if (!in_array($value, $languagesCodes, true) && $value !== 'en') { - throw new OCSException('Invalid language', 102); + throw new OCSException($this->l10n->t('Invalid language'), 101); } $this->config->setUserValue($targetUser->getUID(), 'core', 'lang', $value); break; - case 'locale': + case self::USER_FIELD_LOCALE: if (!$this->l10nFactory->localeExists($value)) { - throw new OCSException('Invalid locale', 102); + throw new OCSException($this->l10n->t('Invalid locale'), 101); } $this->config->setUserValue($targetUser->getUID(), 'core', 'locale', $value); break; + case self::USER_FIELD_FIRST_DAY_OF_WEEK: + $intValue = (int)$value; + if ($intValue < -1 || $intValue > 6) { + throw new OCSException($this->l10n->t('Invalid first day of week'), 101); + } + if ($intValue === -1) { + $this->config->deleteUserValue($targetUser->getUID(), 'core', AUserDataOCSController::USER_FIELD_FIRST_DAY_OF_WEEK); + } else { + $this->config->setUserValue($targetUser->getUID(), 'core', AUserDataOCSController::USER_FIELD_FIRST_DAY_OF_WEEK, $value); + } + break; + case self::USER_FIELD_NOTIFICATION_EMAIL: + $success = false; + if ($value === '' || filter_var($value, FILTER_VALIDATE_EMAIL)) { + try { + $targetUser->setPrimaryEMailAddress($value); + $success = true; + } catch (InvalidArgumentException $e) { + $this->logger->info( + 'Cannot set primary email, because provided address is not verified', + [ + 'app' => 'provisioning_api', + 'exception' => $e, + ] + ); + } + } + if (!$success) { + throw new OCSException('', 101); + } + break; case IAccountManager::PROPERTY_EMAIL: + $value = mb_strtolower(trim($value)); if (filter_var($value, FILTER_VALIDATE_EMAIL) || $value === '') { - $targetUser->setEMailAddress($value); + $targetUser->setSystemEMailAddress($value); } else { - throw new OCSException('', 102); + throw new OCSException('', 101); + } + break; + case IAccountManager::COLLECTION_EMAIL: + $value = mb_strtolower(trim($value)); + if (filter_var($value, FILTER_VALIDATE_EMAIL) && $value !== $targetUser->getSystemEMailAddress()) { + $userAccount = $this->accountManager->getAccount($targetUser); + $mailCollection = $userAccount->getPropertyCollection(IAccountManager::COLLECTION_EMAIL); + + if ($mailCollection->getPropertyByValue($value)) { + throw new OCSException('', 101); + } + + $mailCollection->addPropertyWithDefaults($value); + $this->accountManager->updateAccount($userAccount); + } else { + throw new OCSException('', 101); } break; case IAccountManager::PROPERTY_PHONE: case IAccountManager::PROPERTY_ADDRESS: case IAccountManager::PROPERTY_WEBSITE: case IAccountManager::PROPERTY_TWITTER: - $userAccount = $this->accountManager->getUser($targetUser); - if ($userAccount[$key]['value'] !== $value) { - $userAccount[$key]['value'] = $value; + case IAccountManager::PROPERTY_BLUESKY: + case IAccountManager::PROPERTY_FEDIVERSE: + case IAccountManager::PROPERTY_ORGANISATION: + case IAccountManager::PROPERTY_ROLE: + case IAccountManager::PROPERTY_HEADLINE: + case IAccountManager::PROPERTY_BIOGRAPHY: + case IAccountManager::PROPERTY_BIRTHDATE: + case IAccountManager::PROPERTY_PRONOUNS: + $userAccount = $this->accountManager->getAccount($targetUser); + try { + $userProperty = $userAccount->getProperty($key); + if ($userProperty->getValue() !== $value) { + try { + $userProperty->setValue($value); + if ($userProperty->getName() === IAccountManager::PROPERTY_PHONE) { + $this->knownUserService->deleteByContactUserId($targetUser->getUID()); + } + } catch (InvalidArgumentException $e) { + throw new OCSException('Invalid ' . $e->getMessage(), 101); + } + } + } catch (PropertyDoesNotExistException $e) { + $userAccount->setProperty($key, $value, IAccountManager::SCOPE_PRIVATE, IAccountManager::NOT_VERIFIED); + } + try { + $this->accountManager->updateAccount($userAccount); + } catch (InvalidArgumentException $e) { + throw new OCSException('Invalid ' . $e->getMessage(), 101); + } + break; + case IAccountManager::PROPERTY_PROFILE_ENABLED: + $userAccount = $this->accountManager->getAccount($targetUser); + try { + $userProperty = $userAccount->getProperty($key); + if ($userProperty->getValue() !== $value) { + $userProperty->setValue($value); + } + } catch (PropertyDoesNotExistException $e) { + $userAccount->setProperty($key, $value, IAccountManager::SCOPE_LOCAL, IAccountManager::NOT_VERIFIED); + } + $this->accountManager->updateAccount($userAccount); + break; + case IAccountManager::PROPERTY_DISPLAYNAME . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_EMAIL . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_PHONE . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_ADDRESS . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_WEBSITE . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_TWITTER . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_BLUESKY . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_FEDIVERSE . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_ORGANISATION . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_ROLE . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_HEADLINE . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_BIOGRAPHY . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_PROFILE_ENABLED . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_BIRTHDATE . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_AVATAR . self::SCOPE_SUFFIX: + case IAccountManager::PROPERTY_PRONOUNS . self::SCOPE_SUFFIX: + $propertyName = substr($key, 0, strlen($key) - strlen(self::SCOPE_SUFFIX)); + $userAccount = $this->accountManager->getAccount($targetUser); + $userProperty = $userAccount->getProperty($propertyName); + if ($userProperty->getScope() !== $value) { try { - $this->accountManager->updateUser($targetUser, $userAccount, true); - } catch (\InvalidArgumentException $e) { - throw new OCSException('Invalid ' . $e->getMessage(), 102); + $userProperty->setScope($value); + $this->accountManager->updateAccount($userAccount); + } catch (InvalidArgumentException $e) { + throw new OCSException('Invalid ' . $e->getMessage(), 101); } } break; default: - throw new OCSException('', 103); + throw new OCSException('', 113); } return new DataResponse(); } /** - * @PasswordConfirmationRequired - * @NoAdminRequired + * Wipe all devices of a user * - * @param string $userId + * @param string $userId ID of the user * - * @return DataResponse + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * * @throws OCSException + * + * 200: Wiped all user devices successfully */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] public function wipeUserDevices(string $userId): DataResponse { /** @var IUser $currentLoggedInUser */ $currentLoggedInUser = $this->userSession->getUser(); $targetUser = $this->userManager->get($userId); - if ($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) { + if ($targetUser === null) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + if ($targetUser->getUID() === $currentLoggedInUser->getUID()) { throw new OCSException('', 101); } // If not permitted $subAdminManager = $this->groupManager->getSubAdmin(); - if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()); + if (!$isAdmin && !($isDelegatedAdmin && !$this->groupManager->isInGroup($targetUser->getUID(), 'admin')) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } $this->remoteWipe->markAllTokensForWipe($targetUser); @@ -707,26 +1298,35 @@ class UsersController extends AUserData { } /** - * @PasswordConfirmationRequired - * @NoAdminRequired + * Delete a user * - * @param string $userId - * @return DataResponse + * @param string $userId ID of the user + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: User deleted successfully */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] public function deleteUser(string $userId): DataResponse { $currentLoggedInUser = $this->userSession->getUser(); $targetUser = $this->userManager->get($userId); - if ($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) { + if ($targetUser === null) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + if ($targetUser->getUID() === $currentLoggedInUser->getUID()) { throw new OCSException('', 101); } // If not permitted $subAdminManager = $this->groupManager->getSubAdmin(); - if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()); + if (!$isAdmin && !($isDelegatedAdmin && !$this->groupManager->isInGroup($targetUser->getUID(), 'admin')) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } // Go ahead with the delete @@ -738,27 +1338,31 @@ class UsersController extends AUserData { } /** - * @PasswordConfirmationRequired - * @NoAdminRequired + * Disable a user * - * @param string $userId - * @return DataResponse + * @param string $userId ID of the user + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException - * @throws OCSForbiddenException + * + * 200: User disabled successfully */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] public function disableUser(string $userId): DataResponse { return $this->setEnabled($userId, false); } /** - * @PasswordConfirmationRequired - * @NoAdminRequired + * Enable a user * - * @param string $userId - * @return DataResponse + * @param string $userId ID of the user + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException - * @throws OCSForbiddenException + * + * 200: User enabled successfully */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] public function enableUser(string $userId): DataResponse { return $this->setEnabled($userId, true); } @@ -766,7 +1370,7 @@ class UsersController extends AUserData { /** * @param string $userId * @param bool $value - * @return DataResponse + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException */ private function setEnabled(string $userId, bool $value): DataResponse { @@ -779,8 +1383,10 @@ class UsersController extends AUserData { // If not permitted $subAdminManager = $this->groupManager->getSubAdmin(); - if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()); + if (!$isAdmin && !($isDelegatedAdmin && !$this->groupManager->isInGroup($targetUser->getUID(), 'admin')) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } // enable/disable the user now @@ -789,22 +1395,28 @@ class UsersController extends AUserData { } /** - * @NoAdminRequired * @NoSubAdminRequired * - * @param string $userId - * @return DataResponse + * Get a list of groups the user belongs to + * + * @param string $userId ID of the user + * @return DataResponse<Http::STATUS_OK, array{groups: list<string>}, array{}> * @throws OCSException + * + * 200: Users groups returned */ + #[NoAdminRequired] public function getUsersGroups(string $userId): DataResponse { $loggedInUser = $this->userSession->getUser(); $targetUser = $this->userManager->get($userId); if ($targetUser === null) { - throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } - if ($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) { + $isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($loggedInUser->getUID()); + if ($targetUser->getUID() === $loggedInUser->getUID() || $isAdmin || $isDelegatedAdmin) { // Self lookup or admin lookup return new DataResponse([ 'groups' => $this->groupManager->getUserGroupIds($targetUser) @@ -815,32 +1427,151 @@ class UsersController extends AUserData { // Looking up someone else if ($subAdminManager->isUserAccessible($loggedInUser, $targetUser)) { // Return the group that the method caller is subadmin of for the user in question - /** @var IGroup[] $getSubAdminsGroups */ - $getSubAdminsGroups = $subAdminManager->getSubAdminsGroups($loggedInUser); - foreach ($getSubAdminsGroups as $key => $group) { - $getSubAdminsGroups[$key] = $group->getGID(); - } - $groups = array_intersect( - $getSubAdminsGroups, + $groups = array_values(array_intersect( + array_map(static fn (IGroup $group) => $group->getGID(), $subAdminManager->getSubAdminsGroups($loggedInUser)), $this->groupManager->getUserGroupIds($targetUser) - ); + )); return new DataResponse(['groups' => $groups]); } else { // Not permitted - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } } } /** - * @PasswordConfirmationRequired - * @NoAdminRequired + * @NoSubAdminRequired * - * @param string $userId - * @param string $groupid - * @return DataResponse + * Get a list of groups with details + * + * @param string $userId ID of the user + * @return DataResponse<Http::STATUS_OK, array{groups: list<Provisioning_APIGroupDetails>}, array{}> + * @throws OCSException + * + * 200: Users groups returned + */ + #[NoAdminRequired] + public function getUsersGroupsDetails(string $userId): DataResponse { + $loggedInUser = $this->userSession->getUser(); + + $targetUser = $this->userManager->get($userId); + if ($targetUser === null) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + $isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($loggedInUser->getUID()); + if ($targetUser->getUID() === $loggedInUser->getUID() || $isAdmin || $isDelegatedAdmin) { + // Self lookup or admin lookup + $groups = array_map( + function (Group $group) { + return [ + 'id' => $group->getGID(), + 'displayname' => $group->getDisplayName(), + 'usercount' => $group->count(), + 'disabled' => $group->countDisabled(), + 'canAdd' => $group->canAddUser(), + 'canRemove' => $group->canRemoveUser(), + ]; + }, + array_values($this->groupManager->getUserGroups($targetUser)), + ); + return new DataResponse([ + 'groups' => $groups, + ]); + } else { + $subAdminManager = $this->groupManager->getSubAdmin(); + + // Looking up someone else + if ($subAdminManager->isUserAccessible($loggedInUser, $targetUser)) { + // Return the group that the method caller is subadmin of for the user in question + $gids = array_values(array_intersect( + array_map( + static fn (IGroup $group) => $group->getGID(), + $subAdminManager->getSubAdminsGroups($loggedInUser), + ), + $this->groupManager->getUserGroupIds($targetUser) + )); + $groups = array_map( + function (string $gid) { + $group = $this->groupManager->get($gid); + return [ + 'id' => $group->getGID(), + 'displayname' => $group->getDisplayName(), + 'usercount' => $group->count(), + 'disabled' => $group->countDisabled(), + 'canAdd' => $group->canAddUser(), + 'canRemove' => $group->canRemoveUser(), + ]; + }, + $gids, + ); + return new DataResponse([ + 'groups' => $groups, + ]); + } else { + // Not permitted + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + } + } + + /** + * @NoSubAdminRequired + * + * Get a list of the groups the user is a subadmin of, with details + * + * @param string $userId ID of the user + * @return DataResponse<Http::STATUS_OK, array{groups: list<Provisioning_APIGroupDetails>}, array{}> * @throws OCSException + * + * 200: Users subadmin groups returned */ + #[NoAdminRequired] + public function getUserSubAdminGroupsDetails(string $userId): DataResponse { + $loggedInUser = $this->userSession->getUser(); + + $targetUser = $this->userManager->get($userId); + if ($targetUser === null) { + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + $isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($loggedInUser->getUID()); + if ($targetUser->getUID() === $loggedInUser->getUID() || $isAdmin || $isDelegatedAdmin) { + $subAdminManager = $this->groupManager->getSubAdmin(); + $groups = array_map( + function (IGroup $group) { + return [ + 'id' => $group->getGID(), + 'displayname' => $group->getDisplayName(), + 'usercount' => $group->count(), + 'disabled' => $group->countDisabled(), + 'canAdd' => $group->canAddUser(), + 'canRemove' => $group->canRemoveUser(), + ]; + }, + array_values($subAdminManager->getSubAdminsGroups($targetUser)), + ); + return new DataResponse([ + 'groups' => $groups, + ]); + } + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); + } + + /** + * Add a user to a group + * + * @param string $userId ID of the user + * @param string $groupid ID of the group + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> + * @throws OCSException + * + * 200: User added to group successfully + */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] public function addToGroup(string $userId, string $groupid = ''): DataResponse { if ($groupid === '') { throw new OCSException('', 101); @@ -858,7 +1589,9 @@ class UsersController extends AUserData { // If they're not an admin, check they are a subadmin of the group in question $loggedInUser = $this->userSession->getUser(); $subAdminManager = $this->groupManager->getSubAdmin(); - if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) { + $isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($loggedInUser->getUID()); + if (!$isAdmin && !($isDelegatedAdmin && $groupid !== 'admin') && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) { throw new OCSException('', 104); } @@ -868,14 +1601,17 @@ class UsersController extends AUserData { } /** - * @PasswordConfirmationRequired - * @NoAdminRequired + * Remove a user from a group * - * @param string $userId - * @param string $groupid - * @return DataResponse + * @param string $userId ID of the user + * @param string $groupid ID of the group + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: User removed from group successfully */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] public function removeFromGroup(string $userId, string $groupid): DataResponse { $loggedInUser = $this->userSession->getUser(); @@ -895,21 +1631,23 @@ class UsersController extends AUserData { // If they're not an admin, check they are a subadmin of the group in question $subAdminManager = $this->groupManager->getSubAdmin(); - if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) { + $isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($loggedInUser->getUID()); + if (!$isAdmin && !($isDelegatedAdmin && $groupid !== 'admin') && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) { throw new OCSException('', 104); } // Check they aren't removing themselves from 'admin' or their 'subadmin; group if ($targetUser->getUID() === $loggedInUser->getUID()) { - if ($this->groupManager->isAdmin($loggedInUser->getUID())) { + if ($isAdmin || $isDelegatedAdmin) { if ($group->getGID() === 'admin') { - throw new OCSException('Cannot remove yourself from the admin group', 105); + throw new OCSException($this->l10n->t('Cannot remove yourself from the admin group'), 105); } } else { // Not an admin, so the user must be a subadmin of this group, but that is not allowed. - throw new OCSException('Cannot remove yourself from this group as you are a SubAdmin', 105); + throw new OCSException($this->l10n->t('Cannot remove yourself from this group as you are a sub-admin'), 105); } - } elseif (!$this->groupManager->isAdmin($loggedInUser->getUID())) { + } elseif (!($isAdmin || $isDelegatedAdmin)) { /** @var IGroup[] $subAdminGroups */ $subAdminGroups = $subAdminManager->getSubAdminsGroups($loggedInUser); $subAdminGroups = array_map(function (IGroup $subAdminGroup) { @@ -920,7 +1658,7 @@ class UsersController extends AUserData { if (count($userSubAdminGroups) <= 1) { // Subadmin must not be able to remove a user from all their subadmin groups. - throw new OCSException('Not viable to remove user from the last group you are SubAdmin of', 105); + throw new OCSException($this->l10n->t('Not viable to remove user from the last group you are sub-admin of'), 105); } } @@ -930,30 +1668,32 @@ class UsersController extends AUserData { } /** - * Creates a subadmin + * Make a user a subadmin of a group * - * @PasswordConfirmationRequired - * - * @param string $userId - * @param string $groupid - * @return DataResponse + * @param string $userId ID of the user + * @param string $groupid ID of the group + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: User added as group subadmin successfully */ + #[AuthorizedAdminSetting(settings:Users::class)] + #[PasswordConfirmationRequired] public function addSubAdmin(string $userId, string $groupid): DataResponse { $group = $this->groupManager->get($groupid); $user = $this->userManager->get($userId); // Check if the user exists if ($user === null) { - throw new OCSException('User does not exist', 101); + throw new OCSException($this->l10n->t('User does not exist'), 101); } // Check if group exists if ($group === null) { - throw new OCSException('Group does not exist', 102); + throw new OCSException($this->l10n->t('Group does not exist'), 102); } // Check if trying to make subadmin of admin group if ($group->getGID() === 'admin') { - throw new OCSException('Cannot create subadmins for admin group', 103); + throw new OCSException($this->l10n->t('Cannot create sub-admins for admin group'), 103); } $subAdminManager = $this->groupManager->getSubAdmin(); @@ -968,15 +1708,17 @@ class UsersController extends AUserData { } /** - * Removes a subadmin from a group + * Remove a user from the subadmins of a group * - * @PasswordConfirmationRequired - * - * @param string $userId - * @param string $groupid - * @return DataResponse + * @param string $userId ID of the user + * @param string $groupid ID of the group + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: User removed as group subadmin successfully */ + #[AuthorizedAdminSetting(settings:Users::class)] + #[PasswordConfirmationRequired] public function removeSubAdmin(string $userId, string $groupid): DataResponse { $group = $this->groupManager->get($groupid); $user = $this->userManager->get($userId); @@ -984,15 +1726,15 @@ class UsersController extends AUserData { // Check if the user exists if ($user === null) { - throw new OCSException('User does not exist', 101); + throw new OCSException($this->l10n->t('User does not exist'), 101); } // Check if the group exists if ($group === null) { - throw new OCSException('Group does not exist', 101); + throw new OCSException($this->l10n->t('Group does not exist'), 101); } // Check if they are a subadmin of this said group if (!$subAdminManager->isSubAdminOfGroup($user, $group)) { - throw new OCSException('User is not a subadmin of this group', 102); + throw new OCSException($this->l10n->t('User is not a sub-admin of this group'), 102); } // Go @@ -1003,56 +1745,71 @@ class UsersController extends AUserData { /** * Get the groups a user is a subadmin of * - * @param string $userId - * @return DataResponse + * @param string $userId ID if the user + * @return DataResponse<Http::STATUS_OK, list<string>, array{}> * @throws OCSException + * + * 200: User subadmin groups returned */ + #[AuthorizedAdminSetting(settings:Users::class)] public function getUserSubAdminGroups(string $userId): DataResponse { $groups = $this->getUserSubAdminGroupsData($userId); return new DataResponse($groups); } /** - * @NoAdminRequired - * @PasswordConfirmationRequired + * Resend the welcome message * - * resend welcome message - * - * @param string $userId - * @return DataResponse + * @param string $userId ID if the user + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * + * 200: Resent welcome message successfully */ + #[PasswordConfirmationRequired] + #[NoAdminRequired] public function resendWelcomeMessage(string $userId): DataResponse { $currentLoggedInUser = $this->userSession->getUser(); $targetUser = $this->userManager->get($userId); if ($targetUser === null) { - throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } // Check if admin / subadmin $subAdminManager = $this->groupManager->getSubAdmin(); - if (!$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser) - && !$this->groupManager->isAdmin($currentLoggedInUser->getUID())) { + $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()); + $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID()); + if ( + !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser) + && !($isAdmin || $isDelegatedAdmin) + ) { // No rights - throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException('', OCSController::RESPOND_NOT_FOUND); } $email = $targetUser->getEMailAddress(); if ($email === '' || $email === null) { - throw new OCSException('Email address not available', 101); + throw new OCSException($this->l10n->t('Email address not available'), 101); } try { - $emailTemplate = $this->newUserMailHelper->generateTemplate($targetUser, false); + if ($this->config->getUserValue($targetUser->getUID(), 'core', 'lostpassword')) { + $emailTemplate = $this->newUserMailHelper->generateTemplate($targetUser, true); + } else { + $emailTemplate = $this->newUserMailHelper->generateTemplate($targetUser, false); + } + $this->newUserMailHelper->sendMail($targetUser, $emailTemplate); } catch (\Exception $e) { - $this->logger->logException($e, [ - 'message' => "Can't send new user mail to $email", - 'level' => ILogger::ERROR, - 'app' => 'settings', - ]); - throw new OCSException('Sending email failed', 102); + $this->logger->error( + "Can't send new user mail to $email", + [ + 'app' => 'settings', + 'exception' => $e, + ] + ); + throw new OCSException($this->l10n->t('Sending email failed'), 102); } return new DataResponse(); diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php new file mode 100644 index 00000000000..70535c4906c --- /dev/null +++ b/apps/provisioning_api/lib/Controller/VerificationController.php @@ -0,0 +1,125 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Provisioning_API\Controller; + +use InvalidArgumentException; +use OC\Security\Crypto; +use OCP\Accounts\IAccountManager; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\BruteForceProtection; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\NoCSRFRequired; +use OCP\AppFramework\Http\Attribute\OpenAPI; +use OCP\AppFramework\Http\TemplateResponse; +use OCP\IL10N; +use OCP\IRequest; +use OCP\IUserManager; +use OCP\IUserSession; +use OCP\Security\VerificationToken\InvalidTokenException; +use OCP\Security\VerificationToken\IVerificationToken; + +#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)] +class VerificationController extends Controller { + + /** @var Crypto */ + private $crypto; + + public function __construct( + string $appName, + IRequest $request, + private IVerificationToken $verificationToken, + private IUserManager $userManager, + private IL10N $l10n, + private IUserSession $userSession, + private IAccountManager $accountManager, + Crypto $crypto, + ) { + parent::__construct($appName, $request); + $this->crypto = $crypto; + } + + /** + * @NoSubAdminRequired + */ + #[NoAdminRequired] + #[NoCSRFRequired] + public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse { + if ($this->userSession->getUser()->getUID() !== $userId) { + // not a public page, hence getUser() must return an IUser + throw new InvalidArgumentException('Logged in account is not mail address owner'); + } + $email = $this->crypto->decrypt($key); + + return new TemplateResponse( + 'core', 'confirmation', [ + 'title' => $this->l10n->t('Email confirmation'), + 'message' => $this->l10n->t('To enable the email address %s please click the button below.', [$email]), + 'action' => $this->l10n->t('Confirm'), + ], TemplateResponse::RENDER_AS_GUEST); + } + + /** + * @NoSubAdminRequired + */ + #[NoAdminRequired] + #[BruteForceProtection(action: 'emailVerification')] + public function verifyMail(string $token, string $userId, string $key): TemplateResponse { + $throttle = false; + try { + if ($this->userSession->getUser()->getUID() !== $userId) { + throw new InvalidArgumentException('Logged in account is not mail address owner'); + } + $email = $this->crypto->decrypt($key); + $ref = \substr(hash('sha256', $email), 0, 8); + + $user = $this->userManager->get($userId); + $this->verificationToken->check($token, $user, 'verifyMail' . $ref, $email); + + $userAccount = $this->accountManager->getAccount($user); + $emailProperty = $userAccount->getPropertyCollection(IAccountManager::COLLECTION_EMAIL) + ->getPropertyByValue($email); + + if ($emailProperty === null) { + throw new InvalidArgumentException($this->l10n->t('Email was already removed from account and cannot be confirmed anymore.')); + } + $emailProperty->setLocallyVerified(IAccountManager::VERIFIED); + $this->accountManager->updateAccount($userAccount); + $this->verificationToken->delete($token, $user, 'verifyMail' . $ref); + } catch (InvalidTokenException $e) { + if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) { + $error = $this->l10n->t('Could not verify mail because the token is expired.'); + } else { + $throttle = true; + $error = $this->l10n->t('Could not verify mail because the token is invalid.'); + } + } catch (InvalidArgumentException $e) { + $error = $e->getMessage(); + } catch (\Exception $e) { + $error = $this->l10n->t('An unexpected error occurred. Please contact your admin.'); + } + + if (isset($error)) { + $response = new TemplateResponse( + 'core', 'error', [ + 'errors' => [['error' => $error]] + ], TemplateResponse::RENDER_AS_GUEST); + if ($throttle) { + $response->throttle(); + } + return $response; + } + + return new TemplateResponse( + 'core', 'success', [ + 'title' => $this->l10n->t('Email confirmation successful'), + 'message' => $this->l10n->t('Email confirmation successful'), + ], TemplateResponse::RENDER_AS_GUEST); + } +} diff --git a/apps/provisioning_api/lib/FederatedShareProviderFactory.php b/apps/provisioning_api/lib/FederatedShareProviderFactory.php index 0b0cfc5bd22..3da76102c4a 100644 --- a/apps/provisioning_api/lib/FederatedShareProviderFactory.php +++ b/apps/provisioning_api/lib/FederatedShareProviderFactory.php @@ -1,29 +1,11 @@ <?php -/** - * @copyright 2018, Roeland Jago Douma <roeland@famdouma.nl> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * - */ + declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ namespace OCA\Provisioning_API; use OCA\FederatedFileSharing\FederatedShareProvider; @@ -31,11 +13,9 @@ use OCP\IServerContainer; class FederatedShareProviderFactory { - /** @var IServerContainer */ - private $serverContainer; - - public function __construct(IServerContainer $serverContainer) { - $this->serverContainer = $serverContainer; + public function __construct( + private IServerContainer $serverContainer, + ) { } public function get(): FederatedShareProvider { diff --git a/apps/provisioning_api/lib/Listener/UserDeletedListener.php b/apps/provisioning_api/lib/Listener/UserDeletedListener.php new file mode 100644 index 00000000000..099b5593ed7 --- /dev/null +++ b/apps/provisioning_api/lib/Listener/UserDeletedListener.php @@ -0,0 +1,40 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Provisioning_API\Listener; + +use OC\KnownUser\KnownUserService; +use OCP\EventDispatcher\Event; +use OCP\EventDispatcher\IEventListener; +use OCP\User\Events\UserDeletedEvent; + +/** @template-implements IEventListener<UserDeletedEvent> */ +class UserDeletedListener implements IEventListener { + + /** @var KnownUserService */ + private $service; + + public function __construct(KnownUserService $service) { + $this->service = $service; + } + + public function handle(Event $event): void { + if (!($event instanceof UserDeletedEvent)) { + // Unrelated + return; + } + + $user = $event->getUser(); + + // Delete all entries of this user + $this->service->deleteKnownTo($user->getUID()); + + // Delete all entries that other users know this user + $this->service->deleteByContactUserId($user->getUID()); + } +} diff --git a/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php b/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php index 04e9fa33578..b014d6a1495 100644 --- a/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php +++ b/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php @@ -1,33 +1,15 @@ <?php + /** - * - * - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\Provisioning_API\Middleware\Exceptions; use OCP\AppFramework\Http; class NotSubAdminException extends \Exception { public function __construct() { - parent::__construct('Logged in user must be at least a sub admin', Http::STATUS_FORBIDDEN); + parent::__construct('Logged in account must be at least a sub admin', Http::STATUS_FORBIDDEN); } } diff --git a/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php index e5a93fc402a..1989ef5d4c1 100644 --- a/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php +++ b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php @@ -3,33 +3,14 @@ declare(strict_types=1); /** - * - * - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\Provisioning_API\Middleware; use OCA\Provisioning_API\Middleware\Exceptions\NotSubAdminException; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\Response; use OCP\AppFramework\Middleware; use OCP\AppFramework\OCS\OCSException; @@ -37,15 +18,6 @@ use OCP\AppFramework\Utility\IControllerMethodReflector; class ProvisioningApiMiddleware extends Middleware { - /** @var IControllerMethodReflector */ - private $reflector; - - /** @var bool */ - private $isAdmin; - - /** @var bool */ - private $isSubAdmin; - /** * ProvisioningApiMiddleware constructor. * @@ -54,12 +26,10 @@ class ProvisioningApiMiddleware extends Middleware { * @param bool $isSubAdmin */ public function __construct( - IControllerMethodReflector $reflector, - bool $isAdmin, - bool $isSubAdmin) { - $this->reflector = $reflector; - $this->isAdmin = $isAdmin; - $this->isSubAdmin = $isSubAdmin; + private IControllerMethodReflector $reflector, + private bool $isAdmin, + private bool $isSubAdmin, + ) { } /** @@ -69,7 +39,8 @@ class ProvisioningApiMiddleware extends Middleware { * @throws NotSubAdminException */ public function beforeController($controller, $methodName) { - if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin) { + // If AuthorizedAdminSetting, the check will be done in the SecurityMiddleware + if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin && !$this->reflector->hasAnnotation('AuthorizedAdminSetting')) { throw new NotSubAdminException(); } } @@ -83,7 +54,7 @@ class ProvisioningApiMiddleware extends Middleware { */ public function afterException($controller, $methodName, \Exception $exception) { if ($exception instanceof NotSubAdminException) { - throw new OCSException($exception->getMessage(), \OCP\API::RESPOND_UNAUTHORISED); + throw new OCSException($exception->getMessage(), Http::STATUS_FORBIDDEN); } throw $exception; diff --git a/apps/provisioning_api/lib/ResponseDefinitions.php b/apps/provisioning_api/lib/ResponseDefinitions.php new file mode 100644 index 00000000000..62ae4ca577b --- /dev/null +++ b/apps/provisioning_api/lib/ResponseDefinitions.php @@ -0,0 +1,86 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Provisioning_API; + +/** + * @psalm-type Provisioning_APIUserDetailsQuota = array{ + * free?: float|int, + * quota?: float|int|string, + * relative?: float|int, + * total?: float|int, + * used?: float|int, + * } + * + * @psalm-type Provisioning_APIUserDetailsScope = 'v2-private'|'v2-local'|'v2-federated'|'v2-published'|'private'|'contacts'|'public' + * + * @psalm-type Provisioning_APIUserDetails = array{ + * additional_mail: list<string>, + * additional_mailScope?: list<Provisioning_APIUserDetailsScope>, + * address: string, + * addressScope?: Provisioning_APIUserDetailsScope, + * avatarScope?: Provisioning_APIUserDetailsScope, + * backend: string, + * backendCapabilities: array{ + * setDisplayName: bool, + * setPassword: bool + * }, + * biography: string, + * biographyScope?: Provisioning_APIUserDetailsScope, + * display-name: string, + * displayname: string, + * displaynameScope?: Provisioning_APIUserDetailsScope, + * email: ?string, + * emailScope?: Provisioning_APIUserDetailsScope, + * enabled?: bool, + * fediverse: string, + * fediverseScope?: Provisioning_APIUserDetailsScope, + * groups: list<string>, + * headline: string, + * headlineScope?: Provisioning_APIUserDetailsScope, + * id: string, + * language: string, + * firstLoginTimestamp: int, + * lastLoginTimestamp: int, + * lastLogin: int, + * locale: string, + * manager: string, + * notify_email: ?string, + * organisation: string, + * organisationScope?: Provisioning_APIUserDetailsScope, + * phone: string, + * phoneScope?: Provisioning_APIUserDetailsScope, + * profile_enabled: string, + * profile_enabledScope?: Provisioning_APIUserDetailsScope, + * pronouns: string, + * pronounsScope?: Provisioning_APIUserDetailsScope, + * quota: Provisioning_APIUserDetailsQuota, + * role: string, + * roleScope?: Provisioning_APIUserDetailsScope, + * storageLocation?: string, + * subadmin: list<string>, + * twitter: string, + * twitterScope?: Provisioning_APIUserDetailsScope, + * bluesky: string, + * blueskyScope?: Provisioning_APIUserDetailsScope, + * website: string, + * websiteScope?: Provisioning_APIUserDetailsScope, + * } + * + * @psalm-type Provisioning_APIGroupDetails = array{ + * id: string, + * displayname: string, + * usercount: bool|int, + * disabled: bool|int, + * canAdd: bool, + * canRemove: bool, + * } + */ +class ResponseDefinitions { +} |