Diffstat (limited to 'lib/private/Group')
-rw-r--r-- | lib/private/Group/Backend.php | 2 | ||||
-rw-r--r-- | lib/private/Group/Database.php | 42 | ||||
-rw-r--r-- | lib/private/Group/Group.php | 6 | ||||
-rw-r--r-- | lib/private/Group/Manager.php | 45 | ||||
-rw-r--r-- | lib/private/Group/MetaData.php | 27 |
5 files changed, 63 insertions, 59 deletions
diff --git a/lib/private/Group/Backend.php b/lib/private/Group/Backend.php index f6844308a15..f4a90018b5a 100644 --- a/lib/private/Group/Backend.php +++ b/lib/private/Group/Backend.php @@ -71,7 +71,7 @@ abstract class Backend implements \OCP\GroupInterface { /** * Get all groups a user belongs to * @param string $uid Name of the user - * @return array an array of group names + * @return list<string> an array of group names * * This function fetches all groups a user belongs to. It does not check * if the user exists at all. diff --git a/lib/private/Group/Database.php b/lib/private/Group/Database.php index 925b5bb0bdd..0cb571a3935 100644 --- a/lib/private/Group/Database.php +++ b/lib/private/Group/Database.php @@ -44,15 +44,15 @@ class Database extends ABackend implements INamedBackend { /** @var array<string, array{gid: string, displayname: string}> */ private $groupCache = []; - private ?IDBConnection $dbConn; /** * \OC\Group\Database constructor. * * @param IDBConnection|null $dbConn */ - public function __construct(?IDBConnection $dbConn = null) { - $this->dbConn = $dbConn; + public function __construct( + private ?IDBConnection $dbConn = null, + ) { } /** @@ -102,19 +102,19 @@ class Database extends ABackend implements $qb = $this->dbConn->getQueryBuilder(); $qb->delete('groups') ->where($qb->expr()->eq('gid', $qb->createNamedParameter($gid))) - ->execute(); + ->executeStatement(); // Delete the group-user relation $qb = $this->dbConn->getQueryBuilder(); $qb->delete('group_user') ->where($qb->expr()->eq('gid', $qb->createNamedParameter($gid))) - ->execute(); + ->executeStatement(); // Delete the group-groupadmin relation $qb = $this->dbConn->getQueryBuilder(); $qb->delete('group_admin') ->where($qb->expr()->eq('gid', $qb->createNamedParameter($gid))) - ->execute(); + ->executeStatement(); // Delete from cache unset($this->groupCache[$gid]); 
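Review bot: The three deletes on `groups`, `group_user` and `group_admin` in the `@@ -102,19 +102,19 @@` hunk are still issued as independent statements, so a failure after the first one leaves membership or group-admin rows behind for a gid that no longer exists. If a group with the same gid is created later, those leftover rows would presumably attach the old members and group admins to it. Unless a caller already opens a transaction (not visible here; the method starts and ends outside the hunk), running the statements in one transaction closes that gap.

```php
$this->dbConn->beginTransaction();
try {
	// … unchanged: the three delete statements on groups, group_user and group_admin …
	$this->dbConn->commit();
} catch (\Throwable $e) {
	$this->dbConn->rollBack();
	throw $e;
}
```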
@@ -139,7 +139,7 @@ class Database extends ABackend implements ->from('group_user') ->where($qb->expr()->eq('gid', $qb->createNamedParameter($gid))) ->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) - ->execute(); + ->executeQuery(); $result = $cursor->fetch(); $cursor->closeCursor(); @@ -164,7 +164,7 @@ class Database extends ABackend implements $qb->insert('group_user') ->setValue('uid', $qb->createNamedParameter($uid)) ->setValue('gid', $qb->createNamedParameter($gid)) - ->execute(); + ->executeStatement(); return true; } else { return false; @@ -186,7 +186,7 @@ class Database extends ABackend implements $qb->delete('group_user') ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) ->andWhere($qb->expr()->eq('gid', $qb->createNamedParameter($gid))) - ->execute(); + ->executeStatement(); return true; } @@ -194,7 +194,7 @@ class Database extends ABackend implements /** * Get all groups a user belongs to * @param string $uid Name of the user - * @return array an array of group names + * @return list<string> an array of group names * * This function fetches all groups a user belongs to. It does not check * if the user exists at all. @@ -213,7 +213,7 @@ class Database extends ABackend implements ->from('group_user', 'gu') ->leftJoin('gu', 'groups', 'g', $qb->expr()->eq('gu.gid', 'g.gid')) ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) - ->execute(); + ->executeQuery(); $groups = []; while ($row = $cursor->fetch()) { @@ -260,7 +260,7 @@ class Database extends ABackend implements if ($offset > 0) { $query->setFirstResult($offset); } - $result = $query->execute(); + $result = $query->executeQuery(); $groups = []; while ($row = $result->fetch()) { @@ -292,7 +292,7 @@ class Database extends ABackend implements $cursor = $qb->select('gid', 'displayname') ->from('groups') ->where($qb->expr()->eq('gid', $qb->createNamedParameter($gid))) - ->execute(); + ->executeQuery(); $result = $cursor->fetch(); $cursor->closeCursor(); 
@@ -325,8 +325,8 @@ class Database extends ABackend implements $qb = $this->dbConn->getQueryBuilder(); $qb->select('gid', 'displayname') - ->from('groups') - ->where($qb->expr()->in('gid', $qb->createParameter('ids'))); + ->from('groups') + ->where($qb->expr()->in('gid', $qb->createParameter('ids'))); foreach (array_chunk($notFoundGids, 1000) as $chunk) { $qb->setParameter('ids', $chunk, IQueryBuilder::PARAM_STR_ARRAY); $result = $qb->executeQuery(); @@ -423,7 +423,7 @@ class Database extends ABackend implements ))); } - $result = $query->execute(); + $result = $query->executeQuery(); $count = $result->fetchOne(); $result->closeCursor(); @@ -455,7 +455,7 @@ class Database extends ABackend implements ->andWhere($query->expr()->eq('configvalue', $query->createNamedParameter('false'), IQueryBuilder::PARAM_STR)) ->andWhere($query->expr()->eq('gid', $query->createNamedParameter($gid), IQueryBuilder::PARAM_STR)); - $result = $query->execute(); + $result = $query->executeQuery(); $count = $result->fetchOne(); $result->closeCursor(); @@ -484,11 +484,11 @@ class Database extends ABackend implements ->from('groups') ->where($query->expr()->eq('gid', $query->createNamedParameter($gid))); - $result = $query->execute(); + $result = $query->executeQuery(); $displayName = $result->fetchOne(); $result->closeCursor(); - return (string) $displayName; + return (string)$displayName; } public function getGroupDetails(string $gid): array { @@ -507,6 +507,8 @@ class Database extends ABackend implements $notFoundGids = []; $details = []; + $this->fixDI(); + // In case the data is already locally accessible, not need to do SQL query // or do a SQL query but with a smaller in clause foreach ($gids as $gid) { 
@@ -553,7 +555,7 @@ class Database extends ABackend implements $query->update('groups') ->set('displayname', $query->createNamedParameter($displayName)) ->where($query->expr()->eq('gid', $query->createNamedParameter($gid))); - $query->execute(); + $query->executeStatement(); return true; } diff --git a/lib/private/Group/Group.php b/lib/private/Group/Group.php index dcda7c29bb5..6e42fad8b9f 100644 --- a/lib/private/Group/Group.php +++ b/lib/private/Group/Group.php @@ -30,7 +30,7 @@ use OCP\IUser; use OCP\IUserManager; class Group implements IGroup { - /** @var null|string */ + /** @var null|string */ protected $displayName; /** @var string */ @@ -46,7 +46,7 @@ class Group implements IGroup { private $backends; /** @var IEventDispatcher */ private $dispatcher; - /** @var \OC\User\Manager|IUserManager */ + /** @var \OC\User\Manager|IUserManager */ private $userManager; /** @var PublicEmitter */ private $emitter; @@ -377,7 +377,7 @@ class Group implements IGroup { */ public function hideFromCollaboration(): bool { return array_reduce($this->backends, function (bool $hide, GroupInterface $backend) { - return $hide | ($backend instanceof IHideFromCollaborationBackend && $backend->hideGroup($this->gid)); + return $hide || ($backend instanceof IHideFromCollaborationBackend && $backend->hideGroup($this->gid)); }, false); } } diff --git a/lib/private/Group/Manager.php b/lib/private/Group/Manager.php index 0ab64907c8b..e58a1fe6585 100644 --- a/lib/private/Group/Manager.php +++ b/lib/private/Group/Manager.php @@ -8,6 +8,7 @@ namespace OC\Group; use OC\Hooks\PublicEmitter; +use OC\Settings\AuthorizedGroupMapper; use OCP\EventDispatcher\IEventDispatcher; use OCP\Group\Backend\IBatchMethodsBackend; use OCP\Group\Backend\ICreateNamedGroupBackend; @@ -19,6 +20,7 @@ use OCP\ICacheFactory; use OCP\IGroup; use OCP\IGroupManager; use OCP\IUser; +use OCP\Security\Ip\IRemoteAddress; use Psr\Log\LoggerInterface; use function is_string; 
@@ -41,11 +43,6 @@ class Manager extends PublicEmitter implements IGroupManager { /** @var GroupInterface[] */ private $backends = []; - /** @var \OC\User\Manager */ - private $userManager; - private IEventDispatcher $dispatcher; - private LoggerInterface $logger; - /** @var array<string, IGroup> */ private $cachedGroups = []; @@ -59,13 +56,13 @@ class Manager extends PublicEmitter implements IGroupManager { private const MAX_GROUP_LENGTH = 255; - public function __construct(\OC\User\Manager $userManager, - IEventDispatcher $dispatcher, - LoggerInterface $logger, - ICacheFactory $cacheFactory) { - $this->userManager = $userManager; - $this->dispatcher = $dispatcher; - $this->logger = $logger; + public function __construct( + private \OC\User\Manager $userManager, + private IEventDispatcher $dispatcher, + private LoggerInterface $logger, + ICacheFactory $cacheFactory, + private IRemoteAddress $remoteAddress, + ) { $this->displayNameCache = new DisplayNameCache($cacheFactory, $this); $this->listen('\OC\Group', 'postDelete', function (IGroup $group): void { @@ -241,7 +238,7 @@ class Manager extends PublicEmitter implements IGroupManager { } elseif ($group = $this->get($gid)) { return $group; } elseif (mb_strlen($gid) > self::MAX_GROUP_LENGTH) { - throw new \Exception('Group name is limited to '. self::MAX_GROUP_LENGTH.' characters'); + throw new \Exception('Group name is limited to ' . self::MAX_GROUP_LENGTH . ' characters'); } else { $this->dispatcher->dispatchTyped(new BeforeGroupCreatedEvent($gid)); $this->emit('\OC\Group', 'preCreate', [$gid]); @@ -325,6 +322,10 @@ class Manager extends PublicEmitter implements IGroupManager { * @return bool if admin */ public function isAdmin($userId) { + if (!$this->remoteAddress->allowsAdminActions()) { + return false; + } + foreach ($this->backends as $backend) { if (is_string($userId) && $backend->implementsActions(Backend::IS_ADMIN) && $backend->isAdmin($userId)) { return true; 
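Review bot: The docblock above `isAdmin()` still says only `@return bool if admin`, but with the guard added in the `@@ -325,6 +322,10 @@` hunk the answer also depends on the request's remote address: a member of the `admin` group gets `false` whenever `allowsAdminActions()` returns false. Document that, e.g. `@return bool true if the user is an admin and the remote address is allowed to perform admin actions`. The restriction lives only in this method, so any code that decides admin rights through `isInGroup($uid, 'admin')` or the user's group-id list would not see it; callers outside this diff are worth auditing for that pattern. The method body continues outside the hunk.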
@@ -333,6 +334,18 @@ class Manager extends PublicEmitter implements IGroupManager { return $this->isInGroup($userId, 'admin'); } + public function isDelegatedAdmin(string $userId): bool { + if (!$this->remoteAddress->allowsAdminActions()) { + return false; + } + + // Check if the user as admin delegation for users listing + $authorizedGroupMapper = \OCP\Server::get(AuthorizedGroupMapper::class); + $user = $this->userManager->get($userId); + $authorizedClasses = $authorizedGroupMapper->findAllClassesForUser($user); + return in_array(\OCA\Settings\Settings\Admin\Users::class, $authorizedClasses, true); + } + /** * Checks if a userId is in a group * @@ -348,7 +361,7 @@ class Manager extends PublicEmitter implements IGroupManager { * get a list of group ids for a user * * @param IUser $user - * @return string[] with group ids + * @return list<string> with group ids */ public function getUserGroupIds(IUser $user): array { return $this->getUserIdGroupIds($user->getUID()); @@ -356,7 +369,7 @@ class Manager extends PublicEmitter implements IGroupManager { /** * @param string $uid the user id - * @return string[] + * @return list<string> */ private function getUserIdGroupIds(string $uid): array { if (!isset($this->cachedUserGroups[$uid])) { @@ -439,7 +452,7 @@ class Manager extends PublicEmitter implements IGroupManager { $matchingUsers = []; foreach ($groupUsers as $groupUser) { - $matchingUsers[(string) $groupUser->getUID()] = $groupUser->getDisplayName(); + $matchingUsers[(string)$groupUser->getUID()] = $groupUser->getDisplayName(); } return $matchingUsers; } diff --git a/lib/private/Group/MetaData.php b/lib/private/Group/MetaData.php index 638dc184812..77432eea5ff 100644 --- a/lib/private/Group/MetaData.php +++ b/lib/private/Group/MetaData.php 
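Review bot: In `isDelegatedAdmin()` the result of `$this->userManager->get($userId)` is passed straight to `findAllClassesForUser($user)`; if `get()` returns null for an unknown uid (its signature is not visible here), the call fails with an error instead of answering `false`. A guard such as `if ($user === null) { return false; }` before the mapper call keeps this authorization check fail-closed. The inline comment should read `// Check if the user has admin delegation for users listing`. Resolving `AuthorizedGroupMapper` through `\OCP\Server::get()` inside the method, rather than through the constructor like the other dependencies, also hides the dependency from tests.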
@@ -17,33 +17,22 @@ class MetaData { public const SORT_USERCOUNT = 1; // May have performance issues on LDAP backends public const SORT_GROUPNAME = 2; - /** @var string */ - protected $user; - /** @var bool */ - protected $isAdmin; /** @var array */ protected $metaData = []; - /** @var GroupManager */ - protected $groupManager; /** @var int */ protected $sorting = self::SORT_NONE; - /** @var IUserSession */ - protected $userSession; /** * @param string $user the uid of the current user * @param bool $isAdmin whether the current users is an admin */ public function __construct( - string $user, - bool $isAdmin, - IGroupManager $groupManager, - IUserSession $userSession + private string $user, + private bool $isAdmin, + private bool $isDelegatedAdmin, + private IGroupManager $groupManager, + private IUserSession $userSession, ) { - $this->user = $user; - $this->isAdmin = $isAdmin; - $this->groupManager = $groupManager; - $this->userSession = $userSession; } /** @@ -52,7 +41,7 @@ class MetaData { * [0] array containing meta data about admin groups * [1] array containing meta data about unprivileged groups * @param string $groupSearch only effective when instance was created with - * isAdmin being true + * isAdmin being true * @param string $userSearch the pattern users are search for */ public function get(string $groupSearch = '', string $userSearch = ''): array { @@ -162,11 +151,11 @@ class MetaData { * @return IGroup[] */ public function getGroups(string $search = ''): array { - if ($this->isAdmin) { + if ($this->isAdmin || $this->isDelegatedAdmin) { return $this->groupManager->search($search); } else { $userObject = $this->userSession->getUser(); - if ($userObject !== null) { + if ($userObject !== null && $this->groupManager instanceof GroupManager) { $groups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($userObject); } else { $groups = []; |
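Review bot: The constructor docblock in the `@@ -17,33 +17,22 @@` hunk documents `$user` and `$isAdmin` but not the new `$isDelegatedAdmin`, which widens what `getGroups()` returns; add `@param bool $isDelegatedAdmin whether the current user has delegated admin rights for the users listing`. The flag is a plain bool supplied by the caller, so the docblock should also say where it is expected to come from, presumably `Manager::isDelegatedAdmin()` with its remote-address check, though the callers are outside this diff. The promoted properties are `private` where the removed ones were `protected`, which breaks any subclass that reads them.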
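Review bot: In `getGroups()` a delegated admin now takes the same branch as a full admin and receives `$this->groupManager->search($search)` unfiltered, which presumably includes the `admin` group itself. If delegation is meant to cover only the users listing, confirm that exposing every group is intended and state it in the method docblock, e.g. `Admins and delegated admins get all groups matching $search; other users only the groups they are sub-admin of`. The `get()` docblock still says `$groupSearch` is "only effective when instance was created with isAdmin being true", which no longer matches this branch. The new `instanceof GroupManager` test also silently yields an empty list for any other `IGroupManager` implementation.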