From 67d8c3653781e095982a750dd434dcd429268383 Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@winzerhof-wurst.at>
Date: Wed, 24 May 2023 22:27:51 +0200
Subject: fix(carddav): Don't show system address book cards to guests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
---
 .../tests/unit/CardDAV/SystemAddressBookTest.php   | 78 ++++++++++++++++++++++
 1 file changed, 78 insertions(+)

(limited to 'apps/dav/tests')

diff --git a/apps/dav/tests/unit/CardDAV/SystemAddressBookTest.php b/apps/dav/tests/unit/CardDAV/SystemAddressBookTest.php
index 325b1120e8b..97bb92ad9bc 100644
--- a/apps/dav/tests/unit/CardDAV/SystemAddressBookTest.php
+++ b/apps/dav/tests/unit/CardDAV/SystemAddressBookTest.php
@@ -90,6 +90,46 @@ class SystemAddressBookTest extends TestCase {
 		);
 	}
 
+	public function testGetChildrenAsGuest(): void {
+		$this->config->expects(self::exactly(3))
+			->method('getAppValue')
+			->willReturnMap([
+				['core', 'shareapi_allow_share_dialog_user_enumeration', 'yes', 'yes'],
+				['core', 'shareapi_restrict_user_enumeration_to_group', 'no', 'no'],
+				['core', 'shareapi_restrict_user_enumeration_to_phone', 'no', 'no'],
+			]);
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('user');
+		$user->method('getBackendClassName')->willReturn('Guests');
+		$this->userSession->expects(self::once())
+			->method('getUser')
+			->willReturn($user);
+		$vcfWithScopes = <<<VCF
+BEGIN:VCARD
+VERSION:3.0
+PRODID:-//Sabre//Sabre VObject 4.4.2//EN
+UID:admin
+FN;X-NC-SCOPE=v2-federated:admin
+N;X-NC-SCOPE=v2-federated:admin;;;;
+ADR;TYPE=OTHER;X-NC-SCOPE=v2-local:Testing test test test;;;;;;
+EMAIL;TYPE=OTHER;X-NC-SCOPE=v2-federated:miau_lalala@gmx.net
+TEL;TYPE=OTHER;X-NC-SCOPE=v2-local:+435454454544
+CLOUD:admin@http://localhost
+END:VCARD
+VCF;
+		$originalCard = [
+			'carddata' => $vcfWithScopes,
+		];
+		$this->cardDavBackend->expects(self::once())
+			->method('getCard')
+			->with(123, 'Guests:user.vcf')
+			->willReturn($originalCard);
+
+		$children = $this->addressBook->getChildren();
+
+		self::assertCount(1, $children);
+	}
+
 	public function testGetFilteredChildForFederation(): void {
 		$this->config->expects(self::exactly(3))
 			->method('getAppValue')
@@ -172,6 +212,24 @@ VCF;
 		$this->addressBook->getChild("LDAP:user.vcf");
 	}
 
+	public function testGetChildAsGuest(): void {
+		$this->config->expects(self::exactly(3))
+			->method('getAppValue')
+			->willReturnMap([
+				['core', 'shareapi_allow_share_dialog_user_enumeration', 'yes', 'yes'],
+				['core', 'shareapi_restrict_user_enumeration_to_group', 'no', 'no'],
+				['core', 'shareapi_restrict_user_enumeration_to_phone', 'no', 'no'],
+			]);
+		$user = $this->createMock(IUser::class);
+		$user->method('getBackendClassName')->willReturn('Guests');
+		$this->userSession->expects(self::once())
+			->method('getUser')
+			->willReturn($user);
+		$this->expectException(Forbidden::class);
+
+		$this->addressBook->getChild("LDAP:user.vcf");
+	}
+
 	public function testGetChildWithGroupEnumerationRestriction(): void {
 		$this->config->expects(self::exactly(3))
 			->method('getAppValue')
@@ -322,6 +380,26 @@ VCF;
 		self::assertCount(2, $cards);
 	}
 
+	public function testGetMultipleChildrenAsGuest(): void {
+		$this->config
+			->method('getAppValue')
+			->willReturnMap([
+				['core', 'shareapi_allow_share_dialog_user_enumeration', 'yes', 'yes'],
+				['core', 'shareapi_restrict_user_enumeration_to_group', 'no', 'no'],
+				['core', 'shareapi_restrict_user_enumeration_to_phone', 'no', 'no'],
+			]);
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('user');
+		$user->method('getBackendClassName')->willReturn('Guests');
+		$this->userSession->expects(self::once())
+			->method('getUser')
+			->willReturn($user);
+
+		$cards = $this->addressBook->getMultipleChildren(['Database:user1.vcf', 'LDAP:user2.vcf']);
+
+		self::assertEmpty($cards);
+	}
+
 	public function testGetMultipleChildren(): void {
 		$this->config
 			->method('getAppValue')
-- 
cgit v1.2.3