diff options
Diffstat (limited to 'apps/provisioning_api/lib/Controller/AppConfigController.php')
| -rw-r--r-- | apps/provisioning_api/lib/Controller/AppConfigController.php | 66 |
1 files changed, 65 insertions, 1 deletions
diff --git a/apps/provisioning_api/lib/Controller/AppConfigController.php b/apps/provisioning_api/lib/Controller/AppConfigController.php index cd8dba9e5b8..12b6a7d1370 100644 --- a/apps/provisioning_api/lib/Controller/AppConfigController.php +++ b/apps/provisioning_api/lib/Controller/AppConfigController.php @@ -26,12 +26,19 @@ declare(strict_types=1); */ namespace OCA\Provisioning_API\Controller; +use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException; use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCSController; use OCP\IAppConfig; use OCP\IConfig; +use OCP\IGroupManager; +use OCP\IL10N; use OCP\IRequest; +use OCP\IUser; +use OCP\IUserSession; +use OCP\Settings\IDelegatedSettings; +use OCP\Settings\IManager; class AppConfigController extends OCSController { @@ -41,6 +48,18 @@ class AppConfigController extends OCSController { /** @var IAppConfig */ protected $appConfig; + /** @var IUserSession */ + private $userSession; + + /** @var IL10N */ + private $l10n; + + /** @var IGroupManager */ + private $groupManager; + + /** @var IManager */ + private $settingManager; + /** * @param string $appName * @param IRequest $request @@ -50,10 +69,18 @@ class AppConfigController extends OCSController { public function __construct(string $appName, IRequest $request, IConfig $config, - IAppConfig $appConfig) { + IAppConfig $appConfig, + IUserSession $userSession, + IL10N $l10n, + IGroupManager $groupManager, + IManager $settingManager) { parent::__construct($appName, $request); $this->config = $config; $this->appConfig = $appConfig; + $this->userSession = $userSession; + $this->l10n = $l10n; + $this->groupManager = $groupManager; + $this->settingManager = $settingManager; } /** @@ -99,12 +126,23 @@ class AppConfigController extends OCSController { /** * @PasswordConfirmationRequired + * @NoSubAdminRequired + * @NoAdminRequired * @param string $app * @param string $key * @param string $value * @return DataResponse */ public function setValue(string $app, string $key, string $value): DataResponse { + $user = $this->userSession->getUser(); + if ($user === null) { + throw new \Exception("User is not logged in."); // Should not happen, since method is guarded by middleware + } + + if (!$this->isAllowedToChangedKey($user, $app, $key)) { + throw new NotAdminException($this->l10n->t('Logged in user must be an admin or have authorization to edit this setting.')); + } + try { $this->verifyAppId($app); $this->verifyConfigKey($app, $key, $value); @@ -170,4 +208,30 @@ class AppConfigController extends OCSController { throw new \InvalidArgumentException('The given key can not be set, unlimited quota is forbidden on this instance'); } } + + private function isAllowedToChangedKey(IUser $user, string $app, string $key): bool { + // Admin right verification + $isAdmin = $this->groupManager->isAdmin($user->getUID()); + if ($isAdmin) { + return true; + } + + $settings = $this->settingManager->getAllAllowedAdminSettings($user); + foreach ($settings as $setting) { + if (!($setting instanceof IDelegatedSettings)) { + continue; + } + $allowedKeys = $setting->getAuthorizedAppConfig(); + if (!array_key_exists($app, $allowedKeys)) { + continue; + } + foreach ($allowedKeys[$app] as $regex) { + if ($regex === $key + || (str_starts_with($regex, '/') && preg_match($regex, $key) === 1)) { + return true; + } + } + } + return false; + } } |