Merge pull request #5417 from nextcloud/backport/5416/stable33

[stable33] fix: Properly annotate settings controller

Author: elzody

.github/workflows/integration.yml

@@ -57,8 +57,8 @@ jobs:
         code-image: [ 'release' ]
         php-versions: ['8.2']
         databases: ['sqlite']
-        server-versions: ['master']
-        scenarios: ['wopi', 'direct', 'federation', 'api']
+        server-versions: ['stable33']
+        scenarios: ['wopi', 'direct', 'federation', 'api', 'secure-view', 'admin-settings']
 
     name: integration-${{ matrix.code-image }}-${{ matrix.scenarios }}-${{ matrix.php-versions }}-${{ matrix.databases }}-${{ matrix.server-versions }}
 
@@ -125,8 +125,8 @@ jobs:
       matrix:
         php-versions: ['8.2']
         databases: ['mysql']
-        server-versions: ['master']
-        scenarios: ['wopi', 'direct', 'federation', 'api']
+        server-versions: ['stable33']
+        scenarios: ['wopi', 'direct', 'federation', 'api', 'secure-view', 'admin-settings']
 
     name: integration-${{ matrix.scenarios }}-${{ matrix.php-versions }}-${{ matrix.databases }}-${{ matrix.server-versions }}
 
@@ -201,7 +201,7 @@ jobs:
         php-versions: ['8.2']
         databases: ['pgsql']
         server-versions: ['stable33']
-        scenarios: ['wopi', 'direct', 'federation', 'api']
+        scenarios: ['wopi', 'direct', 'federation', 'api', 'secure-view', 'admin-settings']
 
     name: integration-${{ matrix.scenarios }}-${{ matrix.php-versions }}-${{ matrix.databases }}-${{ matrix.server-versions }}
 
@@ -277,8 +277,8 @@ jobs:
       matrix:
         php-versions: ['8.2']
         databases: ['oci']
-        server-versions: ['master']
-        scenarios: ['wopi', 'direct', 'federation', 'api']
+        server-versions: ['stable33']
+        scenarios: ['wopi', 'direct', 'federation', 'api', 'secure-view', 'admin-settings']
 
     name: integration-${{ matrix.scenarios }}-${{ matrix.php-versions }}-${{ matrix.databases }}-${{ matrix.server-versions }}
 

lib/Controller/SettingsController.php

@@ -99,7 +99,6 @@ public function demoServers(): DataResponse {
 		return new DataResponse([], Http::STATUS_NOT_FOUND);
 	}
 
-	#[NoAdminRequired]
 	public function getSettings(): JSONResponse {
 		return new JSONResponse($this->getSettingsData());
 	}

tests/config/behat.yml

@@ -22,6 +22,7 @@ default:
         - DirectContext
         - FederationContext
         - ApiContext
+        - SettingsContext
 
 
   extensions:

tests/features/admin-settings.feature

@@ -0,0 +1,12 @@
+Feature: Admin Settings
+
+Background:
+  Given user "user1" exists
+
+  Scenario: Normal user cannot retrieve admin settings
+    When the admin settings are requested by a user
+    Then the admin settings are forbidden
+
+  Scenario: Admin can retrieve admin settings
+    When the admin settings are requested by an admin
+    Then the admin settings are returned

tests/features/bootstrap/SettingsContext.php

@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types = 1);
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+use Behat\Behat\Context\Context;
+use Behat\Behat\Hook\Scope\BeforeScenarioScope;
+use Behat\Hook\AfterScenario;
+use Behat\Hook\BeforeScenario;
+use Behat\Step\Then;
+use Behat\Step\When;
+use JuliusHaertl\NextcloudBehat\Context\ServerContext;
+use PHPUnit\Framework\Assert;
+
+class SettingsContext implements Context {
+	/** @var ServerContext */
+	private $serverContext;
+
+	/** @var GuzzleHttp\Client */
+	private $http;
+
+	/** @var Psr\Http\Message\ResponseInterface */
+	private $httpResponse;
+
+	public function __construct() {
+
+	}
+
+	#[BeforeScenario]
+	public function gatherContexts(BeforeScenarioScope $scope) {
+		$this->serverContext = $scope->getEnvironment()->getContext(ServerContext::class);
+
+		$this->http = new GuzzleHttp\Client([
+			'base_uri' => $this->serverContext->getBaseUrl() . 'index.php/apps/richdocuments/',
+			'http_errors' => false,
+		]);
+	}
+
+	#[AfterScenario]
+	public function cleanup() {
+		$this->httpResponse = null;
+	}
+
+	#[When('the admin settings are requested by a user')]
+	public function userRequestAdminSettings() {
+		$this->serverContext->actingAsUser('user1');
+
+		$options = $this->serverContext->getWebOptions();
+		$this->httpResponse = $this->http->get('ajax/settings.php', $options);
+	}
+
+	#[When('the admin settings are requested by an admin')]
+	public function adminRequestAdminSettings() {
+		$this->serverContext->actAsAdmin(function () {
+			$options = $this->serverContext->getWebOptions();
+			$this->httpResponse = $this->http->get('ajax/settings.php', $options);
+		});
+	}
+
+	#[Then('the admin settings are forbidden')]
+	public function adminSettingsRequestForbidden() {
+		Assert::assertEquals(403, $this->httpResponse->getStatusCode());
+
+		Assert::assertJsonStringEqualsJsonString(
+			'{"message":"Logged in account must be an admin"}',
+			$this->httpResponse->getBody()->getContents(),
+		);
+	}
+
+	#[Then('the admin settings are returned')]
+	public function adminSettingsRequestReturned() {
+		Assert::assertEquals(200, $this->httpResponse->getStatusCode());
+		Assert::assertJsonStringNotEqualsJsonString(
+			'{}',
+			$this->httpResponse->getBody()->getContents(),
+		);
+	}
+}