Merge pull request #5422 from nextcloud/backport/5420/stable33

elzody · web-flow · commit d21b74d25a93 · 2026-02-19T19:38:06.000-05:00
[stable33] fix: non-admins cannot upload/delete system config settings
diff --git a/lib/Controller/WopiController.php b/lib/Controller/WopiController.php
@@ -442,13 +442,19 @@ public function getSettings(string $type, string $access_token): JSONResponse {
 	public function uploadSettingsFile(string $fileId, string $access_token): JSONResponse {
 		try {
 			$wopi = $this->wopiMapper->getWopiForToken($access_token);
-
 			$userId = $wopi->getEditorUid();
 
 			if (empty($userId)) {
 				throw new \Exception('UserID is empty');
 			}
 
+			$isUserAdmin = $this->groupManager->isAdmin($userId);
+			// Use the fileId as a file path URL (e.g., "/settings/systemconfig/wordbook/en_US%20(1).dic")
+			$settingsUrl = new SettingsUrl($fileId);
+			if ($settingsUrl->isSystemConfig() && !$isUserAdmin) {
+				throw new NotPermittedException();
+			}
+
 			$content = fopen('php://input', 'rb');
 			if (!$content) {
 				throw new \Exception('Failed to read input stream.');
@@ -457,8 +463,7 @@ public function uploadSettingsFile(string $fileId, string $access_token): JSONRe
 			$fileContent = stream_get_contents($content);
 			fclose($content);
 
-			// Use the fileId as a file path URL (e.g., "/settings/systemconfig/wordbook/en_US%20(1).dic")
-			$settingsUrl = new SettingsUrl($fileId);
+
 			$result = $this->settingsService->uploadFile($settingsUrl, $fileContent, $userId);
 
 			return new JSONResponse([
@@ -470,6 +475,8 @@ public function uploadSettingsFile(string $fileId, string $access_token): JSONRe
 		} catch (UnknownTokenException $e) {
 			$this->logger->debug($e->getMessage(), ['exception' => $e]);
 			return new JSONResponse(['error' => 'Invalid token'], Http::STATUS_FORBIDDEN);
+		} catch (NotPermittedException $e) {
+			return new JSONResponse(['error' => 'Not permitted'], Http::STATUS_FORBIDDEN);
 		} catch (\Exception $e) {
 			$this->logger->error($e->getMessage(), ['exception' => $e]);
 			return new JSONResponse(['error' => $e->getMessage()], Http::STATUS_INTERNAL_SERVER_ERROR);
@@ -493,6 +500,11 @@ public function deleteSettingsFile(string $fileId, string $access_token): JSONRe
 			$category = $settingsUrl->getCategory();
 			$fileName = $settingsUrl->getFileName();
 			$userId = $wopi->getEditorUid();
+			$isUserAdmin = $this->groupManager->isAdmin($userId);
+
+			if ($settingsUrl->isSystemConfig() && !$isUserAdmin) {
+				throw new NotPermittedException();
+			}
 
 			$this->settingsService->deleteSettingsFile($type, $category, $fileName, $userId);
 
diff --git a/lib/WOPI/SettingsUrl.php b/lib/WOPI/SettingsUrl.php
@@ -100,4 +100,13 @@ public function getFileName(): string {
 	public function getRawUrl(): string {
 		return $this->rawUrl;
 	}
+
+	/**
+	 * Determines if this Settings URL leads to a system config file
+	 *
+	 * @return bool
+	 */
+	public function isSystemConfig(): bool {
+		return $this->getType() === 'systemconfig';
+	}
 }
diff --git a/tests/features/admin-settings.feature b/tests/features/admin-settings.feature
@@ -10,3 +10,20 @@ Background:
   Scenario: Admin can retrieve admin settings
     When the admin settings are requested by an admin
     Then the admin settings are returned
+
+  Scenario: Normal user cannot upload a system config file
+    When a user uploads a system configuration file
+    Then the system configuration upload is forbidden
+
+  Scenario: Admin can upload a system config file
+    When an admin uploads a system configuration file
+    Then the system configuration upload is allowed
+
+  Scenario: Normal user cannot delete a system config file
+    When a user deletes a system configuration file
+    Then the system configuration deletion is forbidden
+
+  Scenario: Admin can delete a system config file
+    When an admin deletes a system configuration file
+    Then the system configuration deletion is allowed
+
diff --git a/tests/features/bootstrap/SettingsContext.php b/tests/features/bootstrap/SettingsContext.php
@@ -78,4 +78,104 @@ public function adminSettingsRequestReturned() {
 			$this->httpResponse->getBody()->getContents(),
 		);
 	}
+
+	#[When('a user uploads a system configuration file')]
+	public function userUploadsSystemConfigFile() {
+		$this->serverContext->actingAsUser('user1');
+
+		$settingsAccessToken = $this->getSettingsAccessToken('user');
+		$postOptions = [
+			'query' => [
+				'access_token' => $settingsAccessToken,
+				'fileId' => '/settings/systemconfig/wordbook/poc.dic',
+			],
+			'body' => 'fake dictionary',
+		];
+
+		$options = array_merge($this->serverContext->getWebOptions(), $postOptions);
+
+		$this->httpResponse = $this->http->post('wopi/settings/upload', $options);
+	}
+
+	#[When('an admin uploads a system configuration file')]
+	public function adminUploadsSystemConfigFile() {
+		$this->serverContext->actAsAdmin(function () {
+			$settingsAccessToken = $this->getSettingsAccessToken('admin');
+			$postOptions = [
+				'query' => [
+					'access_token' => $settingsAccessToken,
+					'fileId' => '/settings/systemconfig/wordbook/poc.dic',
+				],
+				'body' => 'fake dictionary',
+			];
+
+			$options = array_merge($this->serverContext->getWebOptions(), $postOptions);
+
+			$this->httpResponse = $this->http->post('wopi/settings/upload', $options);
+		});
+	}
+
+	#[When('a user deletes a system configuration file')]
+	public function userDeletesSystemConfigFile() {
+		$this->serverContext->actingAsUser('user1');
+
+		$settingsAccessToken = $this->getSettingsAccessToken('user');
+		$deleteOptions = [
+			'query' => [
+				'access_token' => $settingsAccessToken,
+				'fileId' => '/settings/systemconfig/wordbook/poc.dic',
+			],
+		];
+
+		$options = array_merge($this->serverContext->getWebOptions(), $deleteOptions);
+
+		$this->httpResponse = $this->http->delete('wopi/settings', $options);
+	}
+
+	#[When('an admin deletes a system configuration file')]
+	public function adminDeletesSystemConfigFile() {
+		$this->serverContext->actAsAdmin(function () {
+			$settingsAccessToken = $this->getSettingsAccessToken('admin');
+			$deleteOptions = [
+				'query' => [
+					'access_token' => $settingsAccessToken,
+					'fileId' => '/settings/systemconfig/wordbook/poc.dic',
+				],
+			];
+
+			$options = array_merge($this->serverContext->getWebOptions(), $deleteOptions);
+
+			$this->httpResponse = $this->http->delete('wopi/settings', $options);
+		});
+	}
+
+	#[Then('the system configuration upload is forbidden')]
+	public function systemConfigUploadForbidden() {
+		Assert::assertEquals(403, $this->httpResponse->getStatusCode());
+	}
+
+	#[Then('the system configuration upload is allowed')]
+	public function systemConfigUploadAllowed() {
+		Assert::assertEquals(200, $this->httpResponse->getStatusCode());
+	}
+
+	#[Then('the system configuration deletion is forbidden')]
+	public function systemConfigDeletionForbidden() {
+		Assert::assertEquals(403, $this->httpResponse->getStatusCode());
+	}
+
+	#[Then('the system configuration deletion is allowed')]
+	public function systemConfigDeletionAllowed() {
+		Assert::assertEquals(200, $this->httpResponse->getStatusCode());
+	}
+
+	private function getSettingsAccessToken(string $type) {
+		$options = $this->serverContext->getWebOptions();
+
+		$response = $this->http->get("settings/generateToken/$type", $options);
+		$responseBody = $response->getBody()->getContents();
+		$responseJson = json_decode($responseBody, true);
+
+		return $responseJson['token'];
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -100,4 +100,13 @@ public function getFileName(): string {`
`100`	`100`	`public function getRawUrl(): string {`
`101`	`101`	`return $this->rawUrl;`
`102`	`102`	`}`
	`103`	`+`
	`104`	`+ /**`
	`105`	`+ * Determines if this Settings URL leads to a system config file`
	`106`	`+ *`
	`107`	`+ * @return bool`
	`108`	`+ */`
	`109`	`+ public function isSystemConfig(): bool {`
	`110`	`+ return $this->getType() === 'systemconfig';`
	`111`	`+ }`
`103`	`112`	`}`