fix(accounts): enforce per-property scope restrictions in AccountManager

Adds `UNPUBLISHED_PROPERTIES` to `IAccountManager` for profile fields
that must never be federated or published to the global lookup server
(biography, birthdate, headline, organisation, role), matching the
frontend's `UNPUBLISHED_READABLE_PROPERTIES` constant.

Enforces two new constraints in `testPropertyScope`:
- `UNPUBLISHED_PROPERTIES` may not use `SCOPE_FEDERATED` or
  `SCOPE_PUBLISHED`, even when set via the API.
- `SCOPE_PUBLISHED` is rejected for all properties unless the admin
  has enabled lookup server upload (`files_sharing.lookupServerUploadEnabled`).

Previously the `PUT /ocs/v2.php/cloud/users/<uid>` endpoint accepted any
valid scope value regardless of these restrictions, allowing users to
bypass the visibility limits enforced by the frontend UI.

Fixes #59225

Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: miaulalala

lib/private/Accounts/AccountManager.php

@@ -120,6 +120,30 @@ protected function testPropertyScope(IAccountProperty $property, array $allowedS
 			throw new InvalidArgumentException('scope');
 		}
 
+		// Properties that are local-only must not be set to FEDERATED or PUBLISHED scope.
+		if (
+			in_array($property->getName(), self::UNPUBLISHED_PROPERTIES, true)
+			&& in_array($property->getScope(), [self::SCOPE_FEDERATED, self::SCOPE_PUBLISHED], true)
+		) {
+			if ($throwOnData) {
+				throw new InvalidArgumentException('scope');
+			} else {
+				$property->setScope(self::SCOPE_LOCAL);
+			}
+		}
+
+		// PUBLISHED scope requires the lookup server upload to be enabled by the admin.
+		if ($property->getScope() === self::SCOPE_PUBLISHED) {
+			$lookupServerUploadEnabled = $this->config->getAppValue('files_sharing', 'lookupServerUploadEnabled', 'no') === 'yes';
+			if (!$lookupServerUploadEnabled) {
+				if ($throwOnData) {
+					throw new InvalidArgumentException('scope');
+				} else {
+					$property->setScope(self::SCOPE_LOCAL);
+				}
+			}
+		}
+
 		if (
 			$property->getScope() === self::SCOPE_PRIVATE
 			&& in_array($property->getName(), [self::PROPERTY_DISPLAYNAME, self::PROPERTY_EMAIL])

lib/public/Accounts/IAccountManager.php

@@ -146,6 +146,21 @@ interface IAccountManager {
 	 */
 	public const PROPERTY_PRONOUNS = 'pronouns';
 
+	/**
+	 * Properties that are only visible within the local instance and must not be
+	 * published to the global lookup server or shared via federation.
+	 * This matches the frontend's UNPUBLISHED_READABLE_PROPERTIES constant.
+	 *
+	 * @since 32.0.0
+	 */
+	public const UNPUBLISHED_PROPERTIES = [
+		self::PROPERTY_BIOGRAPHY,
+		self::PROPERTY_BIRTHDATE,
+		self::PROPERTY_HEADLINE,
+		self::PROPERTY_ORGANISATION,
+		self::PROPERTY_ROLE,
+	];
+
 	/**
 	 * The list of allowed properties
 	 *

tests/lib/Accounts/AccountManagerTest.php

@@ -1062,4 +1062,59 @@ public function testSetDefaultPropertyScopes(array $propertyScopes, array $expec
 			$this->assertEquals($expectedResultScopeValue, $resultScope, "The result scope doesn't follow the value set into the config or defaults correctly.");
 		}
 	}
+
+	public static function dataUpdateAccountRejectsInvalidScopeForUnpublishedProperty(): array {
+		$cases = [];
+		foreach (IAccountManager::UNPUBLISHED_PROPERTIES as $property) {
+			$cases[] = [$property, IAccountManager::SCOPE_FEDERATED];
+			$cases[] = [$property, IAccountManager::SCOPE_PUBLISHED];
+		}
+		return $cases;
+	}
+
+	#[\PHPUnit\Framework\Attributes\DataProvider('dataUpdateAccountRejectsInvalidScopeForUnpublishedProperty')]
+	public function testUpdateAccountRejectsInvalidScopeForUnpublishedProperty(string $property, string $scope): void {
+		$user = $this->createMock(IUser::class);
+		$account = new Account($user);
+		$account->setProperty($property, 'some value', $scope, IAccountManager::NOT_VERIFIED);
+
+		$manager = $this->getInstance(['getUser', 'updateUser']);
+		$manager->method('getUser')->with($user, false)->willReturn([]);
+
+		$this->expectException(\InvalidArgumentException::class);
+		$this->expectExceptionMessage('scope');
+		$manager->updateAccount($account);
+	}
+
+	public function testUpdateAccountRejectsPublishedScopeWhenLookupServerDisabled(): void {
+		$user = $this->createMock(IUser::class);
+		$account = new Account($user);
+		$account->setProperty(IAccountManager::PROPERTY_WEBSITE, 'https://example.com', IAccountManager::SCOPE_PUBLISHED, IAccountManager::NOT_VERIFIED);
+
+		$manager = $this->getInstance(['getUser', 'updateUser']);
+		$manager->method('getUser')->with($user, false)->willReturn([]);
+		$this->config->method('getAppValue')
+			->with('files_sharing', 'lookupServerUploadEnabled', 'no')
+			->willReturn('no');
+
+		$this->expectException(\InvalidArgumentException::class);
+		$this->expectExceptionMessage('scope');
+		$manager->updateAccount($account);
+	}
+
+	public function testUpdateAccountAllowsPublishedScopeWhenLookupServerEnabled(): void {
+		$user = $this->createMock(IUser::class);
+		$account = new Account($user);
+		$account->setProperty(IAccountManager::PROPERTY_WEBSITE, 'https://example.com', IAccountManager::SCOPE_PUBLISHED, IAccountManager::NOT_VERIFIED);
+
+		$manager = $this->getInstance(['getUser', 'updateUser']);
+		$manager->method('getUser')->with($user, false)->willReturn([]);
+		$this->config->method('getSystemValueString')->willReturn('');
+		$this->config->method('getAppValue')
+			->with('files_sharing', 'lookupServerUploadEnabled', 'no')
+			->willReturn('yes');
+		$manager->expects($this->once())->method('updateUser');
+
+		$manager->updateAccount($account);
+	}
 }