
Commit e6f6711

committed
feat(files_external): allow delegated admins to save global credentials
Signed-off-by: Tatjana Kaschperko Lindt <kaschperko-lindt@strato.de>
1 parent 88aac18 commit e6f6711

2 files changed

Lines changed: 77 additions & 1 deletion


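--- a/apps/files_external/lib/Controller/AjaxController.php
+++ b/apps/files_external/lib/Controller/AjaxController.php
@@ -7,8 +7,10 @@
 */
 namespace OCA\Files_External\Controller;
 
+use OC\Settings\AuthorizedGroupMapper;
 use OCA\Files_External\Lib\Auth\Password\GlobalAuth;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
+use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
@@ -36,6 +38,7 @@ public function __construct(
 private IUserSession $userSession,
 private IGroupManager $groupManager,
 private IL10N $l10n,
+private AuthorizedGroupMapper $authorizedGroupMapper,
 ) {
 parent::__construct($appName, $request);
 }
@@ -87,9 +90,10 @@ public function saveGlobalCredentials($uid, $user, $password): JSONResponse {
 }
 
 // Non-admins can only edit their own credentials
-// Admin can edit global credentials
+// Admin or delegated admin can edit global credentials
 $allowedToEdit = $uid === ''
 ? $this->groupManager->isAdmin($currentUser->getUID())
+|| in_array(Admin::class, $this->authorizedGroupMapper->findAllClassesForUser($currentUser), true)
 : $currentUser->getUID() === $uid;
 
 if ($allowedToEdit) {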
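Review bot: The `$allowedToEdit` assignment in `saveGlobalCredentials` depends on `||` binding tighter than `?:` to keep the delegated-admin test inside the `$uid === ''` branch; the result is as intended, but an access-control decision should make the grouping explicit, i.e. `? ($this->groupManager->isAdmin($currentUser->getUID())` followed by `|| in_array(Admin::class, $this->authorizedGroupMapper->findAllClassesForUser($currentUser), true))`. The check also makes an app controller depend on `OC\Settings\AuthorizedGroupMapper`, which sits in the server's private `OC\` namespace, so a change to that class would alter who may write global credentials without touching this file; a public-API equivalent, if one is available, would be the safer dependency. Whether `findAllClassesForUser()` can throw is not visible here; if it can, the failure should end in a denial rather than an unhandled error. The function body starts and ends outside the hunk.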

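--- a/apps/files_external/tests/Controller/AjaxControllerTest.php
+++ b/apps/files_external/tests/Controller/AjaxControllerTest.php
@@ -7,9 +7,11 @@
 */
 namespace OCA\Files_External\Tests\Controller;
 
+use OC\Settings\AuthorizedGroupMapper;
 use OCA\Files_External\Controller\AjaxController;
 use OCA\Files_External\Lib\Auth\Password\GlobalAuth;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
+use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IGroupManager;
 use OCP\IL10N;
@@ -26,6 +28,7 @@ class AjaxControllerTest extends TestCase {
 private IUserSession&MockObject $userSession;
 private IGroupManager&MockObject $groupManager;
 private IL10N&MockObject $l10n;
+private AuthorizedGroupMapper&MockObject $authorizedGroupMapper;
 private AjaxController $ajaxController;
 
 protected function setUp(): void {
@@ -35,6 +38,7 @@ protected function setUp(): void {
 $this->userSession = $this->createMock(IUserSession::class);
 $this->groupManager = $this->createMock(IGroupManager::class);
 $this->l10n = $this->createMock(IL10N::class);
+$this->authorizedGroupMapper = $this->createMock(AuthorizedGroupMapper::class);
 
 $this->ajaxController = new AjaxController(
 'files_external',
@@ -44,6 +48,7 @@ protected function setUp(): void {
 $this->userSession,
 $this->groupManager,
 $this->l10n,
+$this->authorizedGroupMapper,
 );
 
 $this->l10n->expects($this->any())
@@ -149,4 +154,71 @@ public function testSaveGlobalCredentialsAsNormalUserForAnotherUser(): void {
 $this->assertSame($response->getStatus(), 403);
 $this->assertSame('Permission denied', $response->getData()['message']);
 }
+
+public function testSaveGlobalCredentialsAsAdminForGlobal(): void {
+$user = $this->createMock(IUser::class);
+$user->method('getUID')->willReturn('MyAdminUid');
+$this->userSession->method('getUser')->willReturn($user);
+$this->groupManager
+->expects($this->once())
+->method('isAdmin')
+->with('MyAdminUid')
+->willReturn(true);
+$this->authorizedGroupMapper
+->expects($this->never())
+->method('findAllClassesForUser');
+$this->globalAuth
+->expects($this->once())
+->method('saveAuth')
+->with('', 'test', 'password');
+
+$response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password');
+$this->assertSame(200, $response->getStatus());
+}
+
+public function testSaveGlobalCredentialsAsDelegatedAdminForGlobal(): void {
+$user = $this->createMock(IUser::class);
+$user->method('getUID')->willReturn('DelegatedUid');
+$this->userSession->method('getUser')->willReturn($user);
+$this->groupManager
+->expects($this->once())
+->method('isAdmin')
+->with('DelegatedUid')
+->willReturn(false);
+$this->authorizedGroupMapper
+->expects($this->once())
+->method('findAllClassesForUser')
+->with($user)
+->willReturn([Admin::class]);
+$this->globalAuth
+->expects($this->once())
+->method('saveAuth')
+->with('', 'test', 'password');
+
+$response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password');
+$this->assertSame(200, $response->getStatus());
+}
+
+public function testSaveGlobalCredentialsAsNormalUserForGlobal(): void {
+$user = $this->createMock(IUser::class);
+$user->method('getUID')->willReturn('NormalUid');
+$this->userSession->method('getUser')->willReturn($user);
+$this->groupManager
+->expects($this->once())
+->method('isAdmin')
+->with('NormalUid')
+->willReturn(false);
+$this->authorizedGroupMapper
+->expects($this->once())
+->method('findAllClassesForUser')
+->with($user)
+->willReturn([]);
+$this->globalAuth
+->expects($this->never())
+->method('saveAuth');
+
+$response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password');
+$this->assertSame(403, $response->getStatus());
+$this->assertSame('Permission denied', $response->getData()['message']);
+}
 }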
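Review bot: The three added tests never cover a user who holds a delegation for some other settings class, which is the case where a loosened membership check would wrongly grant access. `testSaveGlobalCredentialsAsNormalUserForGlobal` only returns `[]` from `findAllClassesForUser`, so add a sibling test that returns a non-empty list without `Admin::class`, for example `->willReturn(['Some\Other\SettingsClass'])` (constructed name), and asserts 403 with `saveAuth` never called. It would also help to pin that a delegated admin passing a non-empty `$uid` of another user is still denied and that `findAllClassesForUser` is `never()` consulted on that path, since the controller only grants the delegated right for `$uid === ''`.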
