fix: move backend checks to a different place

jvillafanez · jvillafanez · commit b6dd4785e16d · 2026-05-07T14:49:49.000+02:00
diff --git a/apps/files_external/lib/Controller/GlobalStoragesController.php b/apps/files_external/lib/Controller/GlobalStoragesController.php
@@ -86,15 +86,6 @@ public function create(
 		$applicableGroups,
 		$priority
 	) {
-		$canCreateNewLocalStorage = \OC::$server->getConfig()->getSystemValue('files_external_allow_create_new_local', false);
-
-		if (($backend === 'local' || $backend === '\OC\Files\Storage\Local') && $canCreateNewLocalStorage === false) {
-			return new DataResponse(
-				null,
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
 		$newStorage = $this->createStorage(
 			$mountPoint,
 			$backend,
diff --git a/apps/files_external/lib/Controller/StoragesController.php b/apps/files_external/lib/Controller/StoragesController.php
@@ -183,7 +183,7 @@ protected function validate(IStorageConfig $storage) {
 						$backend->getIdentifier()
 					])
 				],
-				Http::STATUS_UNPROCESSABLE_ENTITY
+				Http::STATUS_FORBIDDEN
 			);
 		}
 		if (!$authMechanism->isVisibleFor($this->service->getVisibilityType())) {
@@ -194,7 +194,7 @@ protected function validate(IStorageConfig $storage) {
 						$authMechanism->getIdentifier()
 					])
 				],
-				Http::STATUS_UNPROCESSABLE_ENTITY
+				Http::STATUS_FORBIDDEN
 			);
 		}
 
diff --git a/apps/files_external/lib/Controller/UserStoragesController.php b/apps/files_external/lib/Controller/UserStoragesController.php
@@ -128,14 +128,6 @@ public function create(
 				Http::STATUS_FORBIDDEN
 			);
 		}
-		$canCreateNewLocalStorage = \OC::$server->getConfig()->getSystemValue('files_external_allow_create_new_local', false);
-		if (($backend === 'local' || $backend === '\OC\Files\Storage\Local') && $canCreateNewLocalStorage === false) {
-			return new DataResponse(
-				null,
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
 		$newStorage = $this->createStorage(
 			$mountPoint,
 			$backend,
diff --git a/lib/private/Files/External/StoragesBackendChecker.php b/lib/private/Files/External/StoragesBackendChecker.php
@@ -0,0 +1,67 @@
+<?php
+
+namespace OC\Files\External;
+
+use OCP\IConfig;
+use OCP\Files\External\Backend\Backend;
+
+class StoragesBackendChecker {
+	/** @var IConfig */
+	private IConfig $config;
+	/** @var bool */
+	private $allowUserMounting = null;
+	/** @var array */
+	private $userMountingBackends = null;
+
+	/**
+	 * @param IConfig $config
+	 */
+	public function __construct(IConfig $config) {
+		$this->config = $config;
+	}
+
+	/**
+	 * Checks if the regular users are allowed to mount external storages
+	 * @return bool
+	 */
+	public function isUserMountingAllowed() {
+		if ($this->allowUserMounting === null) {
+			$this->allowUserMounting = $this->config->getAppValue('files_external', 'allow_user_mounting', 'no') === 'yes';
+			// if no backend is in the list an empty string is in the array and user mounting is disabled
+			if ($this->allowedBackendsForUsers() === ['']) {
+				$this->allowUserMounting = false;
+			}
+		}
+		return $this->allowUserMounting;
+	}
+
+	private function allowedBackendsForUsers() {
+		if ($this->userMountingBackends === null) {
+			$user_mounting_backends = $this->config->getAppValue('files_external', 'user_mounting_backends', '');
+			$this->userMountingBackends = \explode(
+				',',
+				$user_mounting_backends
+			);
+		}
+		return $this->userMountingBackends;
+	}
+
+	/**
+	 * Checks if the regular users are allowed to mount the specified backend.
+	 * Note that the admin might still mount the backend.
+	 * @return bool
+	 */
+	public function isAllowedUserBackend(Backend $backend) {
+		$blacklistedBackendsForUsers = ['\OC\Files\Storage\Local'];
+		if (in_array($backend->getStorageClass(), $blacklistedBackendsForUsers, true)) {
+			return false;
+		}
+
+		if ($this->isUserMountingAllowed() &&
+			\array_intersect($backend->getIdentifierAliases(), $this->allowedBackendsForUsers()))
+		{
+			return true;
+		}
+		return false;
+	}
+}
diff --git a/lib/private/Files/External/StoragesBackendService.php b/lib/private/Files/External/StoragesBackendService.php
@@ -25,6 +25,7 @@
 
 use OCP\IConfig;
 
+use OC\Files\External\StoragesBackendChecker;
 use OCP\Files\External\Backend\Backend;
 use OCP\Files\External\Auth\AuthMechanism;
 use OCP\Files\External\Config\IBackendProvider;
@@ -35,14 +36,8 @@
  * Service class to manage backend definitions
  */
 class StoragesBackendService implements IStoragesBackendService {
-	/** @var IConfig */
-	protected $config;
-
-	/** @var bool */
-	private $userMountingAllowed = true;
-
-	/** @var string[] */
-	private $userMountingBackends = [];
+	/** @var StoragesBackendChecker */
+	protected $storagesBackendChecker;
 
 	/** @var Backend[] */
 	private $backends = [];
@@ -57,27 +52,12 @@ class StoragesBackendService implements IStoragesBackendService {
 	private $authMechanismProviders = [];
 
 	/**
-	 * @param IConfig $config
+	 * @param StoragesBackendChecker $storagesBackendChecker
 	 */
 	public function __construct(
-		IConfig $config
+		StoragesBackendChecker $storagesBackendChecker
 	) {
-		$this->config = $config;
-
-		// Load config values
-		if ($this->config->getAppValue('files_external', 'allow_user_mounting', 'no') !== 'yes') {
-			$this->userMountingAllowed = false;
-		}
-		$user_mounting_backends = $this->config->getAppValue('files_external', 'user_mounting_backends', '');
-		$this->userMountingBackends = \explode(
-			',',
-			$user_mounting_backends
-		);
-
-		// if no backend is in the list an empty string is in the array and user mounting is disabled
-		if ($this->userMountingBackends === ['']) {
-			$this->userMountingAllowed = false;
-		}
+		$this->storagesBackendChecker = $storagesBackendChecker;
 	}
 
 	/**
@@ -244,7 +224,7 @@ public function getAuthMechanism($identifier) {
 	 * @return bool
 	 */
 	public function isUserMountingAllowed() {
-		return $this->userMountingAllowed;
+		return $this->storagesBackendChecker->isUserMountingAllowed();
 	}
 
 	/**
@@ -254,12 +234,7 @@ public function isUserMountingAllowed() {
 	 * @return bool
 	 */
 	protected function isAllowedUserBackend(Backend $backend) {
-		if ($this->userMountingAllowed &&
-			\array_intersect($backend->getIdentifierAliases(), $this->userMountingBackends)
-		) {
-			return true;
-		}
-		return false;
+		return $this->storagesBackendChecker->isAllowedUserBackend($backend);
 	}
 
 	/**
diff --git a/lib/private/Server.php b/lib/private/Server.php
@@ -114,6 +114,7 @@
 use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use OC\Files\External\StoragesBackendService;
+use OC\Files\External\StoragesBackendChecker;
 use OC\Files\External\Service\UserStoragesService;
 use OC\Files\External\Service\UserGlobalStoragesService;
 use OC\Files\External\Service\GlobalStoragesService;
@@ -844,7 +845,7 @@ public function __construct($webRoot, \OC\Config $config) {
 			);
 		});
 		$this->registerService('StoragesBackendService', function (Server $c) {
-			$service = new StoragesBackendService($c->query('AllConfig'));
+			$service = new StoragesBackendService($c->query(StoragesBackendChecker::class));
 
 			// register auth mechanisms provided by core
 			$provider = new \OC\Files\External\Auth\CoreAuthMechanismProvider($c, [
