Merge pull request #9108 from nextcloud/ocs-api-subadmins-quota-adduser

Allow user creation with subadmins and quota
This commit is contained in:
Morris Jobke 2018-04-09 22:54:57 +02:00 committed by GitHub
commit 0327ef1044
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 77 additions and 43 deletions

View File

@ -126,7 +126,7 @@ class UsersController extends AUserData {
// Admin? Or SubAdmin? // Admin? Or SubAdmin?
$uid = $user->getUID(); $uid = $user->getUID();
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
if($this->groupManager->isAdmin($uid)){ if ($this->groupManager->isAdmin($uid)){
$users = $this->userManager->search($search, $limit, $offset); $users = $this->userManager->search($search, $limit, $offset);
} else if ($subAdminManager->isSubAdmin($user)) { } else if ($subAdminManager->isSubAdmin($user)) {
$subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user); $subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user);
@ -159,7 +159,7 @@ class UsersController extends AUserData {
// Admin? Or SubAdmin? // Admin? Or SubAdmin?
$uid = $user->getUID(); $uid = $user->getUID();
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
if($this->groupManager->isAdmin($uid)){ if ($this->groupManager->isAdmin($uid)){
$users = $this->userManager->search($search, $limit, $offset); $users = $this->userManager->search($search, $limit, $offset);
} else if ($subAdminManager->isSubAdmin($user)) { } else if ($subAdminManager->isSubAdmin($user)) {
$subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user); $subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user);
@ -178,7 +178,7 @@ class UsersController extends AUserData {
foreach ($users as $key => $userId) { foreach ($users as $key => $userId) {
$userData = $this->getUserData($userId); $userData = $this->getUserData($userId);
// Do not insert empty entry // Do not insert empty entry
if(!empty($userData)) { if (!empty($userData)) {
$usersDetails[$userId] = $userData; $usersDetails[$userId] = $userData;
} }
} }
@ -196,34 +196,61 @@ class UsersController extends AUserData {
* @param string $password * @param string $password
* @param string $email * @param string $email
* @param array $groups * @param array $groups
* @param array $subadmins
* @param string $quota
* @return DataResponse * @return DataResponse
* @throws OCSException * @throws OCSException
*/ */
public function addUser(string $userid, string $password = '', string $email='', array $groups = []): DataResponse { public function addUser(string $userid,
string $password = '',
string $email = '',
array $groups = [],
array $subadmin = [],
string $quota = ''): DataResponse {
$user = $this->userSession->getUser(); $user = $this->userSession->getUser();
$isAdmin = $this->groupManager->isAdmin($user->getUID()); $isAdmin = $this->groupManager->isAdmin($user->getUID());
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
if($this->userManager->userExists($userid)) { if ($this->userManager->userExists($userid)) {
$this->logger->error('Failed addUser attempt: User already exists.', ['app' => 'ocs_api']); $this->logger->error('Failed addUser attempt: User already exists.', ['app' => 'ocs_api']);
throw new OCSException('User already exists', 102); throw new OCSException('User already exists', 102);
} }
if($groups !== []) { if ($groups !== []) {
foreach ($groups as $group) { foreach ($groups as $group) {
if(!$this->groupManager->groupExists($group)) { if (!$this->groupManager->groupExists($group)) {
throw new OCSException('group '.$group.' does not exist', 104); throw new OCSException('group '.$group.' does not exist', 104);
} }
if(!$isAdmin && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) { if (!$isAdmin && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) {
throw new OCSException('insufficient privileges for group '. $group, 105); throw new OCSException('insufficient privileges for group '. $group, 105);
} }
} }
} else { } else {
if(!$isAdmin) { if (!$isAdmin) {
throw new OCSException('no group specified (required for subadmins)', 106); throw new OCSException('no group specified (required for subadmins)', 106);
} }
} }
$subadminGroups = [];
if ($subadmin !== []) {
foreach ($subadmin as $groupid) {
$group = $this->groupManager->get($groupid);
// Check if group exists
if ($group === null) {
throw new OCSException('Subadmin group does not exist', 102);
}
// Check if trying to make subadmin of admin group
if ($group->getGID() === 'admin') {
throw new OCSException('Cannot create subadmins for admin group', 103);
}
// Check if has permission to promote subadmins
if (!$subAdminManager->isSubAdminOfGroup($user, $group) && !$isAdmin) {
throw new OCSForbiddenException('No permissions to promote subadmins');
}
$subadminGroups[] = $group;
}
}
$generatePasswordResetToken = false; $generatePasswordResetToken = false;
if ($password === '') { if ($password === '') {
if ($email === '') { if ($email === '') {
@ -244,6 +271,13 @@ class UsersController extends AUserData {
$this->groupManager->get($group)->addUser($newUser); $this->groupManager->get($group)->addUser($newUser);
$this->logger->info('Added userid ' . $userid . ' to group ' . $group, ['app' => 'ocs_api']); $this->logger->info('Added userid ' . $userid . ' to group ' . $group, ['app' => 'ocs_api']);
} }
foreach ($subadminGroups as $group) {
$subAdminManager->createSubAdmin($newUser, $group);
}
if ($quota !== '') {
$this->editUser($userid, 'quota', $quota);
}
// Send new user mail only if a mail is set // Send new user mail only if a mail is set
if ($email !== '') { if ($email !== '') {
@ -293,7 +327,7 @@ class UsersController extends AUserData {
public function getUser(string $userId): DataResponse { public function getUser(string $userId): DataResponse {
$data = $this->getUserData($userId); $data = $this->getUserData($userId);
// getUserData returns empty array if not enough permissions // getUserData returns empty array if not enough permissions
if(empty($data)) { if (empty($data)) {
throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
} }
return new DataResponse($data); return new DataResponse($data);
@ -367,12 +401,12 @@ class UsersController extends AUserData {
$currentLoggedInUser = $this->userSession->getUser(); $currentLoggedInUser = $this->userSession->getUser();
$targetUser = $this->userManager->get($userId); $targetUser = $this->userManager->get($userId);
if($targetUser === null) { if ($targetUser === null) {
throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
} }
$permittedFields = []; $permittedFields = [];
if($targetUser->getUID() === $currentLoggedInUser->getUID()) { if ($targetUser->getUID() === $currentLoggedInUser->getUID()) {
// Editing self (display, email) // Editing self (display, email)
if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) { if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
$permittedFields[] = 'display'; $permittedFields[] = 'display';
@ -398,13 +432,13 @@ class UsersController extends AUserData {
} }
// If admin they can edit their own quota // If admin they can edit their own quota
if($this->groupManager->isAdmin($currentLoggedInUser->getUID())) { if ($this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
$permittedFields[] = 'quota'; $permittedFields[] = 'quota';
} }
} else { } else {
// Check if admin / subadmin // Check if admin / subadmin
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
if($subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser) if ($subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
|| $this->groupManager->isAdmin($currentLoggedInUser->getUID())) { || $this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
// They have permissions over the user // They have permissions over the user
$permittedFields[] = 'display'; $permittedFields[] = 'display';
@ -423,7 +457,7 @@ class UsersController extends AUserData {
} }
} }
// Check if permitted to edit this field // Check if permitted to edit this field
if(!in_array($key, $permittedFields)) { if (!in_array($key, $permittedFields)) {
throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
} }
// Process the edit // Process the edit
@ -434,7 +468,7 @@ class UsersController extends AUserData {
break; break;
case 'quota': case 'quota':
$quota = $value; $quota = $value;
if($quota !== 'none' && $quota !== 'default') { if ($quota !== 'none' && $quota !== 'default') {
if (is_numeric($quota)) { if (is_numeric($quota)) {
$quota = (float) $quota; $quota = (float) $quota;
} else { } else {
@ -443,9 +477,9 @@ class UsersController extends AUserData {
if ($quota === false) { if ($quota === false) {
throw new OCSException('Invalid quota value '.$value, 103); throw new OCSException('Invalid quota value '.$value, 103);
} }
if($quota === 0) { if ($quota === 0) {
$quota = 'default'; $quota = 'default';
}else if($quota === -1) { }else if ($quota === -1) {
$quota = 'none'; $quota = 'none';
} else { } else {
$quota = \OCP\Util::humanFileSize($quota); $quota = \OCP\Util::humanFileSize($quota);
@ -464,7 +498,7 @@ class UsersController extends AUserData {
$this->config->setUserValue($targetUser->getUID(), 'core', 'lang', $value); $this->config->setUserValue($targetUser->getUID(), 'core', 'lang', $value);
break; break;
case AccountManager::PROPERTY_EMAIL: case AccountManager::PROPERTY_EMAIL:
if(filter_var($value, FILTER_VALIDATE_EMAIL) || $value === '') { if (filter_var($value, FILTER_VALIDATE_EMAIL) || $value === '') {
$targetUser->setEMailAddress($value); $targetUser->setEMailAddress($value);
} else { } else {
throw new OCSException('', 102); throw new OCSException('', 102);
@ -499,18 +533,18 @@ class UsersController extends AUserData {
$targetUser = $this->userManager->get($userId); $targetUser = $this->userManager->get($userId);
if($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) { if ($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
throw new OCSException('', 101); throw new OCSException('', 101);
} }
// If not permitted // If not permitted
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
if(!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
} }
// Go ahead with the delete // Go ahead with the delete
if($targetUser->delete()) { if ($targetUser->delete()) {
return new DataResponse(); return new DataResponse();
} else { } else {
throw new OCSException('', 101); throw new OCSException('', 101);
@ -553,13 +587,13 @@ class UsersController extends AUserData {
$currentLoggedInUser = $this->userSession->getUser(); $currentLoggedInUser = $this->userSession->getUser();
$targetUser = $this->userManager->get($userId); $targetUser = $this->userManager->get($userId);
if($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) { if ($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
throw new OCSException('', 101); throw new OCSException('', 101);
} }
// If not permitted // If not permitted
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
if(!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) { if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
} }
@ -580,11 +614,11 @@ class UsersController extends AUserData {
$loggedInUser = $this->userSession->getUser(); $loggedInUser = $this->userSession->getUser();
$targetUser = $this->userManager->get($userId); $targetUser = $this->userManager->get($userId);
if($targetUser === null) { if ($targetUser === null) {
throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND); throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND);
} }
if($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) { if ($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) {
// Self lookup or admin lookup // Self lookup or admin lookup
return new DataResponse([ return new DataResponse([
'groups' => $this->groupManager->getUserGroupIds($targetUser) 'groups' => $this->groupManager->getUserGroupIds($targetUser)
@ -593,7 +627,7 @@ class UsersController extends AUserData {
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
// Looking up someone else // Looking up someone else
if($subAdminManager->isUserAccessible($loggedInUser, $targetUser)) { if ($subAdminManager->isUserAccessible($loggedInUser, $targetUser)) {
// Return the group that the method caller is subadmin of for the user in question // Return the group that the method caller is subadmin of for the user in question
/** @var IGroup[] $getSubAdminsGroups */ /** @var IGroup[] $getSubAdminsGroups */
$getSubAdminsGroups = $subAdminManager->getSubAdminsGroups($loggedInUser); $getSubAdminsGroups = $subAdminManager->getSubAdminsGroups($loggedInUser);
@ -623,16 +657,16 @@ class UsersController extends AUserData {
* @throws OCSException * @throws OCSException
*/ */
public function addToGroup(string $userId, string $groupid = ''): DataResponse { public function addToGroup(string $userId, string $groupid = ''): DataResponse {
if($groupid === '') { if ($groupid === '') {
throw new OCSException('', 101); throw new OCSException('', 101);
} }
$group = $this->groupManager->get($groupid); $group = $this->groupManager->get($groupid);
$targetUser = $this->userManager->get($userId); $targetUser = $this->userManager->get($userId);
if($group === null) { if ($group === null) {
throw new OCSException('', 102); throw new OCSException('', 102);
} }
if($targetUser === null) { if ($targetUser === null) {
throw new OCSException('', 103); throw new OCSException('', 103);
} }
@ -660,17 +694,17 @@ class UsersController extends AUserData {
public function removeFromGroup(string $userId, string $groupid): DataResponse { public function removeFromGroup(string $userId, string $groupid): DataResponse {
$loggedInUser = $this->userSession->getUser(); $loggedInUser = $this->userSession->getUser();
if($groupid === null || trim($groupid) === '') { if ($groupid === null || trim($groupid) === '') {
throw new OCSException('', 101); throw new OCSException('', 101);
} }
$group = $this->groupManager->get($groupid); $group = $this->groupManager->get($groupid);
if($group === null) { if ($group === null) {
throw new OCSException('', 102); throw new OCSException('', 102);
} }
$targetUser = $this->userManager->get($userId); $targetUser = $this->userManager->get($userId);
if($targetUser === null) { if ($targetUser === null) {
throw new OCSException('', 103); throw new OCSException('', 103);
} }
@ -726,15 +760,15 @@ class UsersController extends AUserData {
$user = $this->userManager->get($userId); $user = $this->userManager->get($userId);
// Check if the user exists // Check if the user exists
if($user === null) { if ($user === null) {
throw new OCSException('User does not exist', 101); throw new OCSException('User does not exist', 101);
} }
// Check if group exists // Check if group exists
if($group === null) { if ($group === null) {
throw new OCSException('Group does not exist', 102); throw new OCSException('Group does not exist', 102);
} }
// Check if trying to make subadmin of admin group // Check if trying to make subadmin of admin group
if($group->getGID() === 'admin') { if ($group->getGID() === 'admin') {
throw new OCSException('Cannot create subadmins for admin group', 103); throw new OCSException('Cannot create subadmins for admin group', 103);
} }
@ -745,7 +779,7 @@ class UsersController extends AUserData {
return new DataResponse(); return new DataResponse();
} }
// Go // Go
if($subAdminManager->createSubAdmin($user, $group)) { if ($subAdminManager->createSubAdmin($user, $group)) {
return new DataResponse(); return new DataResponse();
} else { } else {
throw new OCSException('Unknown error occurred', 103); throw new OCSException('Unknown error occurred', 103);
@ -768,20 +802,20 @@ class UsersController extends AUserData {
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
// Check if the user exists // Check if the user exists
if($user === null) { if ($user === null) {
throw new OCSException('User does not exist', 101); throw new OCSException('User does not exist', 101);
} }
// Check if the group exists // Check if the group exists
if($group === null) { if ($group === null) {
throw new OCSException('Group does not exist', 101); throw new OCSException('Group does not exist', 101);
} }
// Check if they are a subadmin of this said group // Check if they are a subadmin of this said group
if(!$subAdminManager->isSubAdminOfGroup($user, $group)) { if (!$subAdminManager->isSubAdminOfGroup($user, $group)) {
throw new OCSException('User is not a subadmin of this group', 102); throw new OCSException('User is not a subadmin of this group', 102);
} }
// Go // Go
if($subAdminManager->deleteSubAdmin($user, $group)) { if ($subAdminManager->deleteSubAdmin($user, $group)) {
return new DataResponse(); return new DataResponse();
} else { } else {
throw new OCSException('Unknown error occurred', 103); throw new OCSException('Unknown error occurred', 103);
@ -814,13 +848,13 @@ class UsersController extends AUserData {
$currentLoggedInUser = $this->userSession->getUser(); $currentLoggedInUser = $this->userSession->getUser();
$targetUser = $this->userManager->get($userId); $targetUser = $this->userManager->get($userId);
if($targetUser === null) { if ($targetUser === null) {
throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND); throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND);
} }
// Check if admin / subadmin // Check if admin / subadmin
$subAdminManager = $this->groupManager->getSubAdmin(); $subAdminManager = $this->groupManager->getSubAdmin();
if(!$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser) if (!$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
&& !$this->groupManager->isAdmin($currentLoggedInUser->getUID())) { && !$this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
// No rights // No rights
throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED); throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);