Don't allow the user to set fields they can't see

Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling 2017-06-02 10:09:42 +02:00 committed by Morris Jobke
parent 477f4965ca
commit ce34db22d7
2 changed files with 33 additions and 9 deletions

View File

@ -32,6 +32,7 @@ namespace OCA\Provisioning_API\Controller;
use OC\Accounts\AccountManager; use OC\Accounts\AccountManager;
use OC\Settings\Mailer\NewUserMailHelper; use OC\Settings\Mailer\NewUserMailHelper;
use OC_Helper; use OC_Helper;
use OCP\App\IAppManager;
use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCS\OCSException; use OCP\AppFramework\OCS\OCSException;
use OCP\AppFramework\OCS\OCSForbiddenException; use OCP\AppFramework\OCS\OCSForbiddenException;
@ -52,6 +53,8 @@ class UsersController extends OCSController {
private $userManager; private $userManager;
/** @var IConfig */ /** @var IConfig */
private $config; private $config;
/** @var IAppManager */
private $appManager;
/** @var IGroupManager|\OC\Group\Manager */ // FIXME Requires a method that is not on the interface /** @var IGroupManager|\OC\Group\Manager */ // FIXME Requires a method that is not on the interface
private $groupManager; private $groupManager;
/** @var IUserSession */ /** @var IUserSession */
@ -70,6 +73,7 @@ class UsersController extends OCSController {
* @param IRequest $request * @param IRequest $request
* @param IUserManager $userManager * @param IUserManager $userManager
* @param IConfig $config * @param IConfig $config
* @param IAppManager $appManager
* @param IGroupManager $groupManager * @param IGroupManager $groupManager
* @param IUserSession $userSession * @param IUserSession $userSession
* @param AccountManager $accountManager * @param AccountManager $accountManager
@ -81,6 +85,7 @@ class UsersController extends OCSController {
IRequest $request, IRequest $request,
IUserManager $userManager, IUserManager $userManager,
IConfig $config, IConfig $config,
IAppManager $appManager,
IGroupManager $groupManager, IGroupManager $groupManager,
IUserSession $userSession, IUserSession $userSession,
AccountManager $accountManager, AccountManager $accountManager,
@ -91,6 +96,7 @@ class UsersController extends OCSController {
$this->userManager = $userManager; $this->userManager = $userManager;
$this->config = $config; $this->config = $config;
$this->appManager = $appManager;
$this->groupManager = $groupManager; $this->groupManager = $groupManager;
$this->userSession = $userSession; $this->userSession = $userSession;
$this->accountManager = $accountManager; $this->accountManager = $accountManager;
@ -309,14 +315,25 @@ class UsersController extends OCSController {
$permittedFields = []; $permittedFields = [];
if($targetUser->getUID() === $currentLoggedInUser->getUID()) { if($targetUser->getUID() === $currentLoggedInUser->getUID()) {
// Editing self (display, email) // Editing self (display, email)
$permittedFields[] = 'display'; if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
$permittedFields[] = AccountManager::PROPERTY_DISPLAYNAME; $permittedFields[] = 'display';
$permittedFields[] = AccountManager::PROPERTY_EMAIL; $permittedFields[] = AccountManager::PROPERTY_DISPLAYNAME;
$permittedFields[] = AccountManager::PROPERTY_EMAIL;
}
$permittedFields[] = 'password'; $permittedFields[] = 'password';
$permittedFields[] = AccountManager::PROPERTY_PHONE;
$permittedFields[] = AccountManager::PROPERTY_ADDRESS; if ($this->appManager->isEnabledForUser('federatedfilesharing')) {
$permittedFields[] = AccountManager::PROPERTY_WEBSITE; $federatedFileSharing = new \OCA\FederatedFileSharing\AppInfo\Application();
$permittedFields[] = AccountManager::PROPERTY_TWITTER; $shareProvider = $federatedFileSharing->getFederatedShareProvider();
if ($shareProvider->isLookupServerUploadEnabled()) {
$permittedFields[] = AccountManager::PROPERTY_PHONE;
$permittedFields[] = AccountManager::PROPERTY_ADDRESS;
$permittedFields[] = AccountManager::PROPERTY_WEBSITE;
$permittedFields[] = AccountManager::PROPERTY_TWITTER;
}
}
// If admin they can edit their own quota // If admin they can edit their own quota
if($this->groupManager->isAdmin($currentLoggedInUser->getUID())) { if($this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
$permittedFields[] = 'quota'; $permittedFields[] = 'quota';

View File

@ -32,6 +32,7 @@ namespace OCA\Provisioning_API\Tests\Controller;
use Exception; use Exception;
use OC\Accounts\AccountManager; use OC\Accounts\AccountManager;
use OC\Group\Manager; use OC\Group\Manager;
use OCP\App\IAppManager;
use OCP\Mail\IEMailTemplate; use OCP\Mail\IEMailTemplate;
use OC\Settings\Mailer\NewUserMailHelper; use OC\Settings\Mailer\NewUserMailHelper;
use OC\SubAdmin; use OC\SubAdmin;
@ -58,6 +59,8 @@ class UsersControllerTest extends TestCase {
protected $userManager; protected $userManager;
/** @var IConfig|PHPUnit_Framework_MockObject_MockObject */ /** @var IConfig|PHPUnit_Framework_MockObject_MockObject */
protected $config; protected $config;
/** @var IAppManager|PHPUnit_Framework_MockObject_MockObject */
protected $appManager;
/** @var Manager|PHPUnit_Framework_MockObject_MockObject */ /** @var Manager|PHPUnit_Framework_MockObject_MockObject */
protected $groupManager; protected $groupManager;
/** @var IUserSession|PHPUnit_Framework_MockObject_MockObject */ /** @var IUserSession|PHPUnit_Framework_MockObject_MockObject */
@ -66,9 +69,9 @@ class UsersControllerTest extends TestCase {
protected $logger; protected $logger;
/** @var UsersController|PHPUnit_Framework_MockObject_MockObject */ /** @var UsersController|PHPUnit_Framework_MockObject_MockObject */
protected $api; protected $api;
/** @var AccountManager|PHPUnit_Framework_MockObject_MockObject */ /** @var AccountManager|PHPUnit_Framework_MockObject_MockObject */
protected $accountManager; protected $accountManager;
/** @var IRequest|PHPUnit_Framework_MockObject_MockObject */ /** @var IRequest|PHPUnit_Framework_MockObject_MockObject */
protected $request; protected $request;
/** @var IFactory|PHPUnit_Framework_MockObject_MockObject */ /** @var IFactory|PHPUnit_Framework_MockObject_MockObject */
private $l10nFactory; private $l10nFactory;
@ -80,6 +83,7 @@ class UsersControllerTest extends TestCase {
$this->userManager = $this->createMock(IUserManager::class); $this->userManager = $this->createMock(IUserManager::class);
$this->config = $this->createMock(IConfig::class); $this->config = $this->createMock(IConfig::class);
$this->appManager = $this->createMock(IAppManager::class);
$this->groupManager = $this->createMock(Manager::class); $this->groupManager = $this->createMock(Manager::class);
$this->userSession = $this->createMock(IUserSession::class); $this->userSession = $this->createMock(IUserSession::class);
$this->logger = $this->createMock(ILogger::class); $this->logger = $this->createMock(ILogger::class);
@ -94,6 +98,7 @@ class UsersControllerTest extends TestCase {
$this->request, $this->request,
$this->userManager, $this->userManager,
$this->config, $this->config,
$this->appManager,
$this->groupManager, $this->groupManager,
$this->userSession, $this->userSession,
$this->accountManager, $this->accountManager,
@ -2647,6 +2652,7 @@ class UsersControllerTest extends TestCase {
$this->request, $this->request,
$this->userManager, $this->userManager,
$this->config, $this->config,
$this->appManager,
$this->groupManager, $this->groupManager,
$this->userSession, $this->userSession,
$this->accountManager, $this->accountManager,
@ -2707,6 +2713,7 @@ class UsersControllerTest extends TestCase {
$this->request, $this->request,
$this->userManager, $this->userManager,
$this->config, $this->config,
$this->appManager,
$this->groupManager, $this->groupManager,
$this->userSession, $this->userSession,
$this->accountManager, $this->accountManager,