Skip to content

Comments

feat(users): Add users and group management to admin delegation#46418

Merged
artonge merged 6 commits intomasterfrom
artonge/feat/user_admin_delegation
Jul 24, 2024
Merged

feat(users): Add users and group management to admin delegation#46418
artonge merged 6 commits intomasterfrom
artonge/feat/user_admin_delegation

Conversation

@artonge
Copy link
Contributor

@artonge artonge commented Jul 10, 2024
edited
Loading

Done

  • Fix some error handling in the front end
  • Create a IDelegatedSettings for users management
  • Show the 'Accounts' menu to delegated admins
  • Add the AuthorizedAdminSetting annotation to endpoints that are admin restricted
  • Tweak the inner permissions conditions in endpoints that are not admin restricted
  • Hide the 'Admins' section to delegated admins

I suspect the most critical part is to not let delegated admins escalate privileges to full admins. I tried to ensure that this is not possible. So a delegated admin cannot:

  • Create a user with admin rights
  • Delete, edit, wipe devices, disable an admin
  • Add a user to the admin group
  • Remove an admin from the admin group

But a delegated admin can:

  • Escalate admin settings delegation by adding himself to a group

But I might have missed a scenario.

@artonge artonge marked this pull request as draft July 10, 2024 15:56
@artonge artonge self-assigned this Jul 10, 2024
@artonge artonge added enhancement 2. developing Work in progress php Pull requests that update Php code labels Jul 10, 2024
@artonge artonge added this to the Nextcloud 30 milestone Jul 10, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 10, 2024
View reviewed changes
apps/provisioning_api/lib/Controller/UsersController.php Outdated
// Check if admin / subadmin
if ($isAdminOrSubadmin) {
// They have permissions over the user
if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this>!group|| ger->isInGroup($targetUser->getUID(), 'admin')) {

Check failure

Code scanning / Psalm

UndefinedConstant

Const group is not defined
apps/provisioning_api/lib/Controller/UsersController.php Outdated
// Check if admin / subadmin
if ($isAdminOrSubadmin) {
// They have permissions over the user
if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this>!group|| ger->isInGroup($targetUser->getUID(), 'admin')) {

Check failure

Code scanning / Psalm

UndefinedConstant

Const ger is not defined
apps/provisioning_api/lib/Controller/UsersController.php Outdated
if ($isAdminOrSubadmin) {
// They have permissions over the user
if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this>!group|| ger->isInGroup($targetUser->getUID(), 'admin')) {
if ($isAdminOrSubadmin || $isDelegatedAdmin & !$this||grup|| g&&-!>isInGroup($targetUser->getUID(), 'admin')) {

Check failure

Code scanning / Psalm

ParseError

Syntax error, unexpected '>' on line 808
apps/provisioning_api/lib/Controller/UsersController.php Outdated
if ($isAdminOrSubadmin) {
// They have permissions over the user
if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this>!group|| ger->isInGroup($targetUser->getUID(), 'admin')) {
if ($isAdminOrSubadmin || $isDelegatedAdmin & !$this||grup|| g&&-!>isInGroup($targetUser->getUID(), 'admin')) {

Check failure

Code scanning / Psalm

ParseError

Syntax error, unexpected ')' on line 808
apps/provisioning_api/lib/Settings/Admin/Groups.php Outdated
*/
public function getForm(): TemplateResponse {

return new /** @template-extends TemplateResponse<Http::STATUS_OK, array{}> */ class($this->appName, '') extends TemplateResponse {

Check failure

Code scanning / Psalm

InvalidTemplateParam

Extended template param S expects type int, type OCA\Provisioning_API\Settings\Admin\Http::STATUS_OK given
apps/provisioning_api/lib/Controller/UsersController.php Outdated
// If not permitted
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()) || $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php Outdated
}

if ($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) {
$isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID()) || $this->groupManager->isDelegatedAdmin($loggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php
$loggedInUser = $this->userSession->getUser();
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
$isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php
// If they're not an admin, check they are a subadmin of the group in question
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
$isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php Outdated

// Check if admin / subadmin
$subAdminManager = $this->groupManager->getSubAdmin();
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()) || $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from 2e9f01d to c255339 Compare July 11, 2024 10:11
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 11, 2024
View reviewed changes
apps/provisioning_api/lib/Controller/UsersController.php
throw new OCSException($this->l10n->t('Group %1$s does not exist', [$group]), 104);
}
if (!$isAdmin && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) {
if (!$isAdmin && !($isDelegatedAdmin && $group !== 'admin') && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) {

Check notice

Code scanning / Psalm

PossiblyNullArgument

Argument 2 of OC\SubAdmin::isSubAdminOfGroup cannot be null, possibly null value provided
apps/provisioning_api/lib/Controller/UsersController.php
// If not permitted
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php
// If not permitted
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php
// If they're not an admin, check they are a subadmin of the group in question
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
$isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php

// Check if admin / subadmin
$subAdminManager = $this->groupManager->getSubAdmin();
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from c255339 to 752f90c Compare July 11, 2024 10:22
@artonge artonge marked this pull request as ready for review July 11, 2024 10:25
@artonge artonge added 3. to review Waiting for reviews javascript and removed 2. developing Work in progress labels Jul 11, 2024
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch 5 times, most recently from 78d9bf1 to c710545 Compare July 16, 2024 13:35
@artonge artonge changed the title feat(users): Add users and group management to admin delegation - WIP feat(users): Add users and group management to admin delegation Jul 17, 2024
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from e62a668 to 1c5d27c Compare July 17, 2024 10:27
@sorbaugh sorbaugh requested a review from Altahrim July 17, 2024 12:55
@artonge artonge requested a review from Pytal July 22, 2024 11:18
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from 544bfd4 to a2b98a7 Compare July 22, 2024 13:42
@artonge artonge mentioned this pull request Jul 22, 2024
Merged
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch 3 times, most recently from 28c2575 to fb37346 Compare July 22, 2024 14:18
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch 3 times, most recently from 4371d2e to 15e73b4 Compare July 22, 2024 16:08
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from 15e73b4 to 7f0f671 Compare July 22, 2024 17:59
@artonge artonge merged commit 7266a9e into master Jul 24, 2024
@artonge artonge deleted the artonge/feat/user_admin_delegation branch July 24, 2024 09:15
@artonge artonge removed the pending documentation This pull request needs an associated documentation update label Jul 24, 2024
@blizzz blizzz mentioned this pull request Jul 24, 2024
Merged
@joshtrichards joshtrichards mentioned this pull request Oct 31, 2024
Closed
@susnux
Copy link
Contributor

susnux commented Apr 1, 2025

/backport 1af827f to stable29

@backportbot backportbot bot mentioned this pull request Apr 1, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChristophWurst ChristophWurst ChristophWurst left review comments

@Pytal Pytal Pytal approved these changes

@Altahrim Altahrim Awaiting requested review from Altahrim

@come-nc come-nc Awaiting requested review from come-nc

@icewind1991 icewind1991 Awaiting requested review from icewind1991

@blizzz blizzz Awaiting requested review from blizzz

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl

@skjnldsv skjnldsv Awaiting requested review from skjnldsv

+1 more reviewer

@yemkareems yemkareems yemkareems approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@artonge artonge

Labels

3. to review Waiting for reviews enhancement feature: settings feature: users and groups javascript php Pull requests that update Php code

Projects

None yet

Milestone

Nextcloud 30

Development

Successfully merging this pull request may close these issues.

7 participants

@artonge @nickvergessen @susnux @ChristophWurst @blizzz @yemkareems @Pytal