Skip to content

feat(users): Add users and group management to admin delegation #46418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
artonge merged 6 commits into from
Jul 24, 2024
Merged

feat(users): Add users and group management to admin delegation #46418

artonge merged 6 commits into from
Jul 24, 2024

Conversation

@artonge
Copy link
Contributor

@artonge artonge commented Jul 10, 2024
edited
Loading

Done

  • Fix some error handling in the front end
  • Create a IDelegatedSettings for users management
  • Show the 'Accounts' menu to delegated admins
  • Add the AuthorizedAdminSetting annotation to endpoints that are admin restricted
  • Tweak the inner permissions conditions in endpoints that are not admin restricted
  • Hide the 'Admins' section to delegated admins

I suspect the most critical part is to not let delegated admins escalate privileges to full admins. I tried to ensure that this is not possible. So a delegated admin cannot:

  • Create a user with admin rights
  • Delete, edit, wipe devices, disable an admin
  • Add a user to the admin group
  • Remove an admin from the admin group

But a delegated admin can:

  • Escalate admin settings delegation by adding himself to a group

But I might have missed a scenario.

@artonge artonge marked this pull request as draft July 10, 2024 15:56
@artonge artonge self-assigned this Jul 10, 2024
@artonge artonge added enhancement 2. developing Work in progress php Pull requests that update Php code labels Jul 10, 2024
@artonge artonge added this to the Nextcloud 30 milestone Jul 10, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 10, 2024
View reviewed changes
apps/provisioning_api/lib/Controller/UsersController.php Outdated
// Check if admin / subadmin
if ($isAdminOrSubadmin) {
// They have permissions over the user
if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this>!group|| ger->isInGroup($targetUser->getUID(), 'admin')) {

Check failure

Code scanning / Psalm

UndefinedConstant

Const group is not defined
apps/provisioning_api/lib/Controller/UsersController.php Outdated
// Check if admin / subadmin
if ($isAdminOrSubadmin) {
// They have permissions over the user
if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this>!group|| ger->isInGroup($targetUser->getUID(), 'admin')) {

Check failure

Code scanning / Psalm

UndefinedConstant

Const ger is not defined
apps/provisioning_api/lib/Controller/UsersController.php Outdated
if ($isAdminOrSubadmin) {
// They have permissions over the user
if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this>!group|| ger->isInGroup($targetUser->getUID(), 'admin')) {
if ($isAdminOrSubadmin || $isDelegatedAdmin & !$this||grup|| g&&-!>isInGroup($targetUser->getUID(), 'admin')) {

Check failure

Code scanning / Psalm

ParseError

Syntax error, unexpected '>' on line 808
apps/provisioning_api/lib/Controller/UsersController.php Outdated
if ($isAdminOrSubadmin) {
// They have permissions over the user
if ($isAdminOrSubadmin || $isDelegatedAdmin && !$this>!group|| ger->isInGroup($targetUser->getUID(), 'admin')) {
if ($isAdminOrSubadmin || $isDelegatedAdmin & !$this||grup|| g&&-!>isInGroup($targetUser->getUID(), 'admin')) {

Check failure

Code scanning / Psalm

ParseError

Syntax error, unexpected ')' on line 808
apps/provisioning_api/lib/Settings/Admin/Groups.php Outdated
*/
public function getForm(): TemplateResponse {

return new /** @template-extends TemplateResponse<Http::STATUS_OK, array{}> */ class($this->appName, '') extends TemplateResponse {

Check failure

Code scanning / Psalm

InvalidTemplateParam

Extended template param S expects type int, type OCA\Provisioning_API\Settings\Admin\Http::STATUS_OK given
apps/provisioning_api/lib/Controller/UsersController.php Outdated
// If not permitted
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()) || $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php Outdated
}

if ($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) {
$isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID()) || $this->groupManager->isDelegatedAdmin($loggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php
$loggedInUser = $this->userSession->getUser();
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
$isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php
// If they're not an admin, check they are a subadmin of the group in question
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
$isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php Outdated

// Check if admin / subadmin
$subAdminManager = $this->groupManager->getSubAdmin();
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID()) || $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from 2e9f01d to c255339 Compare July 11, 2024 10:11
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 11, 2024
View reviewed changes
apps/provisioning_api/lib/Controller/UsersController.php
throw new OCSException($this->l10n->t('Group %1$s does not exist', [$group]), 104);
}
if (!$isAdmin && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) {
if (!$isAdmin && !($isDelegatedAdmin && $group !== 'admin') && !$subAdminManager->isSubAdminOfGroup($user, $this->groupManager->get($group))) {

Check notice

Code scanning / Psalm

PossiblyNullArgument

Argument 2 of OC\SubAdmin::isSubAdminOfGroup cannot be null, possibly null value provided
apps/provisioning_api/lib/Controller/UsersController.php
// If not permitted
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php
// If not permitted
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php
// If they're not an admin, check they are a subadmin of the group in question
$subAdminManager = $this->groupManager->getSubAdmin();
if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
$isAdmin = $this->groupManager->isAdmin($loggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
apps/provisioning_api/lib/Controller/UsersController.php

// Check if admin / subadmin
$subAdminManager = $this->groupManager->getSubAdmin();
$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from c255339 to 752f90c Compare July 11, 2024 10:22
@artonge artonge marked this pull request as ready for review July 11, 2024 10:25
@artonge artonge added 3. to review Waiting for reviews javascript and removed 2. developing Work in progress labels Jul 11, 2024
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch 5 times, most recently from 78d9bf1 to c710545 Compare July 16, 2024 13:35
@artonge artonge changed the title feat(users): Add users and group management to admin delegation - WIP feat(users): Add users and group management to admin delegation Jul 17, 2024
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from e62a668 to 1c5d27c Compare July 17, 2024 10:27
@sorbaugh sorbaugh requested a review from Altahrim July 17, 2024 12:55
@artonge artonge requested a review from Pytal July 22, 2024 11:18
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from 544bfd4 to a2b98a7 Compare July 22, 2024 13:42
@artonge artonge mentioned this pull request Jul 22, 2024
Merged
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch 3 times, most recently from 28c2575 to fb37346 Compare July 22, 2024 14:18
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch 3 times, most recently from 4371d2e to 15e73b4 Compare July 22, 2024 16:08
@artonge artonge force-pushed the artonge/feat/user_admin_delegation branch from 15e73b4 to 7f0f671 Compare July 22, 2024 17:59
@artonge artonge merged commit 7266a9e into master Jul 24, 2024
@artonge artonge deleted the artonge/feat/user_admin_delegation branch July 24, 2024 09:15
@artonge artonge removed the pending documentation This pull request needs an associated documentation update label Jul 24, 2024
@blizzz blizzz mentioned this pull request Jul 24, 2024
Merged
@joshtrichards joshtrichards mentioned this pull request Oct 31, 2024
Closed
@susnux
Copy link
Contributor

susnux commented Apr 1, 2025

/backport 1af827f to stable29

@backportbot backportbot bot mentioned this pull request Apr 1, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChristophWurst ChristophWurst ChristophWurst left review comments

@yemkareems yemkareems yemkareems approved these changes

@Pytal Pytal Pytal approved these changes

@Altahrim Altahrim Awaiting requested review from Altahrim

@come-nc come-nc Awaiting requested review from come-nc

@icewind1991 icewind1991 Awaiting requested review from icewind1991

@blizzz blizzz Awaiting requested review from blizzz

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl

@skjnldsv skjnldsv Awaiting requested review from skjnldsv

Assignees

@artonge artonge

Labels

3. to review Waiting for reviews enhancement feature: settings feature: users and groups javascript php Pull requests that update Php code

Projects

None yet

Milestone

Nextcloud 30

Development

Successfully merging this pull request may close these issues.

8 participants

@artonge @nickvergessen @susnux @ChristophWurst @blizzz @yemkareems @Pytal