You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description:
All three group-assignment endpoints are annotated @NoAdminRequired with no further authorisation check. Any authenticated user can promote arbitrary Nextcloud groups to super-user or organisation-admin status.
Scenario:
POST /api/settings/user-groups/super-user
{"groups":["users"]}
Sent as any non-admin user → the entire users group is now marked as super-users.
Suggested fix:
Drop @NoAdminRequired from all three endpoints.
Add a service-layer isAdmin() guard before persisting group changes.
Severity: CRITICAL
Location:
lib/Controller/SettingsController.phplines 2399–2435 (setOrganizationAdminGroups,setSuperUserGroups,setGenericUserGroups)Description:
All three group-assignment endpoints are annotated
@NoAdminRequiredwith no further authorisation check. Any authenticated user can promote arbitrary Nextcloud groups to super-user or organisation-admin status.Scenario:
Sent as any non-admin user → the entire
usersgroup is now marked as super-users.Suggested fix:
@NoAdminRequiredfrom all three endpoints.isAdmin()guard before persisting group changes.Source: deep team-reviewer pass 2026-05-27