Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 79 additions & 15 deletions lib/Controller/ContactpersonenController.php
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,6 @@ function ($group) {
*
* @return JSONResponse Result of user creation.
*
* @NoAdminRequired
* @NoCSRFRequired
*
* @SuppressWarnings(PHPMD.CyclomaticComplexity)
Expand All @@ -274,21 +273,30 @@ function ($group) {
*/
public function convertToUser(string $contactpersoonId): JSONResponse
{
if ($this->userSession->getUser() === null) {
$currentUser = $this->userSession->getUser();
if ($currentUser === null) {
return new JSONResponse(['message' => 'Not authenticated'], Http::STATUS_UNAUTHORIZED);
}

// Only admins and org-admins may create user accounts.
$isAdmin = $this->groupManager->isAdmin($currentUser->getUID());
$isOrgAdmin = $this->groupManager->isInGroup($currentUser->getUID(), 'gebruik-beheerder')
|| $this->groupManager->isInGroup($currentUser->getUID(), 'aanbod-beheerder');
if ($isAdmin === false && $isOrgAdmin === false) {
return new JSONResponse(['message' => 'Insufficient permissions'], Http::STATUS_FORBIDDEN);
}

try {
// Get object service.
$objectService = \OC::$server->get('OCA\OpenRegister\Service\ObjectService');

// Find the contactpersoon object.
// Find the contactpersoon object — bind to current tenant.
$contactpersoonObject = $objectService->find(
id: $contactpersoonId,
register: 'voorzieningen',
schema: 'contactpersoon',
_rbac: false,
_multitenancy: false
_rbac: true,
_multitenancy: true
);

if ($contactpersoonObject === null) {
Expand Down Expand Up @@ -493,21 +501,59 @@ public function convertToUser(string $contactpersoonId): JSONResponse
/**
* Change user password.
*
* @param string $username The username.
* @param string $newPassword The new password.
* Admins may change any user's password. Regular users may only change their
* own password, and must supply the current password for confirmation.
*
* @param string $username The username.
* @param string $newPassword The new password.
* @param string $currentPassword The current password (required for self-service resets).
*
* @return JSONResponse Result of password change.
*
* @NoAdminRequired
* @NoCSRFRequired
* @spec openspec/changes/retrofit-2026-05-26-contactpersonen-api/tasks.md#task-3
*/
public function changePassword(string $username, string $newPassword): JSONResponse
public function changePassword(string $username, string $newPassword, string $currentPassword=''): JSONResponse
{
if ($this->userSession->getUser() === null) {
$currentUser = $this->userSession->getUser();
if ($currentUser === null) {
return new JSONResponse(['message' => 'Not authenticated'], Http::STATUS_UNAUTHORIZED);
}

$isAdmin = $this->groupManager->isAdmin($currentUser->getUID());
$isSelfReset = $currentUser->getUID() === $username;

// Non-admins may only change their own password.
if ($isAdmin === false && $isSelfReset === false) {
return new JSONResponse(['message' => 'Insufficient permissions'], Http::STATUS_FORBIDDEN);
}

// Self-service resets require current-password confirmation.
if ($isSelfReset === true && $isAdmin === false) {
if (empty($currentPassword) === true) {
return new JSONResponse(
[
'success' => false,
'message' => 'Current password is required for self-service password reset',
],
400
);
}

// Verify current password by checking the user's backend.
$authUser = $this->userManager->checkPassword($username, $currentPassword);
if ($authUser === false) {
return new JSONResponse(
[
'success' => false,
'message' => 'Current password is incorrect',
],
403
);
}
}//end if

try {
$user = $this->userManager->get($username);

Expand Down Expand Up @@ -1011,20 +1057,29 @@ public function getAvailableGroups(): JSONResponse
/**
* Disable a user account.
*
* Requires admin or organisation-admin (gebruik-beheerder / aanbod-beheerder) role.
*
* @param string $contactpersoonId The contactpersoon ID.
*
* @return JSONResponse Result of the disable operation.
*
* @NoAdminRequired
* @NoCSRFRequired
* @spec openspec/changes/retrofit-2026-05-26-contactpersonen-api/tasks.md#task-3
* @spec openspec/changes/retrofit-2026-05-26-contactpersonen-api/tasks.md#task-3
*/
public function disableUser(string $contactpersoonId): JSONResponse
{
if ($this->userSession->getUser() === null) {
$currentUser = $this->userSession->getUser();
if ($currentUser === null) {
return new JSONResponse(['message' => 'Not authenticated'], Http::STATUS_UNAUTHORIZED);
}

$isAdmin = $this->groupManager->isAdmin($currentUser->getUID());
$isOrgAdmin = $this->groupManager->isInGroup($currentUser->getUID(), 'gebruik-beheerder')
|| $this->groupManager->isInGroup($currentUser->getUID(), 'aanbod-beheerder');
if ($isAdmin === false && $isOrgAdmin === false) {
return new JSONResponse(['message' => 'Insufficient permissions'], Http::STATUS_FORBIDDEN);
}

try {
// Delegate to service.
$this->contactSvc->disableUserForContactpersoon($contactpersoonId);
Expand Down Expand Up @@ -1063,20 +1118,29 @@ public function disableUser(string $contactpersoonId): JSONResponse
/**
* Enable a user account.
*
* Requires admin or organisation-admin (gebruik-beheerder / aanbod-beheerder) role.
*
* @param string $contactpersoonId The contactpersoon ID.
*
* @return JSONResponse Result of the enable operation.
*
* @NoAdminRequired
* @NoCSRFRequired
* @spec openspec/changes/retrofit-2026-05-26-contactpersonen-api/tasks.md#task-3
* @spec openspec/changes/retrofit-2026-05-26-contactpersonen-api/tasks.md#task-3
*/
public function enableUser(string $contactpersoonId): JSONResponse
{
if ($this->userSession->getUser() === null) {
$currentUser = $this->userSession->getUser();
if ($currentUser === null) {
return new JSONResponse(['message' => 'Not authenticated'], Http::STATUS_UNAUTHORIZED);
}

$isAdmin = $this->groupManager->isAdmin($currentUser->getUID());
$isOrgAdmin = $this->groupManager->isInGroup($currentUser->getUID(), 'gebruik-beheerder')
|| $this->groupManager->isInGroup($currentUser->getUID(), 'aanbod-beheerder');
if ($isAdmin === false && $isOrgAdmin === false) {
return new JSONResponse(['message' => 'Insufficient permissions'], Http::STATUS_FORBIDDEN);
}

try {
// Delegate to service.
$this->contactSvc->enableUserForContactpersoon($contactpersoonId);
Expand Down
Loading