Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 34 additions & 14 deletions apps/provisioning_api/lib/users.php
Original file line number Diff line number Diff line change
Expand Up @@ -373,6 +373,27 @@ public function getUsersGroups($parameters) {

}

/**
* Returns whether the given user can manage the given group
*
* @param IUser $user user to check access
* @param IGroup|null $group group to check or null
*
* @return true if the user can manage the group
*/
private function canUserManageGroup($user, $group) {
if ($this->groupManager->isAdmin($user->getUID())) {
return true;
}

if ($group !== null) {
$subAdminManager = $this->groupManager->getSubAdmin();
return $subAdminManager->isSubAdminofGroup($user, $group);
}

return false;
}

/**
* @param array $parameters
* @return OC_OCS_Result
Expand All @@ -384,22 +405,22 @@ public function addToGroup($parameters) {
return new OC_OCS_Result(null, \OCP\API::RESPOND_UNAUTHORISED);
}

// Check they're an admin
if(!$this->groupManager->isAdmin($user->getUID())) {
// This user doesn't have rights to add a user to this group
return new OC_OCS_Result(null, \OCP\API::RESPOND_UNAUTHORISED);
}

$groupId = !empty($_POST['groupid']) ? $_POST['groupid'] : null;
if($groupId === null) {
return new OC_OCS_Result(null, 101);
}

$group = $this->groupManager->get($groupId);
$targetUser = $this->userManager->get($parameters['userid']);
if($group === null) {
if ($group === null) {
return new OC_OCS_Result(null, 102);
}

// Check they're an admin or subadmin of the group
if(!$this->canUserManageGroup($user, $group)) {
return new OC_OCS_Result(null, 104);
}

$targetUser = $this->userManager->get($parameters['userid']);
if($targetUser === null) {
return new OC_OCS_Result(null, 103);
}
Expand Down Expand Up @@ -430,16 +451,14 @@ public function removeFromGroup($parameters) {
return new OC_OCS_Result(null, 102);
}

if(!$this->canUserManageGroup($loggedInUser, $group)) {
return new OC_OCS_Result(null, 104);
}

$targetUser = $this->userManager->get($parameters['userid']);
if($targetUser === null) {
return new OC_OCS_Result(null, 103);
}

// If they're not an admin, check they are a subadmin of the group in question
$subAdminManager = $this->groupManager->getSubAdmin();
if(!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminofGroup($loggedInUser, $group)) {
return new OC_OCS_Result(null, 104);
}
// Check they aren't removing themselves from 'admin' or their 'subadmin; group
if($parameters['userid'] === $loggedInUser->getUID()) {
if($this->groupManager->isAdmin($loggedInUser->getUID())) {
Expand All @@ -448,6 +467,7 @@ public function removeFromGroup($parameters) {
}
} else {
// Not an admin, check they are not removing themself from their subadmin group
$subAdminManager = $this->groupManager->getSubAdmin();
$subAdminGroups = $subAdminManager->getSubAdminsGroups($loggedInUser);
foreach ($subAdminGroups as $key => $group) {
$subAdminGroups[$key] = $group->getGID();
Expand Down
Loading