From 21e478660569aa84239bb0d83809a0c08994bb66 Mon Sep 17 00:00:00 2001
From: Tortue Torche
Date: Wed, 1 Apr 2020 16:44:39 +0200
Subject: [PATCH] Add `allow_adding_any_group_members` option to allow or not adding group members from any users
Default to `1`. When value is set to `0` it's only possible to add groups where the current user is a member or for global administrators.
Fix https://github.com/nextcloud/circles/issues/128
Signed-off-by: Tortue Torche
---
 lib/Search/LocalGroups.php | 28 +++++++++++++++++++++++++---
 lib/Service/ConfigService.php | 19 +++++++++++++++++++
 lib/Service/MembersService.php | 16 ++++++++++++++--
 3 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/lib/Search/LocalGroups.php b/lib/Search/LocalGroups.php
index 7c2e3f202..594490ac8 100644
--- a/lib/Search/LocalGroups.php
+++ b/lib/Search/LocalGroups.php
@@ -26,26 +26,48 @@
 namespace OCA\Circles\Search;
+use OC;
 use OCA\Circles\ISearch;
 use OCA\Circles\Model\Member;
 use OCA\Circles\Model\SearchResult;
+use OCP\IUser;
+use OCA\Circles\Service\ConfigService;
 class LocalGroups implements ISearch {
+ /** @var ConfigService */
+ private $configService;
+
+ /**
+ * @param ConfigService $configService
+ */
+ public function __construct(ConfigService $configService)
+ {
+ $this->configService = $configService;
+ }
+
 /**
 * {@inheritdoc}
 */
 public function search($search) {
 $result = [];
- $groupManager = \OC::$server->getGroupManager();
+ $groupManager = OC::$server->getGroupManager();
 $groups = $groupManager->search($search);
+ $user = OC::$server->getUserSession()->getUser();
 foreach ($groups as $group) {
- $result[] = new SearchResult($group->getGID(), Member::TYPE_GROUP);
+ if ($this->configService->isAddingAnyGroupMembersAllowed() ||
+ (
+ $user instanceof IUser &&
+ ($group->inGroup($user) || $groupManager->isAdmin($user->getUID()))
+ )
+ ) {
+ $result[] = new SearchResult($group->getGID(), Member::TYPE_GROUP);
+ }
 }
 return $result;
 }
-}
\ No newline at end of file
+}
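Review bot: `LocalGroups` now has a required `ConfigService` constructor argument, but the diffstat lists only three files and none of them is the code that instantiates the search providers. If that code builds the class with a bare `new LocalGroups()` rather than through the container, group search would fail with an ArgumentCountError; please confirm the construction site, which is outside this patch. Separately, inside `search()` the config lookup and `$groupManager->isAdmin($user->getUID())` do not depend on `$group`, so they could be computed once before the `foreach`, e.g. `$unrestricted = $this->configService->isAddingAnyGroupMembersAllowed() || ($user instanceof IUser && $groupManager->isAdmin($user->getUID()));`.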
diff --git a/lib/Service/ConfigService.php b/lib/Service/ConfigService.php
index c1497c7ac..8ed8aede1 100644
--- a/lib/Service/ConfigService.php
+++ b/lib/Service/ConfigService.php
@@ -41,6 +41,7 @@ class ConfigService {
 const CIRCLES_ALLOW_FEDERATED_CIRCLES = 'allow_federated';
 const CIRCLES_MEMBERS_LIMIT = 'members_limit';
 const CIRCLES_ACCOUNTS_ONLY = 'accounts_only';
+ const CIRCLES_ALLOW_ANY_GROUP_MEMBERS = 'allow_adding_any_group_members';
 const CIRCLES_ALLOW_LINKED_GROUPS = 'allow_linked_groups';
 const CIRCLES_ALLOW_NON_SSL_LINKS = 'allow_non_ssl_links';
 const CIRCLES_NON_SSL_LOCAL = 'local_is_non_ssl';
@@ -66,6 +67,7 @@ class ConfigService {
 self::CIRCLES_NON_SSL_LOCAL => '0',
 self::CIRCLES_ACTIVITY_ON_CREATION => '1',
 self::CIRCLES_SKIP_INVITATION_STEP => '0'
+ self::CIRCLES_ALLOW_ANY_GROUP_MEMBERS => '1',
 ];
 /** @var string */
@@ -86,6 +88,9 @@ class ConfigService {
 /** @var int */
 private $allowedCircle = -1;
+ /** @var int */
+ private $allowAddingAnyGroupMembers = -1;
+
 /** @var int */
 private $allowedLinkedGroups = -1;
@@ -139,6 +144,20 @@ public function isCircleAllowed($type) {
 return ((int)$type & (int)$this->allowedCircle);
 }
+ /**
+ * returns if the current user is allowed to add any group members.
+ * even if he isn't a member of these groups
+ *
+ * @return bool
+ */
+ public function isAddingAnyGroupMembersAllowed() {
+ if ($this->allowAddingAnyGroupMembers === -1) {
+ $this->allowAddingAnyGroupMembers =
+ (int)$this->getAppValue(self::CIRCLES_ALLOW_ANY_GROUP_MEMBERS);
+ }
+
+ return ($this->allowAddingAnyGroupMembers === 1);
+ }
 /**
 * @return bool
diff --git a/lib/Service/MembersService.php b/lib/Service/MembersService.php
index c025187e4..d4e48b43a 100644
--- a/lib/Service/MembersService.php
+++ b/lib/Service/MembersService.php
@@ -48,7 +48,9 @@ use OCA\Circles\Exceptions\ModeratorIsNotHighEnoughException;
 use OCA\Circles\Model\Circle;
 use OCA\Circles\Model\Member;
+use OCP\IGroup;
 use OCP\IL10N;
+use OCP\IUser;
 use OCP\IUserManager;
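Review bot: The context line `self::CIRCLES_SKIP_INVITATION_STEP => '0'` has no trailing comma, and the added `self::CIRCLES_ALLOW_ANY_GROUP_MEMBERS => '1',` entry follows it directly in the `@@ -66,6 +67,7 @@` hunk, so as shown the defaults array no longer parses and ConfigService.php would fail to load. The preceding line needs to change as well: `self::CIRCLES_SKIP_INVITATION_STEP => '0',`. The opening of the array is outside the hunk.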
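Review bot: The docblock on `isAddingAnyGroupMembersAllowed()` (hunk `@@ -139,6 +144,20 @@`) describes a per-user permission, but the method only reads the app-wide `allow_adding_any_group_members` value; the membership and admin checks live in the callers. Suggested wording: `Whether the app-wide setting lets users add groups they are not a member of; callers still have to check membership or admin status when this returns false.` It is also worth stating in the docblock that the stored value is cast with `(int)` and compared to `1`, so any other value is treated as "not allowed".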
@@ -387,8 +389,18 @@ private function verifyIdentContact(&$ident, $type) {
 */
 private function addGroupMembers(Circle $circle, $groupId) {
- $group = OC::$server->getGroupManager()
- ->get($groupId);
+ $groupManager = OC::$server->getGroupManager();
+ $group = $groupManager->get($groupId);
+
+ $user = OC::$server->getUserSession()->getUser();
+
+ if (!$this->configService->isAddingAnyGroupMembersAllowed() &&
+ $group instanceof IGroup && $user instanceof IUser &&
+ !$group->inGroup($user) && !$groupManager->isAdmin($user->getUID())
+ ) {
+ $group = null;
+ }
+
 if ($group === null) {
 throw new GroupDoesNotExistException($this->l10n->t('This group does not exist'));
 }
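Review bot: The restriction in `addGroupMembers()` fails open when no session user resolves, because `$user instanceof IUser` is one of the conjuncts that must hold before `$group` is set to null. With the option set to `0` and `getUser()` returning something other than an `IUser`, the group is still added, whereas `LocalGroups::search()` in this same patch hides every group in that situation. I would compute the permission positively and treat a missing user as not permitted, as sketched below. If non-interactive callers are meant to bypass the check, that should be stated in a comment. The rest of the method body lies outside the hunk.

```php
$user = OC::$server->getUserSession()->getUser();

if (!$this->configService->isAddingAnyGroupMembersAllowed() && $group instanceof IGroup) {
	// Option disabled: only members of the group or global admins may add it.
	// No resolvable session user is treated as not permitted.
	$permitted = $user instanceof IUser
		&& ($group->inGroup($user) || $groupManager->isAdmin($user->getUID()));
	if (!$permitted) {
		$group = null;
	}
}
// … unchanged: null check throwing GroupDoesNotExistException …
```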