nextcloud/apps/settings/lib/Middleware/SubadminMiddleware.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors/**
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */

namespace OCA\Settings\Middleware;

use OC\AppFramework\Http;
use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Middleware;
use OCP\Group\ISubAdmin;
use OCP\IL10N;
use OCP\IUserSession;

/**
 * Verifies whether an user has at least subadmin rights.
 * To bypass use the `@NoSubAdminRequired` annotation
 */
class SubadminMiddleware extends Middleware {
	public function __construct(
		protected ControllerMethodReflector $reflector,
		protected IUserSession $userSession,
		protected ISubAdmin $subAdminManager,
		private IL10N $l10n,
	) {
	}

	private function isSubAdmin(): bool {
		$userObject = $this->userSession->getUser();
		if ($userObject === null) {
			return false;
		}
		return $this->subAdminManager->isSubAdmin($userObject);
	}

	/**
	 * Check if sharing is enabled before the controllers is executed
	 * @param Controller $controller
	 * @param string $methodName
	 * @throws \Exception
	 */
	public function beforeController($controller, $methodName) {
		if (!$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->reflector->hasAnnotation('AuthorizedAdminSetting')) {
			if (!$this->isSubAdmin()) {
				throw new NotAdminException($this->l10n->t('Logged in account must be a sub admin'));
			}
		}
	}

	/**
	 * Return 403 page in case of an exception
	 * @param Controller $controller
	 * @param string $methodName
	 * @param \Exception $exception
	 * @return TemplateResponse
	 * @throws \Exception
	 */
	public function afterException($controller, $methodName, \Exception $exception) {
		if ($exception instanceof NotAdminException) {
			$response = new TemplateResponse('core', '403', [], 'guest');
			$response->setStatus(Http::STATUS_FORBIDDEN);
			return $response;
		}

		throw $exception;
	}
}
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`<?php`
fix(settings): Inject subadmin manager and adapt tests, resolve a FIXME comment Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-13 06:48:12 -05:00
			`declare(strict_types=1);`

Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-06-03 04:23:34 -04:00			`* SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors/**`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`*/`
fix(settings): Inject subadmin manager and adapt tests, resolve a FIXME comment Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-13 06:48:12 -05:00
Move settings to an app Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> Signed-off-by: npmbuildbot[bot] <npmbuildbot[bot]@users.noreply.github.com> 2019-09-17 10:33:27 -04:00			`namespace OCA\Settings\Middleware;`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00
			`use OC\AppFramework\Http;`
Fix inconsistent nameing of AppFramework 2016-04-22 09:28:48 -04:00			`use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`use OC\AppFramework\Utility\ControllerMethodReflector;`
Fix middleware implementations signatures Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2017-07-26 03:03:04 -04:00			`use OCP\AppFramework\Controller;`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`use OCP\AppFramework\Http\TemplateResponse;`
			`use OCP\AppFramework\Middleware;`
fix(settings): Inject subadmin manager and adapt tests, resolve a FIXME comment Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-13 06:48:12 -05:00			`use OCP\Group\ISubAdmin;`
Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-02-26 09:32:17 -05:00			`use OCP\IL10N;`
fix(settings): Inject subadmin manager and adapt tests, resolve a FIXME comment Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-13 06:48:12 -05:00			`use OCP\IUserSession;`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00
			`/**`
			`* Verifies whether an user has at least subadmin rights.`
Unify settings middleware with others Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-06-23 14:18:38 -04:00			* To bypass use the `@NoSubAdminRequired` annotation
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`*/`
			`class SubadminMiddleware extends Middleware {`
refactor(apps): Use constructor property promotion when possible Signed-off-by: provokateurin <kate@provokateurin.de> 2024-10-18 06:04:22 -04:00			`public function __construct(`
fix(settings): Inject subadmin manager and adapt tests, resolve a FIXME comment Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-13 06:48:12 -05:00			`protected ControllerMethodReflector $reflector,`
			`protected IUserSession $userSession,`
			`protected ISubAdmin $subAdminManager,`
refactor(apps): Use constructor property promotion when possible Signed-off-by: provokateurin <kate@provokateurin.de> 2024-10-18 06:04:22 -04:00			`private IL10N $l10n,`
			`) {`
fix(settings): Inject subadmin manager and adapt tests, resolve a FIXME comment Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-13 06:48:12 -05:00			`}`

			`private function isSubAdmin(): bool {`
			`$userObject = $this->userSession->getUser();`
			`if ($userObject === null) {`
			`return false;`
			`}`
			`return $this->subAdminManager->isSubAdmin($userObject);`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`}`

			`/**`
			`* Check if sharing is enabled before the controllers is executed`
Fix middleware implementations signatures Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2017-07-26 03:03:04 -04:00			`* @param Controller $controller`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`* @param string $methodName`
			`* @throws \Exception`
			`*/`
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-08-01 11:32:03 -04:00			`public function beforeController($controller, $methodName) {`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`if (!$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->reflector->hasAnnotation('AuthorizedAdminSetting')) {`
fix(settings): Inject subadmin manager and adapt tests, resolve a FIXME comment Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-13 06:48:12 -05:00			`if (!$this->isSubAdmin()) {`
chore(i18n): Aligned grammar Signed-off-by: rakekniven <2069590+rakekniven@users.noreply.github.com> 2025-03-31 09:44:12 -04:00			`throw new NotAdminException($this->l10n->t('Logged in account must be a sub admin'));`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`}`
			`}`
			`}`

			`/**`
			`* Return 403 page in case of an exception`
Fix middleware implementations signatures Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2017-07-26 03:03:04 -04:00			`* @param Controller $controller`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`* @param string $methodName`
			`* @param \Exception $exception`
			`* @return TemplateResponse`
Throw normal exceptions instead of eating them Partially addresses https://github.com/owncloud/core/issues/22550 Replaces https://github.com/owncloud/core/pull/20185 2016-02-22 03:41:56 -05:00			`* @throws \Exception`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`*/`
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-08-01 11:32:03 -04:00			`public function afterException($controller, $methodName, \Exception $exception) {`
Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 08:19:56 -04:00			`if ($exception instanceof NotAdminException) {`
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-03-26 04:30:18 -04:00			`$response = new TemplateResponse('core', '403', [], 'guest');`
Throw normal exceptions instead of eating them Partially addresses https://github.com/owncloud/core/issues/22550 Replaces https://github.com/owncloud/core/pull/20185 2016-02-22 03:41:56 -05:00			`$response->setStatus(Http::STATUS_FORBIDDEN);`
			`return $response;`
			`}`

			`throw $exception;`
Add REST route for user & group management First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future. 2014-12-04 08:15:55 -05:00			`}`
			`}`