nextcloud/apps/settings/lib/Service/AuthorizedGroupService.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
namespace OCA\Settings\Service;

use OC\Settings\AuthorizedGroup;
use OC\Settings\AuthorizedGroupMapper;

use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Db\MultipleObjectsReturnedException;
use OCP\DB\Exception;
use OCP\IGroup;
use Throwable;

readonly class AuthorizedGroupService {
	public function __construct(
		private AuthorizedGroupMapper $mapper,
	) {
	}

	/**
	 * @return AuthorizedGroup[]
	 * @throws Exception
	 */
	public function findAll(): array {
		return $this->mapper->findAll();
	}

	/**
	 * Find AuthorizedGroup by id.
	 * @throws DoesNotExistException
	 * @throws Exception
	 * @throws MultipleObjectsReturnedException
	 */
	public function find(int $id): ?AuthorizedGroup {
		return $this->mapper->find($id);
	}

	/**
	 * @throws NotFoundException
	 * @throws Throwable
	 */
	private function handleException(Throwable $e): void {
		if ($e instanceof DoesNotExistException
			|| $e instanceof MultipleObjectsReturnedException) {
			throw new NotFoundException('AuthorizedGroup not found');
		}

		throw $e;
	}

	/**
	 * Create a new AuthorizedGroup
	 *
	 * @throws Exception
	 * @throws ConflictException
	 * @throws MultipleObjectsReturnedException
	 */
	public function create(string $groupId, string $class): AuthorizedGroup {
		// Check if the group is already assigned to this class
		try {
			$this->mapper->findByGroupIdAndClass($groupId, $class);
			throw new ConflictException('Group is already assigned to this class');
		} catch (DoesNotExistException) {
			// This is expected when no duplicate exists, continue with creation
		}

		$authorizedGroup = new AuthorizedGroup();
		$authorizedGroup->setGroupId($groupId);
		$authorizedGroup->setClass($class);
		return $this->mapper->insert($authorizedGroup);
	}

	/**
	 * @throws NotFoundException
	 * @throws Throwable
	 */
	public function delete(int $id): void {
		try {
			$authorizedGroup = $this->mapper->find($id);
			$this->mapper->delete($authorizedGroup);
		} catch (\Exception $exception) {
			$this->handleException($exception);
		}
	}

	/**
	 * @return list<AuthorizedGroup>
	 */
	public function findExistingGroupsForClass(string $class): array {
		try {
			return $this->mapper->findExistingGroupsForClass($class);
		} catch (\Exception) {
			return [];
		}
	}

	/**
	 * @throws Throwable
	 * @throws NotFoundException
	 */
	public function removeAuthorizationAssociatedTo(IGroup $group): void {
		try {
			$this->mapper->removeGroup($group->getGID());
		} catch (\Exception $exception) {
			$this->handleException($exception);
		}
	}
}
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`<?php`

refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`declare(strict_types=1);`

Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-06-03 04:23:34 -04:00			`* SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`*/`
			`namespace OCA\Settings\Service;`

			`use OC\Settings\AuthorizedGroup;`
			`use OC\Settings\AuthorizedGroupMapper;`
chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> 2023-11-23 04:22:34 -05:00
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`use OCP\AppFramework\Db\DoesNotExistException;`
			`use OCP\AppFramework\Db\MultipleObjectsReturnedException;`
			`use OCP\DB\Exception;`
			`use OCP\IGroup;`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`use Throwable;`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`readonly class AuthorizedGroupService {`
refactor(apps): Use constructor property promotion when possible Signed-off-by: provokateurin <kate@provokateurin.de> 2024-10-18 06:04:22 -04:00			`public function __construct(`
			`private AuthorizedGroupMapper $mapper,`
			`) {`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`}`

			`/**`
			`* @return AuthorizedGroup[]`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`* @throws Exception`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`*/`
			`public function findAll(): array {`
			`return $this->mapper->findAll();`
			`}`

			`/**`
			`* Find AuthorizedGroup by id.`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`* @throws DoesNotExistException`
			`* @throws Exception`
			`* @throws MultipleObjectsReturnedException`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`*/`
			`public function find(int $id): ?AuthorizedGroup {`
			`return $this->mapper->find($id);`
			`}`

			`/**`
			`* @throws NotFoundException`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`* @throws Throwable`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`*/`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`private function handleException(Throwable $e): void {`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`if ($e instanceof DoesNotExistException`
			`\|\| $e instanceof MultipleObjectsReturnedException) {`
			`throw new NotFoundException('AuthorizedGroup not found');`
			`}`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00
			`throw $e;`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`}`

			`/**`
			`* Create a new AuthorizedGroup`
			`*`
			`* @throws Exception`
fix(admin-delegation): Prevent delegation to group if delegation already exist Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de> 2025-10-09 10:01:11 -04:00			`* @throws ConflictException`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`* @throws MultipleObjectsReturnedException`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`*/`
			`public function create(string $groupId, string $class): AuthorizedGroup {`
fix(admin-delegation): Prevent delegation to group if delegation already exist Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de> 2025-10-09 10:01:11 -04:00			`// Check if the group is already assigned to this class`
			`try {`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`$this->mapper->findByGroupIdAndClass($groupId, $class);`
			`throw new ConflictException('Group is already assigned to this class');`
			`} catch (DoesNotExistException) {`
fix(admin-delegation): Prevent delegation to group if delegation already exist Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de> 2025-10-09 10:01:11 -04:00			`// This is expected when no duplicate exists, continue with creation`
			`}`

Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`$authorizedGroup = new AuthorizedGroup();`
			`$authorizedGroup->setGroupId($groupId);`
			`$authorizedGroup->setClass($class);`
			`return $this->mapper->insert($authorizedGroup);`
			`}`

			`/**`
			`* @throws NotFoundException`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`* @throws Throwable`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`*/`
			`public function delete(int $id): void {`
			`try {`
			`$authorizedGroup = $this->mapper->find($id);`
			`$this->mapper->delete($authorizedGroup);`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`} catch (\Exception $exception) {`
			`$this->handleException($exception);`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`}`
			`}`

refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`/**`
			`* @return list<AuthorizedGroup>`
			`*/`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`public function findExistingGroupsForClass(string $class): array {`
			`try {`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`return $this->mapper->findExistingGroupsForClass($class);`
			`} catch (\Exception) {`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`return [];`
			`}`
			`}`

refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`/**`
			`* @throws Throwable`
			`* @throws NotFoundException`
			`*/`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`public function removeAuthorizationAssociatedTo(IGroup $group): void {`
			`try {`
			`$this->mapper->removeGroup($group->getGID());`
refactor(settings): Modernize authorized group classes Signed-off-by: provokateurin <kate@provokateurin.de> 2026-02-12 06:24:33 -05:00			`} catch (\Exception $exception) {`
			`$this->handleException($exception);`
Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2021-07-22 05:41:29 -04:00			`}`
			`}`
			`}`