AppConfigController.php 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com>
  5. *
  6. * @author Joas Schilling <coding@schilljs.com>
  7. * @author Roeland Jago Douma <roeland@famdouma.nl>
  8. *
  9. * @license GNU AGPL version 3 or any later version
  10. *
  11. * This program is free software: you can redistribute it and/or modify
  12. * it under the terms of the GNU Affero General Public License as
  13. * published by the Free Software Foundation, either version 3 of the
  14. * License, or (at your option) any later version.
  15. *
  16. * This program is distributed in the hope that it will be useful,
  17. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  18. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  19. * GNU Affero General Public License for more details.
  20. *
  21. * You should have received a copy of the GNU Affero General Public License
  22. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  23. *
  24. */
  25. namespace OCA\Provisioning_API\Controller;
  26. use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
  27. use OCP\AppFramework\Http;
  28. use OCP\AppFramework\Http\DataResponse;
  29. use OCP\AppFramework\OCSController;
  30. use OCP\IAppConfig;
  31. use OCP\IConfig;
  32. use OCP\IGroupManager;
  33. use OCP\IL10N;
  34. use OCP\IRequest;
  35. use OCP\IUser;
  36. use OCP\IUserSession;
  37. use OCP\Settings\IDelegatedSettings;
  38. use OCP\Settings\IManager;
  39. class AppConfigController extends OCSController {
  40. /** @var IConfig */
  41. protected $config;
  42. /** @var IAppConfig */
  43. protected $appConfig;
  44. /** @var IUserSession */
  45. private $userSession;
  46. /** @var IL10N */
  47. private $l10n;
  48. /** @var IGroupManager */
  49. private $groupManager;
  50. /** @var IManager */
  51. private $settingManager;
  52. /**
  53. * @param string $appName
  54. * @param IRequest $request
  55. * @param IConfig $config
  56. * @param IAppConfig $appConfig
  57. */
  58. public function __construct(string $appName,
  59. IRequest $request,
  60. IConfig $config,
  61. IAppConfig $appConfig,
  62. IUserSession $userSession,
  63. IL10N $l10n,
  64. IGroupManager $groupManager,
  65. IManager $settingManager) {
  66. parent::__construct($appName, $request);
  67. $this->config = $config;
  68. $this->appConfig = $appConfig;
  69. $this->userSession = $userSession;
  70. $this->l10n = $l10n;
  71. $this->groupManager = $groupManager;
  72. $this->settingManager = $settingManager;
  73. }
  74. /**
  75. * @return DataResponse
  76. */
  77. public function getApps(): DataResponse {
  78. return new DataResponse([
  79. 'data' => $this->appConfig->getApps(),
  80. ]);
  81. }
  82. /**
  83. * @param string $app
  84. * @return DataResponse
  85. */
  86. public function getKeys(string $app): DataResponse {
  87. try {
  88. $this->verifyAppId($app);
  89. } catch (\InvalidArgumentException $e) {
  90. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  91. }
  92. return new DataResponse([
  93. 'data' => $this->config->getAppKeys($app),
  94. ]);
  95. }
  96. /**
  97. * @param string $app
  98. * @param string $key
  99. * @param string $defaultValue
  100. * @return DataResponse
  101. */
  102. public function getValue(string $app, string $key, string $defaultValue = ''): DataResponse {
  103. try {
  104. $this->verifyAppId($app);
  105. } catch (\InvalidArgumentException $e) {
  106. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  107. }
  108. return new DataResponse([
  109. 'data' => $this->config->getAppValue($app, $key, $defaultValue),
  110. ]);
  111. }
  112. /**
  113. * @PasswordConfirmationRequired
  114. * @NoSubAdminRequired
  115. * @NoAdminRequired
  116. * @param string $app
  117. * @param string $key
  118. * @param string $value
  119. * @return DataResponse
  120. */
  121. public function setValue(string $app, string $key, string $value): DataResponse {
  122. $user = $this->userSession->getUser();
  123. if ($user === null) {
  124. throw new \Exception("User is not logged in."); // Should not happen, since method is guarded by middleware
  125. }
  126. if (!$this->isAllowedToChangedKey($user, $app, $key)) {
  127. throw new NotAdminException($this->l10n->t('Logged in user must be an administrator or have authorization to edit this setting.'));
  128. }
  129. try {
  130. $this->verifyAppId($app);
  131. $this->verifyConfigKey($app, $key, $value);
  132. } catch (\InvalidArgumentException $e) {
  133. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  134. }
  135. $this->config->setAppValue($app, $key, $value);
  136. return new DataResponse();
  137. }
  138. /**
  139. * @PasswordConfirmationRequired
  140. * @param string $app
  141. * @param string $key
  142. * @return DataResponse
  143. */
  144. public function deleteKey(string $app, string $key): DataResponse {
  145. try {
  146. $this->verifyAppId($app);
  147. $this->verifyConfigKey($app, $key, '');
  148. } catch (\InvalidArgumentException $e) {
  149. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  150. }
  151. $this->config->deleteAppValue($app, $key);
  152. return new DataResponse();
  153. }
  154. /**
  155. * @param string $app
  156. * @throws \InvalidArgumentException
  157. */
  158. protected function verifyAppId(string $app) {
  159. if (\OC_App::cleanAppId($app) !== $app) {
  160. throw new \InvalidArgumentException('Invalid app id given');
  161. }
  162. }
  163. /**
  164. * @param string $app
  165. * @param string $key
  166. * @param string $value
  167. * @throws \InvalidArgumentException
  168. */
  169. protected function verifyConfigKey(string $app, string $key, string $value) {
  170. if (in_array($key, ['installed_version', 'enabled', 'types'])) {
  171. throw new \InvalidArgumentException('The given key can not be set');
  172. }
  173. if ($app === 'core' && $key === 'encryption_enabled' && $value !== 'yes') {
  174. throw new \InvalidArgumentException('The given key can not be set');
  175. }
  176. if ($app === 'core' && (strpos($key, 'public_') === 0 || strpos($key, 'remote_') === 0)) {
  177. throw new \InvalidArgumentException('The given key can not be set');
  178. }
  179. if ($app === 'files'
  180. && $key === 'default_quota'
  181. && $value === 'none'
  182. && $this->config->getAppValue('files', 'allow_unlimited_quota', '1') === '0') {
  183. throw new \InvalidArgumentException('The given key can not be set, unlimited quota is forbidden on this instance');
  184. }
  185. }
  186. private function isAllowedToChangedKey(IUser $user, string $app, string $key): bool {
  187. // Admin right verification
  188. $isAdmin = $this->groupManager->isAdmin($user->getUID());
  189. if ($isAdmin) {
  190. return true;
  191. }
  192. $settings = $this->settingManager->getAllAllowedAdminSettings($user);
  193. foreach ($settings as $setting) {
  194. if (!($setting instanceof IDelegatedSettings)) {
  195. continue;
  196. }
  197. $allowedKeys = $setting->getAuthorizedAppConfig();
  198. if (!array_key_exists($app, $allowedKeys)) {
  199. continue;
  200. }
  201. foreach ($allowedKeys[$app] as $regex) {
  202. if ($regex === $key
  203. || (str_starts_with($regex, '/') && preg_match($regex, $key) === 1)) {
  204. return true;
  205. }
  206. }
  207. }
  208. return false;
  209. }
  210. }