1
0

GroupsController.php 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  6. * SPDX-License-Identifier: AGPL-3.0-only
  7. */
  8. namespace OCA\Provisioning_API\Controller;
  9. use OCA\Provisioning_API\ResponseDefinitions;
  10. use OCA\Settings\Settings\Admin\Sharing;
  11. use OCA\Settings\Settings\Admin\Users;
  12. use OCP\Accounts\IAccountManager;
  13. use OCP\AppFramework\Http;
  14. use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
  15. use OCP\AppFramework\Http\Attribute\NoAdminRequired;
  16. use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
  17. use OCP\AppFramework\Http\DataResponse;
  18. use OCP\AppFramework\OCS\OCSException;
  19. use OCP\AppFramework\OCS\OCSForbiddenException;
  20. use OCP\AppFramework\OCS\OCSNotFoundException;
  21. use OCP\AppFramework\OCSController;
  22. use OCP\Group\ISubAdmin;
  23. use OCP\IConfig;
  24. use OCP\IGroup;
  25. use OCP\IGroupManager;
  26. use OCP\IRequest;
  27. use OCP\IUser;
  28. use OCP\IUserManager;
  29. use OCP\IUserSession;
  30. use OCP\L10N\IFactory;
  31. use Psr\Log\LoggerInterface;
  32. /**
  33. * @psalm-import-type Provisioning_APIGroupDetails from ResponseDefinitions
  34. * @psalm-import-type Provisioning_APIUserDetails from ResponseDefinitions
  35. */
  36. class GroupsController extends AUserData {
  37. public function __construct(
  38. string $appName,
  39. IRequest $request,
  40. IUserManager $userManager,
  41. IConfig $config,
  42. IGroupManager $groupManager,
  43. IUserSession $userSession,
  44. IAccountManager $accountManager,
  45. ISubAdmin $subAdminManager,
  46. IFactory $l10nFactory,
  47. private LoggerInterface $logger,
  48. ) {
  49. parent::__construct($appName,
  50. $request,
  51. $userManager,
  52. $config,
  53. $groupManager,
  54. $userSession,
  55. $accountManager,
  56. $subAdminManager,
  57. $l10nFactory
  58. );
  59. }
  60. /**
  61. * Get a list of groups
  62. *
  63. * @param string $search Text to search for
  64. * @param ?int $limit Limit the amount of groups returned
  65. * @param int $offset Offset for searching for groups
  66. * @return DataResponse<Http::STATUS_OK, array{groups: list<string>}, array{}>
  67. *
  68. * 200: Groups returned
  69. */
  70. #[NoAdminRequired]
  71. public function getGroups(string $search = '', ?int $limit = null, int $offset = 0): DataResponse {
  72. $groups = $this->groupManager->search($search, $limit, $offset);
  73. $groups = array_values(array_map(function ($group) {
  74. /** @var IGroup $group */
  75. return $group->getGID();
  76. }, $groups));
  77. return new DataResponse(['groups' => $groups]);
  78. }
  79. /**
  80. * Get a list of groups details
  81. *
  82. * @param string $search Text to search for
  83. * @param ?int $limit Limit the amount of groups returned
  84. * @param int $offset Offset for searching for groups
  85. * @return DataResponse<Http::STATUS_OK, array{groups: list<Provisioning_APIGroupDetails>}, array{}>
  86. *
  87. * 200: Groups details returned
  88. */
  89. #[NoAdminRequired]
  90. #[AuthorizedAdminSetting(settings: Sharing::class)]
  91. public function getGroupsDetails(string $search = '', ?int $limit = null, int $offset = 0): DataResponse {
  92. $groups = $this->groupManager->search($search, $limit, $offset);
  93. $groups = array_values(array_map(function ($group) {
  94. /** @var IGroup $group */
  95. return [
  96. 'id' => $group->getGID(),
  97. 'displayname' => $group->getDisplayName(),
  98. 'usercount' => $group->count(),
  99. 'disabled' => $group->countDisabled(),
  100. 'canAdd' => $group->canAddUser(),
  101. 'canRemove' => $group->canRemoveUser(),
  102. ];
  103. }, $groups));
  104. return new DataResponse(['groups' => $groups]);
  105. }
  106. /**
  107. * Get a list of users in the specified group
  108. *
  109. * @param string $groupId ID of the group
  110. * @return DataResponse<Http::STATUS_OK, array{users: list<string>}, array{}>
  111. * @throws OCSException
  112. *
  113. * @deprecated 14 Use getGroupUsers
  114. *
  115. * 200: Group users returned
  116. */
  117. #[NoAdminRequired]
  118. public function getGroup(string $groupId): DataResponse {
  119. return $this->getGroupUsers($groupId);
  120. }
  121. /**
  122. * Get a list of users in the specified group
  123. *
  124. * @param string $groupId ID of the group
  125. * @return DataResponse<Http::STATUS_OK, array{users: list<string>}, array{}>
  126. * @throws OCSException
  127. * @throws OCSNotFoundException Group not found
  128. * @throws OCSForbiddenException Missing permissions to get users in the group
  129. *
  130. * 200: User IDs returned
  131. */
  132. #[NoAdminRequired]
  133. public function getGroupUsers(string $groupId): DataResponse {
  134. $groupId = urldecode($groupId);
  135. $user = $this->userSession->getUser();
  136. $isSubadminOfGroup = false;
  137. // Check the group exists
  138. $group = $this->groupManager->get($groupId);
  139. if ($group !== null) {
  140. $isSubadminOfGroup = $this->groupManager->getSubAdmin()->isSubAdminOfGroup($user, $group);
  141. } else {
  142. throw new OCSNotFoundException('The requested group could not be found');
  143. }
  144. // Check subadmin has access to this group
  145. $isAdmin = $this->groupManager->isAdmin($user->getUID());
  146. $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($user->getUID());
  147. if ($isAdmin || $isDelegatedAdmin || $isSubadminOfGroup) {
  148. $users = $this->groupManager->get($groupId)->getUsers();
  149. $users = array_map(function ($user) {
  150. /** @var IUser $user */
  151. return $user->getUID();
  152. }, $users);
  153. /** @var list<string> $users */
  154. $users = array_values($users);
  155. return new DataResponse(['users' => $users]);
  156. }
  157. throw new OCSForbiddenException();
  158. }
  159. /**
  160. * Get a list of users details in the specified group
  161. *
  162. * @param string $groupId ID of the group
  163. * @param string $search Text to search for
  164. * @param int|null $limit Limit the amount of groups returned
  165. * @param int $offset Offset for searching for groups
  166. *
  167. * @return DataResponse<Http::STATUS_OK, array{users: array<string, Provisioning_APIUserDetails|array{id: string}>}, array{}>
  168. * @throws OCSException
  169. *
  170. * 200: Group users details returned
  171. */
  172. #[NoAdminRequired]
  173. public function getGroupUsersDetails(string $groupId, string $search = '', ?int $limit = null, int $offset = 0): DataResponse {
  174. $groupId = urldecode($groupId);
  175. $currentUser = $this->userSession->getUser();
  176. // Check the group exists
  177. $group = $this->groupManager->get($groupId);
  178. if ($group !== null) {
  179. $isSubadminOfGroup = $this->groupManager->getSubAdmin()->isSubAdminOfGroup($currentUser, $group);
  180. } else {
  181. throw new OCSException('The requested group could not be found', OCSController::RESPOND_NOT_FOUND);
  182. }
  183. // Check subadmin has access to this group
  184. $isAdmin = $this->groupManager->isAdmin($currentUser->getUID());
  185. $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentUser->getUID());
  186. if ($isAdmin || $isDelegatedAdmin || $isSubadminOfGroup) {
  187. $users = $group->searchUsers($search, $limit, $offset);
  188. // Extract required number
  189. $usersDetails = [];
  190. foreach ($users as $user) {
  191. try {
  192. /** @var IUser $user */
  193. $userId = (string)$user->getUID();
  194. $userData = $this->getUserData($userId);
  195. // Do not insert empty entry
  196. if ($userData !== null) {
  197. $usersDetails[$userId] = $userData;
  198. } else {
  199. // Logged user does not have permissions to see this user
  200. // only showing its id
  201. $usersDetails[$userId] = ['id' => $userId];
  202. }
  203. } catch (OCSNotFoundException $e) {
  204. // continue if a users ceased to exist.
  205. }
  206. }
  207. return new DataResponse(['users' => $usersDetails]);
  208. }
  209. throw new OCSException('The requested group could not be found', OCSController::RESPOND_NOT_FOUND);
  210. }
  211. /**
  212. * Create a new group
  213. *
  214. * @param string $groupid ID of the group
  215. * @param string $displayname Display name of the group
  216. * @return DataResponse<Http::STATUS_OK, list<empty>, array{}>
  217. * @throws OCSException
  218. *
  219. * 200: Group created successfully
  220. */
  221. #[AuthorizedAdminSetting(settings:Users::class)]
  222. #[PasswordConfirmationRequired]
  223. public function addGroup(string $groupid, string $displayname = ''): DataResponse {
  224. // Validate name
  225. if (empty($groupid)) {
  226. $this->logger->error('Group name not supplied', ['app' => 'provisioning_api']);
  227. throw new OCSException('Invalid group name', 101);
  228. }
  229. // Check if it exists
  230. if ($this->groupManager->groupExists($groupid)) {
  231. throw new OCSException('group exists', 102);
  232. }
  233. $group = $this->groupManager->createGroup($groupid);
  234. if ($group === null) {
  235. throw new OCSException('Not supported by backend', 103);
  236. }
  237. if ($displayname !== '') {
  238. $group->setDisplayName($displayname);
  239. }
  240. return new DataResponse();
  241. }
  242. /**
  243. * Update a group
  244. *
  245. * @param string $groupId ID of the group
  246. * @param string $key Key to update, only 'displayname'
  247. * @param string $value New value for the key
  248. * @return DataResponse<Http::STATUS_OK, list<empty>, array{}>
  249. * @throws OCSException
  250. *
  251. * 200: Group updated successfully
  252. */
  253. #[AuthorizedAdminSetting(settings:Users::class)]
  254. #[PasswordConfirmationRequired]
  255. public function updateGroup(string $groupId, string $key, string $value): DataResponse {
  256. $groupId = urldecode($groupId);
  257. if ($key === 'displayname') {
  258. $group = $this->groupManager->get($groupId);
  259. if ($group === null) {
  260. throw new OCSException('Group does not exist', OCSController::RESPOND_NOT_FOUND);
  261. }
  262. if ($group->setDisplayName($value)) {
  263. return new DataResponse();
  264. }
  265. throw new OCSException('Not supported by backend', 101);
  266. } else {
  267. throw new OCSException('', OCSController::RESPOND_UNKNOWN_ERROR);
  268. }
  269. }
  270. /**
  271. * Delete a group
  272. *
  273. * @param string $groupId ID of the group
  274. * @return DataResponse<Http::STATUS_OK, list<empty>, array{}>
  275. * @throws OCSException
  276. *
  277. * 200: Group deleted successfully
  278. */
  279. #[AuthorizedAdminSetting(settings:Users::class)]
  280. #[PasswordConfirmationRequired]
  281. public function deleteGroup(string $groupId): DataResponse {
  282. $groupId = urldecode($groupId);
  283. // Check it exists
  284. if (!$this->groupManager->groupExists($groupId)) {
  285. throw new OCSException('', 101);
  286. } elseif ($groupId === 'admin' || !$this->groupManager->get($groupId)->delete()) {
  287. // Cannot delete admin group
  288. throw new OCSException('', 102);
  289. }
  290. return new DataResponse();
  291. }
  292. /**
  293. * Get the list of user IDs that are a subadmin of the group
  294. *
  295. * @param string $groupId ID of the group
  296. * @return DataResponse<Http::STATUS_OK, list<string>, array{}>
  297. * @throws OCSException
  298. *
  299. * 200: Sub admins returned
  300. */
  301. #[AuthorizedAdminSetting(settings:Users::class)]
  302. public function getSubAdminsOfGroup(string $groupId): DataResponse {
  303. // Check group exists
  304. $targetGroup = $this->groupManager->get($groupId);
  305. if ($targetGroup === null) {
  306. throw new OCSException('Group does not exist', 101);
  307. }
  308. /** @var IUser[] $subadmins */
  309. $subadmins = $this->groupManager->getSubAdmin()->getGroupsSubAdmins($targetGroup);
  310. // New class returns IUser[] so convert back
  311. /** @var list<string> $uids */
  312. $uids = [];
  313. foreach ($subadmins as $user) {
  314. $uids[] = $user->getUID();
  315. }
  316. return new DataResponse($uids);
  317. }
  318. }