1
0

AppConfigController.php 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com>
  5. *
  6. * @author Joas Schilling <coding@schilljs.com>
  7. * @author Roeland Jago Douma <roeland@famdouma.nl>
  8. * @author Kate Döen <kate.doeen@nextcloud.com>
  9. *
  10. * @license GNU AGPL version 3 or any later version
  11. *
  12. * This program is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License as
  14. * published by the Free Software Foundation, either version 3 of the
  15. * License, or (at your option) any later version.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  24. *
  25. */
  26. namespace OCA\Provisioning_API\Controller;
  27. use OC\AppConfig;
  28. use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
  29. use OCP\AppFramework\Http;
  30. use OCP\AppFramework\Http\DataResponse;
  31. use OCP\AppFramework\OCSController;
  32. use OCP\IAppConfig;
  33. use OCP\IGroupManager;
  34. use OCP\IL10N;
  35. use OCP\IRequest;
  36. use OCP\IUser;
  37. use OCP\IUserSession;
  38. use OCP\Settings\IDelegatedSettings;
  39. use OCP\Settings\IManager;
  40. class AppConfigController extends OCSController {
  41. public function __construct(
  42. string $appName,
  43. IRequest $request,
  44. /** @var AppConfig */
  45. private IAppConfig $appConfig,
  46. private IUserSession $userSession,
  47. private IL10N $l10n,
  48. private IGroupManager $groupManager,
  49. private IManager $settingManager,
  50. ) {
  51. parent::__construct($appName, $request);
  52. }
  53. /**
  54. * Get a list of apps
  55. *
  56. * @return DataResponse<Http::STATUS_OK, array{data: string[]}, array{}>
  57. *
  58. * 200: Apps returned
  59. */
  60. public function getApps(): DataResponse {
  61. return new DataResponse([
  62. 'data' => $this->appConfig->getApps(),
  63. ]);
  64. }
  65. /**
  66. * Get the config keys of an app
  67. *
  68. * @param string $app ID of the app
  69. * @return DataResponse<Http::STATUS_OK, array{data: string[]}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  70. *
  71. * 200: Keys returned
  72. * 403: App is not allowed
  73. */
  74. public function getKeys(string $app): DataResponse {
  75. try {
  76. $this->verifyAppId($app);
  77. } catch (\InvalidArgumentException $e) {
  78. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  79. }
  80. return new DataResponse([
  81. 'data' => $this->appConfig->getKeys($app),
  82. ]);
  83. }
  84. /**
  85. * Get a the config value of an app
  86. *
  87. * @param string $app ID of the app
  88. * @param string $key Key
  89. * @param string $defaultValue Default returned value if the value is empty
  90. * @return DataResponse<Http::STATUS_OK, array{data: string}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  91. *
  92. * 200: Value returned
  93. * 403: App is not allowed
  94. */
  95. public function getValue(string $app, string $key, string $defaultValue = ''): DataResponse {
  96. try {
  97. $this->verifyAppId($app);
  98. } catch (\InvalidArgumentException $e) {
  99. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  100. }
  101. /** @psalm-suppress InternalMethod */
  102. $value = $this->appConfig->getValueMixed($app, $key, $defaultValue, null);
  103. return new DataResponse(['data' => $value]);
  104. }
  105. /**
  106. * @PasswordConfirmationRequired
  107. * @NoSubAdminRequired
  108. * @NoAdminRequired
  109. *
  110. * Update the config value of an app
  111. *
  112. * @param string $app ID of the app
  113. * @param string $key Key to update
  114. * @param string $value New value for the key
  115. * @return DataResponse<Http::STATUS_OK, array<empty>, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  116. *
  117. * 200: Value updated successfully
  118. * 403: App or key is not allowed
  119. */
  120. public function setValue(string $app, string $key, string $value): DataResponse {
  121. $user = $this->userSession->getUser();
  122. if ($user === null) {
  123. throw new \Exception("User is not logged in."); // Should not happen, since method is guarded by middleware
  124. }
  125. if (!$this->isAllowedToChangedKey($user, $app, $key)) {
  126. throw new NotAdminException($this->l10n->t('Logged in account must be an administrator or have authorization to edit this setting.'));
  127. }
  128. try {
  129. $this->verifyAppId($app);
  130. $this->verifyConfigKey($app, $key, $value);
  131. } catch (\InvalidArgumentException $e) {
  132. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  133. }
  134. /** @psalm-suppress InternalMethod */
  135. $this->appConfig->setValueMixed($app, $key, $value);
  136. return new DataResponse();
  137. }
  138. /**
  139. * @PasswordConfirmationRequired
  140. *
  141. * Delete a config key of an app
  142. *
  143. * @param string $app ID of the app
  144. * @param string $key Key to delete
  145. * @return DataResponse<Http::STATUS_OK, array<empty>, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  146. *
  147. * 200: Key deleted successfully
  148. * 403: App or key is not allowed
  149. */
  150. public function deleteKey(string $app, string $key): DataResponse {
  151. try {
  152. $this->verifyAppId($app);
  153. $this->verifyConfigKey($app, $key, '');
  154. } catch (\InvalidArgumentException $e) {
  155. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  156. }
  157. $this->appConfig->deleteKey($app, $key);
  158. return new DataResponse();
  159. }
  160. /**
  161. * @param string $app
  162. * @throws \InvalidArgumentException
  163. */
  164. protected function verifyAppId(string $app) {
  165. if (\OC_App::cleanAppId($app) !== $app) {
  166. throw new \InvalidArgumentException('Invalid app id given');
  167. }
  168. }
  169. /**
  170. * @param string $app
  171. * @param string $key
  172. * @param string $value
  173. * @throws \InvalidArgumentException
  174. */
  175. protected function verifyConfigKey(string $app, string $key, string $value) {
  176. if (in_array($key, ['installed_version', 'enabled', 'types'])) {
  177. throw new \InvalidArgumentException('The given key can not be set');
  178. }
  179. if ($app === 'core' && $key === 'encryption_enabled' && $value !== 'yes') {
  180. throw new \InvalidArgumentException('The given key can not be set');
  181. }
  182. if ($app === 'core' && (strpos($key, 'public_') === 0 || strpos($key, 'remote_') === 0)) {
  183. throw new \InvalidArgumentException('The given key can not be set');
  184. }
  185. if ($app === 'files'
  186. && $key === 'default_quota'
  187. && $value === 'none'
  188. && $this->appConfig->getValueInt('files', 'allow_unlimited_quota', 1) === 0) {
  189. throw new \InvalidArgumentException('The given key can not be set, unlimited quota is forbidden on this instance');
  190. }
  191. }
  192. private function isAllowedToChangedKey(IUser $user, string $app, string $key): bool {
  193. // Admin right verification
  194. $isAdmin = $this->groupManager->isAdmin($user->getUID());
  195. if ($isAdmin) {
  196. return true;
  197. }
  198. $settings = $this->settingManager->getAllAllowedAdminSettings($user);
  199. foreach ($settings as $setting) {
  200. if (!($setting instanceof IDelegatedSettings)) {
  201. continue;
  202. }
  203. $allowedKeys = $setting->getAuthorizedAppConfig();
  204. if (!array_key_exists($app, $allowedKeys)) {
  205. continue;
  206. }
  207. foreach ($allowedKeys[$app] as $regex) {
  208. if ($regex === $key
  209. || (str_starts_with($regex, '/') && preg_match($regex, $key) === 1)) {
  210. return true;
  211. }
  212. }
  213. }
  214. return false;
  215. }
  216. }