diff --git a/apps/provisioning_api/lib/Controller/AUserData.php b/apps/provisioning_api/lib/Controller/AUserData.php
index eb881db45e03e..d11caaa166961 100644
--- a/apps/provisioning_api/lib/Controller/AUserData.php
+++ b/apps/provisioning_api/lib/Controller/AUserData.php
@@ -20,9 +20,11 @@
 use OCP\AppFramework\OCS\OCSNotFoundException;
 use OCP\AppFramework\OCSController;
 use OCP\Files\NotFoundException;
+use OCP\Group\ISubAdmin;
 use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IRequest;
+use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
 use OCP\L10N\IFactory;
@@ -45,35 +47,18 @@ abstract class AUserData extends OCSController {
 public const USER_FIELD_MANAGER = 'manager';
 public const USER_FIELD_NOTIFICATION_EMAIL = 'notify_email';
- /** @var IUserManager */
- protected $userManager;
- /** @var IConfig */
- protected $config;
- /** @var Manager */
- protected $groupManager;
- /** @var IUserSession */
- protected $userSession;
- /** @var IAccountManager */
- protected $accountManager;
- /** @var IFactory */
- protected $l10nFactory;
-
- public function __construct(string $appName,
+ public function __construct(
+ string $appName,
 IRequest $request,
- IUserManager $userManager,
- IConfig $config,
- IGroupManager $groupManager,
- IUserSession $userSession,
- IAccountManager $accountManager,
- IFactory $l10nFactory) {
+ protected IUserManager $userManager,
+ protected IConfig $config,
+ protected IGroupManager $groupManager,
+ protected IUserSession $userSession,
+ protected IAccountManager $accountManager,
+ protected ISubAdmin $subAdminManager,
+ protected IFactory $l10nFactory,
+ ) {
 parent::__construct($appName, $request);
-
- $this->userManager = $userManager;
- $this->config = $config;
- $this->groupManager = $groupManager;
- $this->userSession = $userSession;
- $this->accountManager = $accountManager;
- $this->l10nFactory = $l10nFactory;
 }
 /**
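Review bot: In the `AUserData` constructor hunk, `ISubAdmin $subAdminManager` is inserted before `$l10nFactory` rather than appended, so any subclass that calls `parent::__construct()` positionally and is not updated would fail with a TypeError at construction. Only the two subclasses touched later in this diff are visible, so it is worth confirming there are no others. Separately, the promoted `protected IGroupManager $groupManager` replaces a property that was documented as `/** @var Manager */`; if subclass code relies on methods that exist only on the concrete `Manager`, static analysis will now flag those calls (not visible here, to be confirmed).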
@@ -136,8 +121,8 @@ protected function getUserData(string $userId, bool $includeScopes = false): ?ar
 $data['backend'] = $targetUserObject->getBackendClassName();
 $data['subadmin'] = $this->getUserSubAdminGroupsData($targetUserObject->getUID());
 $data[self::USER_FIELD_QUOTA] = $this->fillStorageInfo($targetUserObject->getUID());
- $managerUids = $targetUserObject->getManagerUids();
- $data[self::USER_FIELD_MANAGER] = empty($managerUids) ? '' : $managerUids[0];
+ $managers = $this->getManagers($targetUserObject);
+ $data[self::USER_FIELD_MANAGER] = empty($managers) ? '' : $managers[0];
 try {
 if ($includeScopes) {
@@ -206,6 +191,37 @@ protected function getUserData(string $userId, bool $includeScopes = false): ?ar
 return $data;
 }
+ /**
+ * @return string[]
+ */
+ protected function getManagers(IUser $user): array {
+ $currentLoggedInUser = $this->userSession->getUser();
+ $isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());
+ $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($currentLoggedInUser->getUID());
+ $isSubAdmin = $this->subAdminManager->isSubAdmin($currentLoggedInUser);
+
+ $managerUids = $user->getManagerUids();
+ if ($isAdmin || $isDelegatedAdmin) {
+ return $managerUids;
+ }
+
+ if ($isSubAdmin) {
+ $accessibleManagerUids = array_values(array_filter(
+ $managerUids,
+ function (string $managerUid) use ($currentLoggedInUser) {
+ $manager = $this->userManager->get($managerUid);
+ if (!($manager instanceof IUser)) {
+ return false;
+ }
+ return $this->subAdminManager->isUserAccessible($currentLoggedInUser, $manager);
+ },
+ ));
+ return $accessibleManagerUids;
+ }
+
+ return [];
+ }
+
 /**
 * Get the groups a user is a subadmin of
 *
diff --git a/apps/provisioning_api/lib/Controller/GroupsController.php b/apps/provisioning_api/lib/Controller/GroupsController.php
index 4b05f772e8f27..f0712d122618a 100644
--- a/apps/provisioning_api/lib/Controller/GroupsController.php
+++ b/apps/provisioning_api/lib/Controller/GroupsController.php
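Review bot: In the `getUserData()` hunk, `$data[self::USER_FIELD_MANAGER]` is now `''` both when the target user has no manager and when the caller may not see it, so a client cannot tell "none" from "hidden". A client that reads the field and writes it back could clear a manager it was never shown; whether any does is not visible here. `$managers[0]` is also now the first visible manager, which for a sub-admin may not be the user's first manager. A comment above the assignment would record this, e.g. `// Filtered by the caller's access: '' can mean "hidden", not only "no manager".` `getUserData()` begins and ends outside this hunk.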
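Review bot: `getManagers()` dereferences `$this->userSession->getUser()` without a null check, so if this protected helper is ever reached without a session user, the `getUID()` call on its second line is a fatal error instead of a denied read. Adding `if ($currentLoggedInUser === null) { return []; }` directly after the assignment fails closed. The docblock gives only `@return string[]`; it should state the rule the method enforces, for example `Manager UIDs of $user visible to the current user: all for admins and delegated admins, only accessible ones for sub-admins, none otherwise.` The final `return []` also hides a user's own manager from themselves on a self-lookup; if that is intended, the docblock should say so. The closure passed to `array_filter` could declare `: bool`.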
@@ -21,6 +21,7 @@
 use OCP\AppFramework\OCS\OCSForbiddenException;
 use OCP\AppFramework\OCS\OCSNotFoundException;
 use OCP\AppFramework\OCSController;
+use OCP\Group\ISubAdmin;
 use OCP\IConfig;
 use OCP\IGroup;
 use OCP\IGroupManager;
@@ -47,6 +48,7 @@ public function __construct(string $appName,
 IGroupManager $groupManager,
 IUserSession $userSession,
 IAccountManager $accountManager,
+ ISubAdmin $subAdminManager,
 IFactory $l10nFactory,
 LoggerInterface $logger) {
 parent::__construct($appName,
@@ -56,6 +58,7 @@ public function __construct(string $appName,
 $groupManager,
 $userSession,
 $accountManager,
+ $subAdminManager,
 $l10nFactory
 );
diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php
index 5be0b6b1464b2..273e63c742dab 100644
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@@ -31,6 +31,7 @@
 use OCP\AppFramework\OCS\OCSNotFoundException;
 use OCP\AppFramework\OCSController;
 use OCP\EventDispatcher\IEventDispatcher;
+use OCP\Group\ISubAdmin;
 use OCP\HintException;
 use OCP\IConfig;
 use OCP\IGroup;
@@ -63,6 +64,7 @@ public function __construct(
 IGroupManager $groupManager,
 IUserSession $userSession,
 IAccountManager $accountManager,
+ ISubAdmin $subAdminManager,
 IFactory $l10nFactory,
 private IURLGenerator $urlGenerator,
 private LoggerInterface $logger,
@@ -81,6 +83,7 @@ public function __construct(
 $groupManager,
 $userSession,
 $accountManager,
+ $subAdminManager,
 $l10nFactory
 );
@@ -946,7 +949,7 @@ public function editUser(string $userId, string $key, string $value): DataRespon
 $permittedFields[] = IAccountManager::PROPERTY_PROFILE_ENABLED;
 $permittedFields[] = IAccountManager::PROPERTY_BIRTHDATE;
 $permittedFields[] = IAccountManager::PROPERTY_PRONOUNS;
-
+
 $permittedFields[] = IAccountManager::PROPERTY_PHONE . self::SCOPE_SUFFIX;
 $permittedFields[] = IAccountManager::PROPERTY_ADDRESS . self::SCOPE_SUFFIX;
 $permittedFields[] = IAccountManager::PROPERTY_WEBSITE . self::SCOPE_SUFFIX;
diff --git a/lib/private/SubAdmin.php b/lib/private/SubAdmin.php
index c025ab7b01246..335e901a321b6 100644
--- a/lib/private/SubAdmin.php
+++ b/lib/private/SubAdmin.php
@@ -259,6 +259,9 @@ public function isSubAdmin(IUser $user): bool {
 * @return bool
 */
 public function isUserAccessible(IUser $subadmin, IUser $user): bool {
+ if ($subadmin->getUID() === $user->getUID()) {
+ return true;
+ }
 if (!$this->isSubAdmin($subadmin)) {
 return false;
 }
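Review bot: In `lib/private/SubAdmin.php`, the new self-match in `isUserAccessible()` runs before the `isSubAdmin()` guard, so the predicate now returns `true` for any user compared with themselves, including one who is not a sub-admin at all. The method reads as a shared authorization check, so callers outside this diff that rely on it returning `false` for non-sub-admins would change behaviour; they are not visible here and need auditing. Moving the added `if ($subadmin->getUID() === $user->getUID()) { return true; }` below the `if (!$this->isSubAdmin($subadmin))` guard keeps the self case for sub-admins only, which appears to be all `getManagers()` needs, since it calls this only inside its `if ($isSubAdmin)` branch. The docblock above the method (only its tail is in the hunk) should state the self case; the method body continues past the hunk.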