nextcloud · CarlSchwan · Oct 15, 2021 · Oct 14, 2021
diff --git a/apps/dav/lib/Controller/BirthdayCalendarController.php b/apps/dav/lib/Controller/BirthdayCalendarController.php
@@ -88,6 +88,7 @@ public function __construct($appName, IRequest $request,
 
 	/**
 	 * @return Response
+	 * @AuthorizedAdminSetting(settings=OCA\DAV\Settings\CalDAVSettings)
 	 */
 	public function enable() {
 		$this->config->setAppValue($this->appName, 'generateBirthdayCalendar', 'yes');
@@ -104,6 +105,7 @@ public function enable() {
 
 	/**
 	 * @return Response
+	 * @AuthorizedAdminSetting(settings=OCA\DAV\Settings\CalDAVSettings)
 	 */
 	public function disable() {
 		$this->config->setAppValue($this->appName, 'generateBirthdayCalendar', 'no');

diff --git a/apps/dav/lib/Settings/CalDAVSettings.php b/apps/dav/lib/Settings/CalDAVSettings.php
@@ -29,16 +29,23 @@
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\IConfig;
 use OCP\AppFramework\Services\IInitialState;
-use OCP\Settings\ISettings;
+use OCP\Settings\IDelegatedSettings;
 
-class CalDAVSettings implements ISettings {
+class CalDAVSettings implements IDelegatedSettings {
 
 	/** @var IConfig */
 	private $config;
 
 	/** @var IInitialState */
 	private $initialState;
 
+	private const defaults = [
+		'sendInvitations' => 'yes',
+		'generateBirthdayCalendar' => 'yes',
+		'sendEventReminders' => 'yes',
+		'sendEventRemindersPush' => 'no',
+	];
+
 	/**
 	 * CalDAVSettings constructor.
 	 *
@@ -51,13 +58,7 @@ public function __construct(IConfig $config, IInitialState $initialState) {
 	}
 
 	public function getForm(): TemplateResponse {
-		$defaults = [
-			'sendInvitations' => 'yes',
-			'generateBirthdayCalendar' => 'yes',
-			'sendEventReminders' => 'yes',
-			'sendEventRemindersPush' => 'no',
-		];
-		foreach ($defaults as $key => $default) {
+		foreach (self::defaults as $key => $default) {
 			$value = $this->config->getAppValue(Application::APP_ID, $key, $default);
 			$this->initialState->provideInitialState($key, $value === 'yes');
 		}
@@ -77,4 +78,14 @@ public function getSection() {
 	public function getPriority() {
 		return 10;
 	}
+
+	public function getName(): ?string {
+		return null; // Only setting in this section
+	}
+
+	public function getAuthorizedAppConfig(): array {
+		return [
+			'dav' => ['/(' . implode('|', array_keys(self::defaults)) . ')/']
+		];
+	}
 }
diff --git a/apps/federatedfilesharing/lib/Settings/Admin.php b/apps/federatedfilesharing/lib/Settings/Admin.php
@@ -27,25 +27,30 @@
 use OCA\FederatedFileSharing\FederatedShareProvider;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\GlobalScale\IConfig;
-use OCP\Settings\ISettings;
+use OCP\IL10N;
+use OCP\Settings\IDelegatedSettings;
 
-class Admin implements ISettings {
+class Admin implements IDelegatedSettings {
 
 	/** @var FederatedShareProvider */
 	private $fedShareProvider;
 
 	/** @var IConfig */
 	private $gsConfig;
 
+	/** @var IL10N */
+	private $l;
+
 	/**
 	 * Admin constructor.
 	 *
 	 * @param FederatedShareProvider $fedShareProvider
 	 * @param IConfig $globalScaleConfig
 	 */
-	public function __construct(FederatedShareProvider $fedShareProvider, IConfig $globalScaleConfig) {
+	public function __construct(FederatedShareProvider $fedShareProvider, IConfig $globalScaleConfig, IL10N $l) {
 		$this->fedShareProvider = $fedShareProvider;
 		$this->gsConfig = $globalScaleConfig;
+		$this->l = $l;
 	}
 
 	/**
@@ -83,4 +88,22 @@ public function getSection() {
 	public function getPriority() {
 		return 20;
 	}
+
+	public function getName(): ?string {
+		return $this->l->t('Federated Cloud Sharing');
+	}
+
+	public function getAuthorizedAppConfig(): array {
+		return [
+			'files_sharing' => [
+				'outgoing_server2server_share_enabled',
+				'incoming_server2server_share_enabled',
+				'federatedGroupSharingSupported',
+				'outgoingServer2serverGroupShareEnabled',
+				'incomingServer2serverGroupShareEnabled',
+				'lookupServerEnabled',
+				'lookupServerUploadEnabled',
+			],
+		];
+	}
 }
diff --git a/apps/federatedfilesharing/tests/Settings/AdminTest.php b/apps/federatedfilesharing/tests/Settings/AdminTest.php
@@ -29,6 +29,7 @@
 use OCA\FederatedFileSharing\Settings\Admin;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\GlobalScale\IConfig;
+use OCP\IL10N;
 use Test\TestCase;
 
 class AdminTest extends TestCase {
@@ -45,7 +46,8 @@ protected function setUp(): void {
 		$this->gsConfig = $this->createMock(IConfig::class);
 		$this->admin = new Admin(
 			$this->federatedShareProvider,
-			$this->gsConfig
+			$this->gsConfig,
+			$this->createMock(IL10N::class)
 		);
 	}
 

diff --git a/apps/federation/lib/Controller/SettingsController.php b/apps/federation/lib/Controller/SettingsController.php
@@ -56,8 +56,9 @@ public function __construct($AppName,
 
 
 	/**
-	 * add server to the list of trusted Nextclouds
+	 * Add server to the list of trusted Nextclouds.
 	 *
+	 * @AuthorizedAdminSetting(settings=OCA\Federation\Settings\Admin)
 	 * @param string $url
 	 * @return DataResponse
 	 * @throws HintException
@@ -76,8 +77,9 @@ public function addServer($url) {
 	}
 
 	/**
-	 * add server to the list of trusted Nextclouds
+	 * Add server to the list of trusted Nextclouds.
 	 *
+	 * @AuthorizedAdminSetting(settings=OCA\Federation\Settings\Admin)
 	 * @param int $id
 	 * @return DataResponse
 	 */
@@ -87,8 +89,9 @@ public function removeServer($id) {
 	}
 
 	/**
-	 * check if the server should be added to the list of trusted servers or not
+	 * Check if the server should be added to the list of trusted servers or not.
 	 *
+	 * @AuthorizedAdminSetting(settings=OCA\Federation\Settings\Admin)
 	 * @param string $url
 	 * @return bool
 	 * @throws HintException

diff --git a/apps/federation/lib/Settings/Admin.php b/apps/federation/lib/Settings/Admin.php
@@ -24,15 +24,26 @@
 
 use OCA\Federation\TrustedServers;
 use OCP\AppFramework\Http\TemplateResponse;
-use OCP\Settings\ISettings;
+use OCP\IL10N;
+use OCP\Settings\IDelegatedSettings;
 
-class Admin implements ISettings {
+class Admin implements IDelegatedSettings {
 
 	/** @var TrustedServers */
 	private $trustedServers;
 
-	public function __construct(TrustedServers $trustedServers) {
+	/** @var IL10N */
+	private $l;
+
+	/**
+	 * Admin constructor.
+	 *
+	 * @param TrustedServers $trustedServers
+	 * @param IL10N $l
+	 */
+	public function __construct(TrustedServers $trustedServers, IL10N $l) {
 		$this->trustedServers = $trustedServers;
+		$this->l = $l;
 	}
 
 	/**
@@ -63,4 +74,12 @@ public function getSection() {
 	public function getPriority() {
 		return 30;
 	}
+
+	public function getName(): ?string {
+		return $this->l->t("Trusted servers");
+	}
+
+	public function getAuthorizedAppConfig(): array {
+		return []; // Handled by custom controller
+	}
 }
diff --git a/apps/federation/tests/Settings/AdminTest.php b/apps/federation/tests/Settings/AdminTest.php
@@ -26,6 +26,7 @@
 use OCA\Federation\Settings\Admin;
 use OCA\Federation\TrustedServers;
 use OCP\AppFramework\Http\TemplateResponse;
+use OCP\IL10N;
 use Test\TestCase;
 
 class AdminTest extends TestCase {
@@ -38,7 +39,8 @@ protected function setUp(): void {
 		parent::setUp();
 		$this->trustedServers = $this->getMockBuilder('\OCA\Federation\TrustedServers')->disableOriginalConstructor()->getMock();
 		$this->admin = new Admin(
-			$this->trustedServers
+			$this->trustedServers,
+			$this->createMock(IL10N::class)
 		);
 	}
 

diff --git a/apps/provisioning_api/lib/Controller/AppConfigController.php b/apps/provisioning_api/lib/Controller/AppConfigController.php
@@ -26,12 +26,19 @@
  */
 namespace OCA\Provisioning_API\Controller;
 
+use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\IAppConfig;
 use OCP\IConfig;
+use OCP\IGroupManager;
+use OCP\IL10N;
 use OCP\IRequest;
+use OCP\IUser;
+use OCP\IUserSession;
+use OCP\Settings\IDelegatedSettings;
+use OCP\Settings\IManager;
 
 class AppConfigController extends OCSController {
 
@@ -41,6 +48,18 @@ class AppConfigController extends OCSController {
 	/** @var IAppConfig */
 	protected $appConfig;
 
+	/** @var IUserSession */
+	private $userSession;
+
+	/** @var IL10N */
+	private $l10n;
+
+	/** @var IGroupManager */
+	private $groupManager;
+
+	/** @var IManager */
+	private $settingManager;
+
 	/**
 	 * @param string $appName
 	 * @param IRequest $request
@@ -50,10 +69,18 @@ class AppConfigController extends OCSController {
 	public function __construct(string $appName,
 								IRequest $request,
 								IConfig $config,
-								IAppConfig $appConfig) {
+								IAppConfig $appConfig,
+								IUserSession $userSession,
+								IL10N $l10n,
+								IGroupManager $groupManager,
+								IManager $settingManager) {
 		parent::__construct($appName, $request);
 		$this->config = $config;
 		$this->appConfig = $appConfig;
+		$this->userSession = $userSession;
+		$this->l10n = $l10n;
+		$this->groupManager = $groupManager;
+		$this->settingManager = $settingManager;
 	}
 
 	/**
@@ -99,12 +126,23 @@ public function getValue(string $app, string $key, string $defaultValue = ''): D
 
 	/**
 	 * @PasswordConfirmationRequired
+	 * @NoSubAdminRequired
+	 * @NoAdminRequired
 	 * @param string $app
 	 * @param string $key
 	 * @param string $value
 	 * @return DataResponse
 	 */
 	public function setValue(string $app, string $key, string $value): DataResponse {
+		$user = $this->userSession->getUser();
+		if ($user === null) {
+			throw new \Exception("User is not logged in."); // Should not happen, since method is guarded by middleware
+		}
+
+		if (!$this->isAllowedToChangedKey($user, $app, $key)) {
+			throw new NotAdminException($this->l10n->t('Logged in user must be an admin or have authorization to edit this setting.'));
+		}
+
 		try {
 			$this->verifyAppId($app);
 			$this->verifyConfigKey($app, $key, $value);
@@ -170,4 +208,30 @@ protected function verifyConfigKey(string $app, string $key, string $value) {
 			throw new \InvalidArgumentException('The given key can not be set, unlimited quota is forbidden on this instance');
 		}
 	}
+
+	private function isAllowedToChangedKey(IUser $user, string $app, string $key): bool {
+		// Admin right verification
+		$isAdmin = $this->groupManager->isAdmin($user->getUID());
+		if ($isAdmin) {
+			return true;
+		}
+
+		$settings = $this->settingManager->getAllAllowedAdminSettings($user);
+		foreach ($settings as $setting) {
+			if (!($setting instanceof IDelegatedSettings)) {
+				continue;
+			}
+			$allowedKeys = $setting->getAuthorizedAppConfig();
+			if (!array_key_exists($app, $allowedKeys)) {
+				continue;
+			}
+			foreach ($allowedKeys[$app] as $regex) {
+				if ($regex === $key
+					|| (str_starts_with($regex, '/') && preg_match($regex, $key) === 1)) {
+					return true;
+				}
+			}
+		}
+		return false;
+	}
 }
diff --git a/apps/provisioning_api/lib/Controller/GroupsController.php b/apps/provisioning_api/lib/Controller/GroupsController.php
@@ -96,9 +96,10 @@ public function getGroups(string $search = '', int $limit = null, int $offset =
 	}
 
 	/**
-	 * returns a list of groups details with ids and displaynames
+	 * Returns a list of groups details with ids and displaynames
 	 *
 	 * @NoAdminRequired
+	 * @AuthorizedAdminSetting(settings=OCA\Settings\Settings\Admin\Sharing)
 	 *
 	 * @param string $search
 	 * @param int $limit

diff --git a/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php
@@ -70,7 +70,8 @@ public function __construct(
 	 * @throws NotSubAdminException
 	 */
 	public function beforeController($controller, $methodName) {
-		if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin) {
+		// If AuthorizedAdminSetting, the check will be done in the SecurityMiddleware
+		if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin && !$this->reflector->hasAnnotation('AuthorizedAdminSetting')) {
 			throw new NotSubAdminException();
 		}
 	}