Skip to content

fix(provisioning_api): Allow group details access for users with admin delegation #53275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 3, 2025
Merged

fix(provisioning_api): Allow group details access for users with admin delegation #53275

merged 1 commit into from
Jun 3, 2025

Conversation

@nfebe
Copy link
Contributor

@nfebe nfebe commented Jun 3, 2025
edited
Loading

This fixes an issue where users with "Administration privileges → Users" could not access the groups details endpoint in the provisioning API, resulting in a 403 Forbidden error.

There is a problem with adding the AuthorizedAdminSetting attribute (middleware) that only allows access to users with Sharing admin privileges.

Users with "Users admin" privileges should also be able to access group details.

Resolves: #52617

Introduced in : #46815

@nfebe nfebe requested a review from a team as a code owner June 3, 2025 07:16
@nfebe nfebe requested review from sorbaugh and removed request for a team June 3, 2025 07:16
@nfebe nfebe added the 3. to review Waiting for reviews label Jun 3, 2025
@github-project-automation github-project-automation bot moved this to 🏗️ In progress in 📁 Files team Jun 3, 2025
@nfebe nfebe requested a review from come-nc June 3, 2025 07:17
@provokateurin
Copy link
Member

Introduced in : #46815

I don't get how the move from annotation to attribute should be responsible for this? Maybe you didn't read the entire commit when checking the git blame.

@nfebe
Copy link
Contributor Author

nfebe commented Jun 3, 2025

I don't get how the move from annotation to attribute should be responsible for this? Maybe you didn't read the entire commit when checking the git blame.

Right, sorry for git-blaming your commit, the issue then is simply the use of the middleware AuthorizedAdminSetting either in the middleware or annotation form (@AuthorizedAdminSetting(settings=OCA\Settings\Settings\Admin\Sharing))

provokateurin
provokateurin requested changes Jun 3, 2025
View reviewed changes
Copy link
Member

@provokateurin provokateurin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding #[AuthorizedAdminSetting(settings: Users::class)] should be enough.

@nfebe
fix(provisioning_api): Allow group details access for users with admi…
b647ca6 
…n delegation

This fixes an issue where users with "Administration privileges → Users" could not access
the groups details endpoint in the provisioning API, resulting in a 403 Forbidden error.

There is a problem with adding the  `AuthorizedAdminSetting` attribute (middleware)
that only allows access to users with Sharing admin privileges.

Users with "`Users` admin" privileges should also be able to access group details.

Resolves: #52617

Signed-off-by: nfebe <fenn25.fn@gmail.com>
@nfebe nfebe force-pushed the fix/52617/fix-group-admin-delegation branch from ca148d6 to b647ca6 Compare June 3, 2025 08:05
@nfebe nfebe requested a review from provokateurin June 3, 2025 08:06
@nfebe nfebe enabled auto-merge June 3, 2025 14:34
@nfebe
Copy link
Contributor Author

nfebe commented Jun 3, 2025

/backport to stable31

@nfebe nfebe merged commit 5d62ca6 into master Jun 3, 2025
211 of 216 checks passed
@nfebe nfebe deleted the fix/52617/fix-group-admin-delegation branch June 3, 2025 14:41
@backportbot backportbot bot mentioned this pull request Jun 3, 2025
Merged
@skjnldsv skjnldsv mentioned this pull request Aug 19, 2025
Merged
@come-nc
Copy link
Contributor

come-nc commented Aug 28, 2025

/backport to stable30

@backportbot backportbot bot mentioned this pull request Aug 28, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yemkareems yemkareems yemkareems approved these changes

@provokateurin provokateurin provokateurin approved these changes

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

@skjnldsv skjnldsv Awaiting requested review from skjnldsv

@sorbaugh sorbaugh Awaiting requested review from sorbaugh sorbaugh is a code owner automatically assigned from nextcloud/server-backend

@come-nc come-nc Awaiting requested review from come-nc

Assignees

No one assigned

Labels

3. to review Waiting for reviews

Projects

📁 Files team
Status: 🏗️ In progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Regression: Admin-privileged group members cannot see or assign users to existing groups in Nextcloud 31.0.4

5 participants

@nfebe @provokateurin @come-nc @yemkareems