From 24b8b615d3e6a081566fb6cb0489b9a05334a0cb Mon Sep 17 00:00:00 2001
From: Jonathan Treffler
Date: Sat, 16 Nov 2024 03:23:19 +0100
Subject: [PATCH] Allow organization folder admins to view/update/... all resources of organization folder, regardless of manager rights inheritance
---
 lib/Security/ResourceVoter.php | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/lib/Security/ResourceVoter.php b/lib/Security/ResourceVoter.php
index 422b77a..7ca7935 100644
--- a/lib/Security/ResourceVoter.php
+++ b/lib/Security/ResourceVoter.php
@@ -6,14 +6,17 @@ use OCP\IUser;
 use OCP\IGroupManager;
 use OCA\OrganizationFolders\Db\Resource;
+use OCA\OrganizationFolders\Service\OrganizationFolderMemberService;
 use OCA\OrganizationFolders\Service\ResourceService;
 use OCA\OrganizationFolders\Service\ResourceMemberService;
+use OCA\OrganizationFolders\Enum\OrganizationFolderMemberPermissionLevel;
 use OCA\OrganizationFolders\Enum\ResourceMemberPermissionLevel;
 use OCA\OrganizationFolders\Enum\PrincipalType;
 use OCA\OrganizationFolders\OrganizationProvider\OrganizationProviderManager;
 class ResourceVoter extends Voter {
 	public function __construct(
+		private OrganizationFolderMemberService $organizationFolderMemberService,
 		private ResourceService $resourceService,
 		private ResourceMemberService $resourceMemberService,
 		private IGroupManager $groupManager,
@@ -45,7 +48,29 @@ class ResourceVoter extends Voter {
 	}
 	private function isResourceOrganizationFolderAdmin(IUser $user, Resource $resource): bool {
-		// TODO: implement
+		$organizationFolderMembers = $this->organizationFolderMemberService->findAll($resource->getOrganizationFolderId(), [
+			"permissionLevel" => OrganizationFolderMemberPermissionLevel::ADMIN,
+		]);
+		foreach($organizationFolderMembers as $organizationFolderMember) {
+			// should be true for all returned members because of the filter, double check because of the big security implications
+			if($organizationFolderMember->getPermissionLevel() === OrganizationFolderMemberPermissionLevel::ADMIN->value) {
+				$principal = $organizationFolderMember->getPrincipal();
+				if($principal->getType() === PrincipalType::GROUP) {
+					if($this->userIsInGroup($user, $principal->getId())) {
+						return true;
+					}
+				} else if($principal->getType() === PrincipalType::ROLE) {
+					[$organizationProviderId, $roleId] = explode(":", $principal->getId(), 2);
+					if($this->userHasRole($user, $organizationProviderId, $roleId)) {
+						return true;
+					}
+				}
+			}
+		}
 		return false;
 	}
@@ -105,5 +130,5 @@ class ResourceVoter extends Voter {
 		$role = $organizationProvider->getRole($roleId);
 		return $this->userIsInGroup($user, $role->getMembersGroup());
-    }
+	}
 }
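Review bot: The destructuring `[$organizationProviderId, $roleId] = explode(":", $principal->getId(), 2);` in the ROLE branch has no guard for a principal id without a `:` separator; explode then returns a single element, PHP raises an undefined-offset warning and `$roleId` becomes null, which is handed straight to `userHasRole` (a TypeError under strict types if that parameter is a non-nullable string — its signature lies outside this hunk). Skipping such members keeps the admin check fail-closed: `if (!str_contains($principal->getId(), ':')) { continue; }` placed before the explode. Separately, the permission-level double check compares `getPermissionLevel()` against `OrganizationFolderMemberPermissionLevel::ADMIN->value` while `getType()` is compared against the enum case `PrincipalType::GROUP` itself; one getter presumably returns the backing scalar and the other the enum, and whichever comparison is wrong is silently always false, so both should be verified against the entity getters' declared return types (and ideally a test that an ADMIN group member is actually granted). Style: PSR-12 spells `elseif` as one word and puts a space after `if`/`foreach`.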