API: Regular user with group admin perms cannot alter group memberships #25496

Closed
dercorn opened this Issue Jul 15, 2016 · 6 comments

Projects

None yet

3 participants

@dercorn
dercorn commented Jul 15, 2016 edited

Steps to reproduce

  1. try something like this with a non-admin user with group admin permissions:
curl -X POST --user <user>:<password> https://owncloud.server/files82/ocs/v1.php/cloud/users/uiserid/groups/  -d groupid=“testgroup"
  1. Receive a status code of either 999 or 997

Expected behaviour

The API call should modify users group memberships.

Actual behaviour

You receive an error

This was tested on oc 8.2.5 and 9.0.3. This behaviour was consistent on both versions.

00005763

@cdamken
Contributor
cdamken commented Jul 27, 2016

@DeepDiver1975 @PVince81 Any clue why can be modify the memberships?

@cdamken
Contributor
cdamken commented Jul 27, 2016 edited

@tomneedham I remember you created the API, could you tell us what should be expected?

how should be the behaviour with the group admins?

@PVince81
Collaborator
PVince81 commented Aug 8, 2016

Does changing memberships work in the UI ?

Maybe there's a bug in this API. (note that the UI doesn't use this API)

@PVince81 PVince81 added this to the 9.0.5 milestone Aug 8, 2016
@PVince81
Collaborator

You need to remove the trailing slash after "groups" to have the correct API call.

Still, it doesn't work on 9.0.4, confirmed.
From what I see in the code it only checks whether the user is an admin, not subadmin.

@PVince81 PVince81 self-assigned this Aug 12, 2016
@PVince81
Collaborator

Fix is here #25788

@PVince81 PVince81 closed this in #25788 Aug 15, 2016
@cdamken
Contributor
cdamken commented Aug 15, 2016

Thanks @PVince81 !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment