-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent group assignment in Web UI if not supported #38298
Conversation
5c30fa1
to
2105d05
Compare
e1adb65
to
fdcf96b
Compare
fdcf96b
to
4c5d61f
Compare
https://github.com/owncloud/core/pull/38298/files#diff-b229d762bcebc1e3804ce9733dc70e9dfbf5a1890eca0825dafd5e10b2ecafccR173 introduces a dependency from ownCloud to the app. Such dependency shouldn't happen. We might need to include a new feature to solve this problem. The group backend interface could expose some options to be implemented. One of them could be "allow adding only specific users". This option not only could force the guest group to allow only guest users, but also force ldap groups to have only ldap users (this isn't restricted at the moment). Although providing a good migration path to implement this feature will likely be a challenge (user_ldap and customgroups apps will be affected, maybe more), I think this will be a more consistent solution. |
@jvillafanez From my point of view, this issue is less about "Prevent user abc from being assigned to group xyz" and more about "Prevent group yxz from being assigned to any user via Web UI (and vice versa)". Plus we wouldn't need to change the interfaces. |
@jvillafanez See https://github.com/owncloud/core/pull/38298/files#diff-b229d762bcebc1e3804ce9733dc70e9dfbf5a1890eca0825dafd5e10b2ecafccR166 for the above mentioned implementation. What do you think? |
It might fit if we assume that the operations to add and remove guest users are hidden. Basically, only the guest app is allowed to add or remove users from the guest group. I don't like too much relying on private stuff, but the solution could fit for this case. For now, I think it's worth to try |
…e groups for assignment
As discussed I implemented a Technically speaking we now have a breaking change as I had to extend the |
return; | ||
} | ||
|
||
$groupsSelect.append($('<option value="' + escapeHTML(group) + '">' + escapeHTML(group) + '</option>')); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I'm missing something, but it seems the subadmin can bypass the restrictions. I don't think it's a good idea that the subadmin can have more power than the admin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I can see, this is only used for the second group menu "Group Admin for" (=subadmin). Whereas a user cannot be assigned to the guest-group manually, the user can be assigned as its group admin. So we need to bypass the restriction here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, got it. I'm not sure if we can make it more clear... I'm pretty sure I'll ask myself the same question again the next time I go through this code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I at least added a comment for now
I can see lots of apps that reference it, for example https://github.com/owncloud/activity/blob/master/lib/FilesHooks.php#L82 But the change is an extension of the interface, and the object seems to be injected via the constructor. So the extended object should get passed in fine, and the apps should not complain that there is a bonus method. After this is merged, the nightly CI of every app will run all the app unit tests etc, so we will know the next day if there is any app to change. |
Right, but that's just an injection of the Group Manager which should be fine. Implementing the interface in another class (like the GroupManager here https://github.com/owncloud/core/blob/master/lib/private/Group/Manager.php#L61) would be a problem as it would also require the newly added method |
settings/js/users/users.js
Outdated
return; | ||
} | ||
|
||
var groupIsChecked = new Set(checked).has(group) === true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please double-check if we still support IE because it doesn't support this way of initialization.
In addition, the === true
isn't needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, the idea I had is that the checked
variable (the assignableGroups
and removableGroups
too) were a set already. I didn't want to keep traversing the whole list several times, but this solution will still do it in order to create the set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ooops yeah, you're totally right. Should create the sets before that loop.
Still, IE is an issue as OC supports IE11. Since I'm not a JS expert, I did some research on it. The proper way to convert an array to a set (supporting IE) seems to be to loop through the array and call set.add(el)
... not sure about this. I think it requires some testing which way is more efficient at the end.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're getting a list with the assignable and removable groups in https://github.com/owncloud/core/pull/38298/files#diff-89fda7202f65d0e3ad5878d84f67bb8d2f49da91cbe9efb1eebebf0228dc0e4cR672-R673 . There is where you should convert that list into a set. You'll have to traverse the list once to add the items to the set, but that's probably not different of what the "good" constructor would do it for you.
After that, that variable can be used as a set here, which should perform better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, I did some tests with ~200 groups. It's indeed faster that way. Not by a significant amount, bit still.
Ok, nothing more to add from me. |
There is lots of other stuff already merged in master that will already cause a minor version bump to 10.7.0 - so IMO stuff like this can be merged when working. @micbar please confirm. |
Kudos, SonarCloud Quality Gate passed! |
Confirmed in 10.7.0RC1
|
Description
This enhancement checks if users can be assigned to (or removed from) groups via Web UI. All group backends which do not support this functionality will be disabled in corresponding menus.
Related Issue
Screenshots (if appropriate):
Types of changes
Checklist: