Show only assignable groups to the subadmin #39752
Conversation
5df539e to a1bafab
Unless someone has a better idea, I think we'll have to skip the phan check the CI is complaining about.
Yes, there are plenty of comments in the code already:
WFM manually testing. When logged in as a subadmin:
- adding a new user and
- editing an existing user
the list of groups to choose from now only has the groups which are applicable to the subadmin.
The backend server correctly implements checks already anyway, so this was just a UI issue, not a real subadmin privilege issue.
There are already API test scenarios covering this, like:
"Scenario: subadmin should not be able to create a new user into other group"
"Scenario: a subadmin cannot add users to groups the subadmin is not responsible for"
Do we want to add UI tests that confirm that excess groups do not appear in the dropdown lists in the UI?
I'm not sure if this could be considered a security issue, since the user might not need to know the full list of groups. If so, I think we should have tests for this.
The current behavior is:
It can be a separate issue and fix/change if this behavior is not what is really required. @pmaier1 Is (1) a bug or a feature?
Kudos, SonarCloud Quality Gate passed!
I regard it as a bug. Group admins should only get the groups they are an admin of. How is the behavior for an ownCloud admin? If I'm not mistaken, the Provisioning API is anyway only usable by (group-)admin users.
Correct - ordinary users can "see" themselves in the users part of the Provisioning API, but nothing else. They can't do anything in the groups part of the Provisioning API. Full admins can do everything. Sub-admins (group admins) can do limited stuff for the members of "their" group(s). So we need to just limit/filter the response to a sub-admin when they request a list of groups.
Linking with https://github.com/owncloud/enterprise/issues/5022.
Since we'll have to deal with the provisioning API, let's merge this and fix the provisioning API in a different PR.
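The three-role model described in the comments above (full admin, sub-admin/group admin, ordinary user), with the point from the manual test that the UI dropdown is only a filter while the backend check is the real enforcement, as an added example. This is illustrative code written for this page, not ownCloud's own implementation or its Provisioning API; the user and group names, the membership table and the function names are constructed for the example.

```python
"""Constructed role model for a group-admin (sub-admin) setup.

Not ownCloud code. Users, groups and membership below are made up to show
(1) which groups each role may list or assign, (2) which users each role may
see, and (3) that the server-side check rejects an out-of-scope group even
when a pre-fix UI offered it in the dropdown.
"""
from dataclasses import dataclass

# Constructed directory: all groups, and which groups each user belongs to.
GROUPS = frozenset({"admin", "sales", "support", "finance"})
MEMBERSHIP = {
    "alice": {"admin"},
    "bob": {"sales"},
    "carol": {"sales"},
    "dave": {"finance"},
}


@dataclass(frozen=True)
class Caller:
    uid: str
    is_admin: bool = False                  # full admin: everything
    subadmin_of: frozenset = frozenset()    # groups this caller administers


ALICE = Caller("alice", is_admin=True)                              # full admin
BOB = Caller("bob", subadmin_of=frozenset({"sales", "support"}))    # sub-admin
CAROL = Caller("carol")                                             # ordinary user


def assignable_groups(caller: Caller) -> set:
    """Groups the caller may list or assign users to.

    This is what the fixed UI shows in the create/edit user dropdown and what
    a filtered group-list API response for a sub-admin should contain.
    """
    if caller.is_admin:
        return set(GROUPS)
    # Intersect so a stale sub-admin mapping to a deleted group yields nothing.
    return set(caller.subadmin_of) & GROUPS


def visible_users(caller: Caller, membership: dict) -> set:
    """Admins see everyone, sub-admins the members of their groups (plus
    themselves), ordinary users only themselves."""
    if caller.is_admin:
        return set(membership)
    if caller.subadmin_of:
        members = {u for u, gs in membership.items() if gs & caller.subadmin_of}
        return members | {caller.uid}
    return {caller.uid}


def add_user_to_group(caller: Caller, target_uid: str, group: str, membership: dict) -> None:
    """Server-side enforcement; must hold regardless of what the UI offered."""
    if group not in GROUPS:
        raise LookupError(f"no such group: {group}")
    if group not in assignable_groups(caller):
        raise PermissionError(f"{caller.uid} is not an admin of {group}")
    if target_uid not in membership:
        raise LookupError(f"no such user: {target_uid}")
    membership[target_uid].add(group)


def attempt_with_unfiltered_dropdown(caller: Caller, target_uid: str, group: str) -> str:
    """Simulate the pre-fix UI, which listed every group in the dropdown.

    The caller can pick any group, but the backend still decides. Works on a
    copy of MEMBERSHIP so repeated calls are independent.
    """
    membership = {u: set(gs) for u, gs in MEMBERSHIP.items()}
    try:
        add_user_to_group(caller, target_uid, group, membership)
        return "added"
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.uid, "may assign:", sorted(assignable_groups(who)),
              "sees:", sorted(visible_users(who, MEMBERSHIP)))
    print("bob -> carol into finance:", attempt_with_unfiltered_dropdown(BOB, "carol", "finance"))
    print("bob -> carol into support:", attempt_with_unfiltered_dropdown(BOB, "carol", "support"))
```

The filter in `assignable_groups` is the same set the dropdown should render and the group-list endpoint should return for a sub-admin; `add_user_to_group` is the check that must exist independently of it, which is why the unfiltered dropdown was a UI issue rather than a privilege escalation.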
Description
Subadmins will be shown their own assignable groups, not all the groups available
Related Issue
Reported in https://central.owncloud.org/t/10-9-1-group-admin-can-see-all-groups-even-the-ones-that-he-is-not-admin-of/36209/2
Fixes #39756
How Has This Been Tested?
The user can assign to the groups he is subadmin of. Other groups won't appear.