Allow subadmins to read app config values

core/js/config.js

@@ -8,51 +8,62 @@
  * @namespace
  */
 OC.AppConfig={
-	url:OC.filePath('core','ajax','appconfig.php'),
-	getCall:function(action,data,callback){
-		data.action=action;
-		$.getJSON(OC.AppConfig.url,data,function(result){
-			if(result.status==='success'){
-				if(callback){
-					callback(result.data);
-				}
-			}
-		});
-	},
-	postCall:function(action,data,callback){
-		data.action=action;
-		return $.post(OC.AppConfig.url,data,function(result){
-			if(result.status==='success'){
-				if(callback){
-					callback(result.data);
-				}
-			}
-		},'json');
-	},
+	url:OC.generateUrl('/settings/appconfig'),
 	getValue:function(app,key,defaultValue,callback){
-		if(typeof defaultValue=='function'){
-			callback=defaultValue;
-			defaultValue=null;
+		if (defaultValue === undefined || defaultValue === null) {
+			$.ajax({
+				url: `${OC.AppConfig.url}/${app}/${key}`,
+				success: callback
+			});
+		} else {
+			$.ajax({
+				url: `${OC.AppConfig.url}/${app}/${key}?default=${defaultValue}`,
+				success: callback
+			});
 		}
-		OC.AppConfig.getCall('getValue',{app:app,key:key,defaultValue:defaultValue},callback);
 	},
 	setValue:function(app,key,value){
-		return OC.AppConfig.postCall('setValue',{app:app,key:key,value:value});
+		return $.ajax({
+			url: OC.AppConfig.url,
+			type: 'PUT',
+			data: {
+				app: app,
+				key: key,
+				value: value
+			}
+		});
 	},
 	getApps:function(callback){
-		OC.AppConfig.getCall('getApps',{},callback);
+		$.ajax({
+			url: OC.AppConfig.url,
+			success: callback
+		});
 	},
 	getKeys:function(app,callback){
-		OC.AppConfig.getCall('getKeys',{app:app},callback);
+		$.ajax({
+			url: `${OC.AppConfig.url}/${app}`,
+			success: callback
+		});
 	},
 	hasKey:function(app,key,callback){
-		OC.AppConfig.getCall('hasKey',{app:app,key:key},callback);
+		$.ajax({
+			url: `${OC.AppConfig.url}/${app}/${key}`,
+			success: function(data) {
+				callback(data !== null);
+			}
+		});
 	},
 	deleteKey:function(app,key){
-		OC.AppConfig.postCall('deleteKey',{app:app,key:key});
+		$.ajax({
+			url: `${OC.AppConfig.url}/${app}/${key}`,
+			type: 'DELETE'
+		});
 	},
 	deleteApp:function(app){
-		OC.AppConfig.postCall('deleteApp',{app:app});
+		$.ajax({
+			url: `${OC.AppConfig.url}/${app}`,
+			type: 'DELETE'
+		});
 	}
 };
 //TODO OC.Preferences

settings/Application.php

@@ -35,6 +35,7 @@
 use OC\AppFramework\Utility\TimeFactory;
 use OC\Settings\Controller\CorsController;
 use OC\Settings\Controller\SettingsPageController;
+use OC\Settings\Controller\AppConfigController;
 use OC\Settings\Controller\AppSettingsController;
 use OC\Settings\Controller\AuthSettingsController;
 use OC\Settings\Controller\CertificateController;
@@ -187,6 +188,13 @@ public function __construct(array $urlParams=[]) {
 				$c->query('L10N')
 			);
 		});
+		$container->registerService('AppConfigController', function (IContainer $c) {
+			return new AppConfigController(
+				$c->query('AppName'),
+				$c->query('Request'),
+				$c->query('ServerContainer')->getAppConfig()
+			);
+		});
 
 		/**
 		 * Middleware

settings/Controller/AppConfigController.php

@@ -0,0 +1,129 @@
+<?php
+/**
+ * @copyright Copyright (c) 2023, ownCloud GmbH
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Settings\Controller;
+
+use OCP\IAppConfig;
+use OCP\IRequest;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Http\JSONResponse;
+
+/**
+ * The code is mostly copied from core/ajax/appconfig.php
+ * Read methods (getApps, getKeys and getValue) are available to subadmins,
+ * which wasn't possible with the core/ajax/appconfig.php file. The rest of
+ * the methods require admin privileges.
+ * Note that the "hasKey" method is missing. You can do the same in a lot of
+ * cases by trying to get the value of the key.
+ *
+ * @package OC\Settings\Controller
+ */
+class AppConfigController extends Controller {
+	/** @var IAppConfig */
+	private $appConfig;
+
+	/**
+	 * @param string $appName
+	 * @param IRequest $request
+	 * @param IAppConfig $appConfig
+	 */
+	public function __construct(
+		$appName,
+		IRequest $request,
+		IAppConfig $appConfig
+	) {
+		parent::__construct($appName, $request);
+		$this->appConfig = $appConfig;
+	}
+
+	/**
+	 * @NoAdminRequired
+	 *
+	 * Get the list of apps
+	 */
+	public function getApps() {
+		return new JSONResponse($this->appConfig->getApps());
+	}
+
+	/**
+	 * @NoAdminRequired
+	 *
+	 * Get the list of keys for that particular app
+	 * @param string $app
+	 */
+	public function getKeys($app) {
+		return new JSONResponse($this->appConfig->getKeys($app));
+	}
+
+	/**
+	 * @NoAdminRequired
+	 *
+	 * Get the value of the key for that app, or the default value provided
+	 * if it's missing.
+	 * @param string $app
+	 * @param string $key
+	 * @param string $default
+	 */
+	public function getValue($app, $key, $default = null) {
+		return new JSONResponse($this->appConfig->getValue($app, $key, $default));
+	}
+
+	/**
+	 * Set the value for the target key in the app. If no value is provided,
+	 * the request will fail.
+	 * @param string $app
+	 * @param string $key
+	 * @param string $value
+	 */
+	public function setValue($app, $key, $value) {
+		if (!isset($app, $key, $value)) {
+			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+		} else {
+			return new JSONResponse($this->appConfig->setValue($app, $key, $value));
+		}
+	}
+
+	/**
+	 * Delete the key from the app
+	 * @param string $app
+	 * @param string $key
+	 */
+	public function deleteKey($app, $key) {
+		if (!isset($app, $key)) {
+			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+		} else {
+			return new JSONResponse($this->appConfig->deleteKey($app, $key));
+		}
+	}
+
+	/**
+	 * Delete the app from the appconfig. Note that this just deletes the stored
+	 * keys in the appconfig. It won't touch the app in any other way
+	 * @param string $app
+	 */
+	public function deleteApp($app) {
+		if (!isset($app)) {
+			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+		} else {
+			return new JSONResponse($this->appConfig->deleteApp($app));
+		}
+	}
+}

settings/routes.php

@@ -73,6 +73,12 @@
 		['name' => 'Users#resendInvitation', 'url' => '/resend/invitation/{userId}', 'verb' => 'POST'],
 		['name' => 'Users#setPassword', 'url' => '/setpassword/{token}/{userId}', 'verb' => 'POST'],
 		['name' => 'Groups#getAssignableAndRemovableGroups', 'url' => '/settings/groups/available', 'verb' => 'GET'],
+		['name' => 'AppConfig#getApps', 'url' => '/settings/appconfig', 'verb' => 'GET'],
+		['name' => 'AppConfig#getKeys', 'url' => '/settings/appconfig/{app}', 'verb' => 'GET'],
+		['name' => 'AppConfig#getValue', 'url' => '/settings/appconfig/{app}/{key}', 'verb' => 'GET'],
+		['name' => 'AppConfig#setValue', 'url' => '/settings/appconfig/{app?}/{key?}', 'verb' => 'PUT'], // optional params can be sent in the request body
+		['name' => 'AppConfig#deleteKey', 'url' => '/settings/appconfig/{app?}/{key?}', 'verb' => 'DELETE'], // optional params can be sent in the request body
+		['name' => 'AppConfig#deleteApp', 'url' => '/settings/appconfig/{app?}', 'verb' => 'DELETE'], // optional params can be sent in the request body
 	]
 ]);
 

tests/acceptance/features/bootstrap/WebUIUsersContext.php

@@ -237,7 +237,7 @@ public function theAdminResendsInvitationEmailUsingTheWebUI(
 	}
 
 	/**
-	 * @Then /^the (?:subadmin|administrator) should (not|)\s?be able\s? to see password field in new user form on the webUI$/
+	 * @Then /^the (?:subadmin|administrator) should (not|)\s?be able\s? to see the password field in the new user form on the webUI$/
 	 *
 	 * @param string $shouldOrNot
 	 *
@@ -262,7 +262,7 @@ public function subadminShouldBeAbleToSeePasswordFieldInNewUserForm(string $shou
 	}
 
 	/**
-	 * @Then /^the (?:subadmin|administrator) should (not|)\s?be able\s? to see email field in new user form on the webUI$/
+	 * @Then /^the (?:subadmin|administrator) should (not|)\s?be able\s? to see the email field in the new user form on the webUI$/
 	 *
 	 * @param string $shouldOrNot
 	 *

tests/acceptance/features/webUISettingsMenu/settingsMenu.feature

@@ -118,7 +118,7 @@ Feature: add users
       | Brian    |
 
   @issue-34652
-  Scenario: subadmin should be able to see password and email field
+  Scenario: subadmin should be able to see the password field but not the email field
     Given group "grp1" has been created
     And user "Alice" has been added to group "grp1"
     And user "Brian" has been added to group "grp1"
@@ -127,5 +127,5 @@ Feature: add users
     And the administrator has logged out of the webUI
     And user "Alice" has logged in using the webUI
     When the user browses to the users page
-    Then the subadmin should be able to see email field in new user form on the webUI
-    And the subadmin should be able to see password field in new user form on the webUI
+    Then the subadmin should be able to see the password field in the new user form on the webUI
+    But the subadmin should not be able to see the email field in the new user form on the webUI