
Commit c24884d

PVince81come-nc
andcommitted
Only expose storage location to admins
Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Vincent Petry <vincent@nextcloud.com>
1 parent b88864b commit c24884d


2 files changed

+16
-17
lines changed


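--- a/apps/provisioning_api/lib/Controller/AUserData.php
+++ b/apps/provisioning_api/lib/Controller/AUserData.php
@@ -104,6 +104,7 @@ public function __construct(string $appName,
 */
 protected function getUserData(string $userId, bool $includeScopes = false): array {
 $currentLoggedInUser = $this->userSession->getUser();
+assert($currentLoggedInUser !== null, 'No user logged in');
 
 $data = [];
 
@@ -113,8 +114,8 @@ protected function getUserData(string $userId, bool $includeScopes = false): arr
 throw new OCSNotFoundException('User does not exist');
 }
 
-// Should be at least Admin Or SubAdmin!
-if ($this->groupManager->isAdmin($currentLoggedInUser->getUID())
+$isAdmin = $this->groupManager->isAdmin($currentLoggedInUser->getUID());
+if ($isAdmin
 || $this->groupManager->getSubAdmin()->isUserAccessible($currentLoggedInUser, $targetUserObject)) {
 $data['enabled'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'enabled', 'true') === 'true';
 } else {
@@ -132,13 +133,15 @@ protected function getUserData(string $userId, bool $includeScopes = false): arr
 $gids[] = $group->getGID();
 }
 
-try {
-# might be thrown by LDAP due to handling of users disappears
-# from the external source (reasons unknown to us)
-# cf. https://github.com/nextcloud/server/issues/12991
-$data['storageLocation'] = $targetUserObject->getHome();
-} catch (NoUserException $e) {
-throw new OCSNotFoundException($e->getMessage(), $e);
+if ($isAdmin) {
+try {
+# might be thrown by LDAP due to handling of users disappears
+# from the external source (reasons unknown to us)
+# cf. https://github.com/nextcloud/server/issues/12991
+$data['storageLocation'] = $targetUserObject->getHome();
+} catch (NoUserException $e) {
+throw new OCSNotFoundException($e->getMessage(), $e);
+}
 }
 
 // Find the data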
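Review bot: The `assert($currentLoggedInUser !== null, 'No user logged in');` added at the top of getUserData is not a runtime guard, because PHP skips assert() when `zend.assertions` is disabled, which is the usual production setting. The `$isAdmin` value that now gates `storageLocation` is derived from `$currentLoggedInUser->getUID()`, so with a null session the request is only stopped by that call failing, not by a deliberate check. An explicit `if ($currentLoggedInUser === null)` branch that throws the OCS exception this controller uses for unauthenticated callers would hold in every configuration; presumably the route is already login-protected, so this is defence in depth. The new `if ($isAdmin) {` block would also benefit from a comment such as `// storageLocation is a server filesystem path: full admins only, not sub-admins or self-lookup`, since the removed `// Should be at least Admin Or SubAdmin!` comment is not replaced. getUserData continues past the last hunk shown.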

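--- a/apps/provisioning_api/tests/Controller/UsersControllerTest.php
+++ b/apps/provisioning_api/tests/Controller/UsersControllerTest.php
@@ -1165,9 +1165,8 @@ public function testGetUserDataAsSubAdminAndUserIsAccessible() {
 ->method('getDisplayName')
 ->willReturn('Demo User');
 $targetUser
-->expects($this->once())
-->method('getHome')
-->willReturn('/var/www/newtcloud/data/UID');
+->expects($this->never())
+->method('getHome');
 $targetUser
 ->expects($this->once())
 ->method('getLastLogin')
@@ -1206,7 +1205,6 @@ public function testGetUserDataAsSubAdminAndUserIsAccessible() {
 $expected = [
 'id' => 'UID',
 'enabled' => true,
-'storageLocation' => '/var/www/newtcloud/data/UID',
 'lastLogin' => 1521191471000,
 'backend' => 'Database',
 'subadmin' => [],
@@ -1349,9 +1347,8 @@ public function testGetUserDataAsSubAdminSelfLookup() {
 ->method('getUID')
 ->willReturn('UID');
 $targetUser
-->expects($this->once())
-->method('getHome')
-->willReturn('/var/www/newtcloud/data/UID');
+->expects($this->never())
+->method('getHome');
 $targetUser
 ->expects($this->once())
 ->method('getLastLogin')
@@ -1385,7 +1382,6 @@ public function testGetUserDataAsSubAdminSelfLookup() {
 
 $expected = [
 'id' => 'UID',
-'storageLocation' => '/var/www/newtcloud/data/UID',
 'lastLogin' => 1521191471000,
 'backend' => 'Database',
 'subadmin' => [],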
