Deny admin access when system config is set

[sharidas]

Deny admin access when system config is set
by the administrator. This will make admin
user behave as regular user for the custom groups.

Signed-off-by: Sujith H sharidasan@owncloud.com

[sharidas]

Description

The idea here is to deny admin access the custom groups. Inorder to acheive this in this PR I have added a system config customgroups.disallow-admin-edit. The sys admin can provide the list of groups whose access is denied for the admin. This would disable admin of oC to deny modification of the group name and access of members from the group -> if the group name is added to the config key customgroups.disallow-admin-edit.

Issue

• Enterprise ticket 3501

Testing done

• The system config customgroups.disallow-admin-edit is set to true
• Create users admin ( the oC admin user ), user1, user2, user3, adminSub ( another oC admin user)
  • As admin user create custom group - adminGroup
  • As user1 create custom group - user1Group
  • As user2 create custom group - user2Group
  • As user3 create custom group - user3Group
  • Now login as adminSub, this user cannot see all the groups. Which means it cannot see the groups adminGroup, user1Group, user2Group and user3Group
  • Login as admin. This user can only see adminGroup. The groups user1Group, user2Group and user3Group remain unavailable.

---

• As admin user - update the adminGroup by adding user1 to it.
• Now as user1 navigate to the custom groups page, the user should see user1Group and adminGroup. The reason for adminGroup -> user1 is a member of adminGroup

---

• Remove the config setting customgroups.disallow-admin-edit and you could see the admin's start to see all the groups.

[codecov]

Codecov Report

Merging #273 into master will increase coverage by 0.08%.
The diff coverage is 94.11%.

@@             Coverage Diff              @@
##             master     #273      +/-   ##
============================================
+ Coverage     84.67%   84.75%   +0.08%     
- Complexity      315      318       +3     
============================================
  Files            22       22              
  Lines           985      997      +12     
============================================
+ Hits            834      845      +11     
- Misses          151      152       +1

Impacted Files	Coverage Δ	Complexity Δ
lib/Dav/RootCollection.php	100% <100%> (ø)	1 <0> (ø)	⬇️
lib/Service/MembershipHelper.php	98.14% <100%> (+0.07%)	29 <0> (+2)	⬆️
lib/Dav/UsersCollection.php	94.28% <100%> (+0.34%)	14 <0> (ø)	⬇️
lib/Dav/GroupsCollection.php	96.1% <80%> (-1.16%)	30 <0> (+1)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0d49e9e...6844624. Read the comment docs.

[jvillafanez]

double-check we want to store the information there. It might be fine if we want the "ops guy" or whoever is managing the host to manage that.

[jvillafanez]

my point here is, who is going to maintain this option? because new groups can be created and for some of them we might not want the admin to edit them.

[sharidas]

Its a valid point. But lets say if there is an option to automate this, then also the admin can see this in the config.php file, right?

[jvillafanez]

Maybe we can change this a bit

if ($isUserAdmin) {
  foreach ($disallowedGroupsForAdmin......) {
    if ($groupInfo !== null && $disallowedGroupForAdmin === $groupInfo['display_name']) {
      return false;
    }
  }
}

I think this is easier to read.
Note that the $this->config->getSystemValue('customgroups.disallow-admin-edit', null); can also be moved inside the if ($isUserAdmin) (ifi the user isn't admin, no need to look for the groups), same for the $groupInfo

[jvillafanez]

good comment here 👍

[jvillafanez]

can we change the method name? the PHPDoc clarifies what the method does, but if I see isUserAdmin('admin') it isn't intuitive for me.

[sharidas]

I don't mind changing the method name, but there are instances where it would affect. For example the grep in the customgroups app shows:

lib/Dav/GroupMembershipCollection.php:          if (!$this->helper->isUserAdmin($groupId)) {
lib/Dav/GroupMembershipCollection.php:          if (!$this->helper->isUserAdmin($groupId)) {
lib/Dav/GroupMembershipCollection.php:          if (!$this->helper->isUserMember($groupId) && !$this->helper->isUserAdmin($groupId)) {
lib/Dav/GroupMembershipCollection.php:                  && !$this->helper->isUserAdmin($groupId)) {
lib/Dav/GroupMembershipCollection.php:          if (!$this->helper->isUserMember($groupId) && !$this->helper->isUserAdmin($groupId)) {
lib/Dav/GroupMembershipCollection.php:          if (!$this->helper->isUserAdmin($this->groupInfo['group_id'])) {
lib/Dav/MembershipNode.php:             if (!$this->helper->isUserAdmin($groupId)
lib/Dav/MembershipNode.php:             if (!$this->helper->isUserAdmin($groupId)) {

Would have to change in these locations too.

[jvillafanez]

pinging @micbar to decide. We can leave the method rename for a follow up PR, but we should make the PR soon.

[jvillafanez]

While reviewing the PR I've noticed a thing that should be refactored:

Changes in the Users and Root collections (in this PR) shows that the config object is just being passing around. Neither the users nor the root collections are doing anything with the config object, and it just being used because they create a group collection at some point (which is where the config object is required). This should be refactored to use a factory and move the object creation there.

I don't think we have time to fix it here (it doesn't seem an easy change), but we should include it as a technical debt to be checked the sooner the better.

[jvillafanez]

pinging @micbar to decide. We can leave the method rename for a follow up PR, but we should make the PR soon.

[jvillafanez]

Nothing to add from me. If this is tested and works properly, I think we can merge it.

[sharidas]

Another round of testing done with this PR:

Without the config setting:

• admin was able to add user(s) to the user1Group.
• Create a folder in user1 and share to user1Group. This folder only accessible to users user1 and user2 ( as these are the members of the user1Group)

With the config setting:

• admin cannot see the user1Group ( as its not the member of the group )
• user1 adds admin to user1Group and now admin can see this group. Now the admin can see the shared folder created by user1.
• Using curl try to update the display name of user1Group to user5CreateGroup123. Forbidden response is shown.
• Remove the admin from user1Group.
  • Try to remove any member of user1Group other than user1 using curl as admin user. You should see message that its not possible. A Forbidden exception is thrown.
  • Try to add a new member to user1Group using curl as admin user. You should see message that its not possible. A Forbidden exception is thrown.

With the config option set, the admin does behave like normal or regular user. It can only access the groups which it has access to (Not ALL).

[sharidas]

@micbar I have performed tests ( #273 (comment) and #273 (comment) )

• From UI and
• Also using curl. The reason for testing with curl is I wanted to make sure the system is not vulnerable when admin tries to attack the server.