fix(accounts): enforce per-property scope restrictions via API#60348
Open
miaulalala wants to merge 1 commit into
Conversation
Adds `UNPUBLISHED_PROPERTIES` to `IAccountManager` for profile fields that must never be federated or published to the global lookup server (biography, birthdate, headline, organisation, role), matching the frontend's `UNPUBLISHED_READABLE_PROPERTIES` constant.

Enforces two new constraints in `testPropertyScope`:

- `UNPUBLISHED_PROPERTIES` may not use `SCOPE_FEDERATED` or `SCOPE_PUBLISHED`, even when set via the API.
- `SCOPE_PUBLISHED` is rejected for all properties unless the admin has enabled lookup server upload (`files_sharing.lookupServerUploadEnabled`).

Previously the `PUT /ocs/v2.php/cloud/users/<uid>` endpoint accepted any valid scope value regardless of these restrictions, allowing users to bypass the visibility limits enforced by the frontend UI.

Fixes #59225

Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Author (Contributor): /backport to stable33

Author (Contributor): /backport to stable32
Summary

Fixes #59225 — the `PUT /ocs/v2.php/cloud/users/<uid>` API accepted any valid scope value for any profile property, allowing users to bypass the visibility restrictions enforced by the frontend UI (e.g. setting `websiteScope=v2-published` on an instance where the admin has disabled lookup server upload).

- `IAccountManager::UNPUBLISHED_PROPERTIES` constant listing the profile fields that must never be federated or published (biography, birthdate, headline, organisation, role) — mirrors the frontend's `UNPUBLISHED_READABLE_PROPERTIES`
- `testPropertyScope` now rejects `SCOPE_FEDERATED`/`SCOPE_PUBLISHED` for those properties
- `testPropertyScope` now rejects `SCOPE_PUBLISHED` for all properties unless the admin has enabled lookup server upload (`files_sharing.lookupServerUploadEnabled`)

Test plan

- `NOCOVERAGE=1 ./autotest.sh sqlite tests/lib/Accounts/AccountManagerTest.php` — all 63 tests pass including 3 new ones
- `PUT /ocs/v2.php/cloud/users/<uid>` with `biographyScope=v2-federated` → expect HTTP 400 `Invalid scope`
- `PUT /ocs/v2.php/cloud/users/<uid>` with `websiteScope=v2-published` on an instance with lookup server upload disabled → expect HTTP 400 `Invalid scope`

🤖 Generated with Claude Code
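The two server-side constraints from the description, written out as an added illustration (not Nextcloud's own `testPropertyScope`). The `v2-*` scope strings and field names are those quoted above; `validatePropertyScope`, the `$appConfig` array standing in for `IConfig`, and its conservative default are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Scope values as they appear in the OCS API (quoted in the PR description).
const SCOPE_PRIVATE   = 'v2-private';
const SCOPE_LOCAL     = 'v2-local';
const SCOPE_FEDERATED = 'v2-federated';
const SCOPE_PUBLISHED = 'v2-published';
const ALLOWED_SCOPES  = [SCOPE_PRIVATE, SCOPE_LOCAL, SCOPE_FEDERATED, SCOPE_PUBLISHED];

// Fields that must never leave the instance, mirroring UNPUBLISHED_PROPERTIES.
const UNPUBLISHED_PROPERTIES = ['biography', 'birthdate', 'headline', 'organisation', 'role'];

/**
 * Hypothetical validator with the checks the PR adds. Throws on any scope the
 * frontend would never offer, so the endpoint can answer HTTP 400 "Invalid scope".
 *
 * @param array<string,string> $appConfig stand-in for IConfig app values (assumed)
 */
function validatePropertyScope(string $property, string $scope, array $appConfig): void {
    if (!in_array($scope, ALLOWED_SCOPES, true)) {
        throw new InvalidArgumentException('Invalid scope');
    }
    // Constraint 1: unpublished fields may only be private or local, API or not.
    if (in_array($property, UNPUBLISHED_PROPERTIES, true)
        && in_array($scope, [SCOPE_FEDERATED, SCOPE_PUBLISHED], true)) {
        throw new InvalidArgumentException('Invalid scope');
    }
    // Constraint 2: publishing requires the admin-enabled lookup server upload.
    // Default 'no' is an assumption of this example, not the product default.
    $uploadEnabled = ($appConfig['files_sharing.lookupServerUploadEnabled'] ?? 'no') === 'yes';
    if ($scope === SCOPE_PUBLISHED && !$uploadEnabled) {
        throw new InvalidArgumentException('Invalid scope');
    }
}

// Constructed cases taken from the PR's test plan plus two that must pass.
$cases = [
    ['biography', SCOPE_FEDERATED, ['files_sharing.lookupServerUploadEnabled' => 'yes']],
    ['website',   SCOPE_PUBLISHED, ['files_sharing.lookupServerUploadEnabled' => 'no']],
    ['website',   SCOPE_PUBLISHED, ['files_sharing.lookupServerUploadEnabled' => 'yes']],
    ['biography', SCOPE_LOCAL,     []],
];
foreach ($cases as [$prop, $scope, $cfg]) {
    try {
        validatePropertyScope($prop, $scope, $cfg);
        echo "{$prop}Scope={$scope}: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "{$prop}Scope={$scope}: rejected (HTTP 400 {$e->getMessage()})\n";
    }
}
```

The first two cases are rejected and the last two accepted, matching the expectations listed in the test plan.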