Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent creation of secondary admin group #9527

Closed
wants to merge 1 commit into from
Closed

Prevent creation of secondary admin group #9527

wants to merge 1 commit into from

Conversation

skjnldsv
Copy link
Member

Fix #8010

@skjnldsv skjnldsv added this to the Nextcloud 14 milestone May 19, 2018
@skjnldsv skjnldsv self-assigned this May 19, 2018
@skjnldsv
Prevent creation of secondary admin group
f4670e7 
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
@skjnldsv skjnldsv force-pushed the prevent-admin-group-creation branch from 0deb977 to f4670e7 Compare May 19, 2018 08:45
@codecov
Copy link

codecov bot commented May 19, 2018
edited
Loading

Codecov Report

Merging #9527 into master will decrease coverage by <.01%.
The diff coverage is 100%.

@@             Coverage Diff              @@
##             master    #9527      +/-   ##
============================================
- Coverage      51.7%   51.69%   -0.01%     
- Complexity    25744    25747       +3     
============================================
  Files          1643     1643              
  Lines         96506    96510       +4     
  Branches       1393     1393              
============================================
- Hits          49894    49892       -2     
- Misses        46612    46618       +6
Impacted Files Coverage Δ Complexity Δ
lib/private/Group/Manager.php 88.11% <100%> (+0.16%) 63 <0> (+2) ⬆️
...ovisioning_api/lib/Controller/GroupsController.php 69.56% <100%> (+0.67%) 28 <0> (+1) ⬆️
lib/private/Files/Cache/Propagator.php 94.93% <0%> (-1.27%) 16% <0%> (ø)
core/js/js.js 65.41% <0%> (-0.56%) 0% <0%> (ø)

blizzz
blizzz reviewed May 19, 2018
View reviewed changes
apps/provisioning_api/lib/Controller/GroupsController.php
@@ -225,6 +225,10 @@ public function addGroup(string $groupid): DataResponse {
$this->logger->error('Group name not supplied', ['app' => 'provisioning_api']);
throw new OCSException('Invalid group name', 101);
}
// Check if trying to create an admin group
if (trim(strtolower($groupid)) === 'admin') {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

imho, if this scenario is not caught be the groupExists check in the next if-block, something is wrong with that check.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blizzz You're saying we sholdn't allow similar groups with lowercase differencies?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@skjnldsv iirc – but it may depend on the backend – userids are already case insensitive when it comes to the exists check. perhaps it is just the local one with a different reason, but we should strive for some consistency. also, if possible, i prefer to avoid hard coded names.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably extend this to the global check!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blizzz user backend yes... group backend. nope (yay)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@skjnldsv @rullzer how is it than an issue currently when we have case sensitive group names? as long as the new group is not exactly "admin" it should not have any effect?

We could make this insensitive in 14, however it can conflict when there are already installations with group ids in mixed cases. Keeping backwards compatibility is possible, but we'd never get rid of this extra annoying overhead.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add this then and not backport it?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how/what exactly?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I canceled it. The new vue users list handle the group properly. There is no need for additional patch! :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@skjnldsv skjnldsv added 2. developing Work in progress and removed 3. to review Waiting for reviews labels May 19, 2018
@skjnldsv skjnldsv closed this May 22, 2018
@skjnldsv skjnldsv deleted the prevent-admin-group-creation branch May 22, 2018 07:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blizzz blizzz blizzz left review comments

@rullzer rullzer Awaiting requested review from rullzer

@MorrisJobke MorrisJobke Awaiting requested review from MorrisJobke

@juliusknorr juliusknorr Awaiting requested review from juliusknorr

Assignees

@skjnldsv skjnldsv

Labels
2. developing Work in progress bug feature: users and groups security
Projects
None yet
Milestone
Nextcloud 14
Development

Successfully merging this pull request may close these issues.
4 participants
@skjnldsv @rullzer @blizzz @MorrisJobke