[stable23] bypass/limit permissions

lib/Command/CirclesConfig.php

@@ -172,6 +172,14 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 
 		if (strtolower($input->getOption('output')) === 'json') {
 			$output->writeln(json_encode($outcome, JSON_PRETTY_PRINT));
+		} elseif (strtolower($input->getOption('output')) !== 'none') {
+			$circle = $this->circleService->getCircle($circleId);
+			$output->writeln(
+				json_encode(
+					Circle::getCircleFlags($circle, Circle::FLAGS_LONG),
+					JSON_PRETTY_PRINT
+				)
+			);
 		}
 
 		return 0;

lib/Controller/LocalController.php

@@ -31,8 +31,6 @@
 
 namespace OCA\Circles\Controller;
 
-use OCA\Circles\Tools\Traits\TDeserialize;
-use OCA\Circles\Tools\Traits\TNCLogger;
 use Exception;
 use OCA\Circles\Exceptions\FederatedUserException;
 use OCA\Circles\Exceptions\FederatedUserNotFoundException;
@@ -49,7 +47,10 @@
 use OCA\Circles\Service\FederatedUserService;
 use OCA\Circles\Service\MemberService;
 use OCA\Circles\Service\MembershipService;
+use OCA\Circles\Service\PermissionService;
 use OCA\Circles\Service\SearchService;
+use OCA\Circles\Tools\Traits\TDeserialize;
+use OCA\Circles\Tools\Traits\TNCLogger;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCS\OCSException;
 use OCP\AppFramework\OCSController;
@@ -81,6 +82,9 @@ class LocalController extends OcsController {
 	/** @var MembershipService */
 	private $membershipService;
 
+	/** @var PermissionService */
+	private $permissionService;
+
 	/** @var SearchService */
 	private $searchService;
 
@@ -109,6 +113,7 @@ public function __construct(
 		CircleService $circleService,
 		MemberService $memberService,
 		MembershipService $membershipService,
+		PermissionService $permissionService,
 		SearchService $searchService,
 		ConfigService $configService
 	) {
@@ -119,6 +124,7 @@ public function __construct(
 		$this->circleService = $circleService;
 		$this->memberService = $memberService;
 		$this->membershipService = $membershipService;
+		$this->permissionService = $permissionService;
 		$this->searchService = $searchService;
 		$this->configService = $configService;
 
@@ -139,6 +145,7 @@ public function __construct(
 	public function create(string $name, bool $personal = false, bool $local = false): DataResponse {
 		try {
 			$this->setCurrentFederatedUser();
+			$this->permissionService->confirmCircleCreation();
 
 			$circle = $this->circleService->create($name, null, $personal, $local);
 
@@ -572,14 +579,15 @@ public function link(string $circleId, string $singleId): DataResponse {
 
 
 	/**
+	 * @return void
+	 * @throws FederatedUserException
 	 * @throws FederatedUserNotFoundException
+	 * @throws FrontendException
 	 * @throws InvalidIdException
-	 * @throws FederatedUserException
-	 * @throws SingleCircleNotFoundException
 	 * @throws RequestBuilderException
-	 * @throws FrontendException
+	 * @throws SingleCircleNotFoundException
 	 */
-	private function setCurrentFederatedUser() {
+	private function setCurrentFederatedUser(): void {
 		if (!$this->configService->getAppValueBool(ConfigService::FRONTEND_ENABLED)) {
 			throw new FrontendException('frontend disabled');
 		}

lib/Exceptions/InsufficientPermissionException.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+
+/**
+ * Circles - Bring cloud-users closer together.
+ *
+ * This file is licensed under the Affero General Public License version 3 or
+ * later. See the COPYING file.
+ *
+ * @author Maxence Lange <maxence@artificial-owl.com>
+ * @copyright 2021
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+namespace OCA\Circles\Exceptions;
+
+class InsufficientPermissionException extends FederatedItemForbiddenException {
+}

lib/FederatedItems/CircleConfig.php

@@ -34,12 +34,14 @@
 use OCA\Circles\Db\CircleRequest;
 use OCA\Circles\Exceptions\FederatedItemBadRequestException;
 use OCA\Circles\Exceptions\FederatedItemException;
+use OCA\Circles\Exceptions\RequestBuilderException;
 use OCA\Circles\IFederatedItem;
 use OCA\Circles\IFederatedItemAsyncProcess;
 use OCA\Circles\Model\Circle;
 use OCA\Circles\Model\Federated\FederatedEvent;
 use OCA\Circles\Model\Helpers\MemberHelper;
 use OCA\Circles\Service\ConfigService;
+use OCA\Circles\Service\PermissionService;
 use OCA\Circles\Tools\Traits\TDeserialize;
 
 /**
@@ -56,6 +58,9 @@ class CircleConfig implements
 	/** @var CircleRequest */
 	private $circleRequest;
 
+	/** @var PermissionService */
+	private $permissionService;
+
 	/** @var ConfigService */
 	private $configService;
 
@@ -64,10 +69,16 @@ class CircleConfig implements
 	 * CircleConfig constructor.
 	 *
 	 * @param CircleRequest $circleRequest
+	 * @param PermissionService $permissionService
 	 * @param ConfigService $configService
 	 */
-	public function __construct(CircleRequest $circleRequest, ConfigService $configService) {
+	public function __construct(
+		CircleRequest $circleRequest,
+		PermissionService $permissionService,
+		ConfigService $configService
+	) {
 		$this->circleRequest = $circleRequest;
+		$this->permissionService = $permissionService;
 		$this->configService = $configService;
 	}
 
@@ -76,6 +87,7 @@ public function __construct(CircleRequest $circleRequest, ConfigService $configS
 	 * @param FederatedEvent $event
 	 *
 	 * @throws FederatedItemException
+	 * @throws RequestBuilderException
 	 */
 	public function verify(FederatedEvent $event): void {
 		$circle = $event->getCircle();
@@ -150,7 +162,7 @@ public function verify(FederatedEvent $event): void {
 
 		$new = clone $circle;
 		$new->setConfig($config);
-		$this->configService->confirmAllowedCircleTypes($new);
+		$this->permissionService->confirmAllowedCircleTypes($new, $circle);
 
 		$event->getData()->sInt('config', $new->getConfig());
 

lib/Model/Member.php

@@ -738,8 +738,10 @@ public function getMemberships(): array {
 	 * @throws RequestBuilderException
 	 */
 	public function getLink(string $singleId, bool $detailed = false): Membership {
-		$this->getManager()->getLink($this, $singleId, $detailed);
-
+		if ($singleId !== '') {
+			$this->getManager()->getLink($this, $singleId, $detailed);
+		}
+
 		throw new MembershipNotFoundException();
 	}
 

lib/Service/CircleService.php

@@ -101,6 +101,9 @@ class CircleService {
 	/** @var MemberService */
 	private $memberService;
 
+	/** @var PermissionService */
+	private $permissionService;
+
 	/** @var ConfigService */
 	private $configService;
 
@@ -114,6 +117,7 @@ class CircleService {
 	 * @param FederatedUserService $federatedUserService
 	 * @param FederatedEventService $federatedEventService
 	 * @param MemberService $memberService
+	 * @param PermissionService $permissionService
 	 * @param ConfigService $configService
 	 */
 	public function __construct(
@@ -125,6 +129,7 @@ public function __construct(
 		FederatedUserService $federatedUserService,
 		FederatedEventService $federatedEventService,
 		MemberService $memberService,
+		PermissionService $permissionService,
 		ConfigService $configService
 	) {
 		$this->l10n = $l10n;
@@ -135,6 +140,7 @@ public function __construct(
 		$this->federatedUserService = $federatedUserService;
 		$this->federatedEventService = $federatedEventService;
 		$this->memberService = $memberService;
+		$this->permissionService = $permissionService;
 		$this->configService = $configService;
 
 		$this->setup('app', Application::APP_ID);
@@ -197,7 +203,7 @@ public function create(
 		}
 
 		$this->confirmName($circle);
-		$this->configService->confirmAllowedCircleTypes($circle);
+		$this->permissionService->confirmAllowedCircleTypes($circle);
 
 		$member = new Member();
 		$member->importFromIFederatedUser($owner);

lib/Service/ConfigService.php

@@ -106,6 +106,10 @@ class ConfigService {
 	public const ALLOWED_TYPES = 'allowed_types';
 	public const CIRCLE_TYPES_FORCE = 'circle_types_force';
 	public const CIRCLE_TYPES_BLOCK = 'circle_types_block';
+
+	public const BYPASS_CIRCLE_TYPES = 'bypass_circle_types';
+	public const LIMIT_CIRCLE_CREATION = 'limit_circle_creation';
+
 	public const MIGRATION_BYPASS = 'migration_bypass';
 	public const MIGRATION_22 = 'migration_22';
 	public const MIGRATION_22_1 = 'migration_22_1';
@@ -183,6 +187,9 @@ class ConfigService {
 		self::CIRCLE_TYPES_FORCE => '0',
 		self::CIRCLE_TYPES_BLOCK => '0',
 
+		self::BYPASS_CIRCLE_TYPES => '',
+		self::LIMIT_CIRCLE_CREATION => '',
+
 		self::MIGRATION_BYPASS => '0',
 		self::MIGRATION_22 => '0',
 		self::MIGRATION_22_1 => '0',