feat(user-management): add “Add existing account” dialog and provisio… #53114
Conversation
cushdog
requested review from
ArtificialOwl,
skjnldsv,
susnux and
artonge
and removed request for
a team
| @@ -25,31 +25,32 @@ | |||
| ['root' => '/cloud', 'name' => 'Groups#deleteGroup', 'url' => '/groups/{groupId}', 'verb' => 'DELETE', 'requirements' => ['groupId' => '.+']], | |||
|
|
|||
| // Users | |||
| ['root' => '/cloud', 'name' => 'Users#getUsers', 'url' => '/users', 'verb' => 'GET'], | |||
There was a problem hiding this comment.
Can you run composer run cs:fix locally?
There was a problem hiding this comment.
Hmpf the reformating is still there
AndyScherzinger
added
3. to review
| * 200: Users returned | ||
| */ | ||
| #[NoAdminRequired] | ||
| public function searchAllUsers(string $search = '', ?int $limit = null, int $offset = 0): DataResponse { |
There was a problem hiding this comment.
Is this not exactly what getUsers does? It also has a search param
There was a problem hiding this comment.
Yeah there is no need for a new endpoint, the frontend should use the existing ones unless there’s a really good reason.
I think getUsersDetails is the one to use as displaynames are needed, I suppose this is what the rest of the frontend uses (I did not check).
There was a problem hiding this comment.
Sorry about this! Changed this and did a much simpler version of what I had before, let me know what you think now!
| </template> | ||
|
|
||
| <script> | ||
| import { translate as t } from '@nextcloud/l10n' |
There was a problem hiding this comment.
| import { translate as t } from '@nextcloud/l10n' | |
| import { t } from '@nextcloud/l10n' |
| </NcDialog> | ||
| </template> | ||
|
|
||
| <script> |
There was a problem hiding this comment.
I would prefer new files to be Typescript.
| <script> | |
| <script lang="ts"> |
(and then use defineComponent below)
| <template #icon> | ||
| <NcIconSvgWrapper :path="mdiCog" /> | ||
| </template> | ||
| {{ t('settings', 'Account management settings') }} | ||
| {{ t("settings", "Account management settings") }} |
There was a problem hiding this comment.
please use npm run lint:fix locally. This contains a lot of fixable issues like usage of semicolon or double quotes.
cushdog
force-pushed
the
feat/11334-account-endpoint
branch
from
4e16a51 to
66091a4
Compare
|
Note: just wanted to quickly apologize for the change in commit history, ran into a bit of git trouble that I was able to work out with a force commit! |
| @@ -116,7 +116,7 @@ public function getUsers(string $search = '', ?int $limit = null, int $offset = | |||
| $subAdminManager = $this->groupManager->getSubAdmin(); | |||
| $isAdmin = $this->groupManager->isAdmin($uid); | |||
| $isDelegatedAdmin = $this->groupManager->isDelegatedAdmin($uid); | |||
| if ($isAdmin || $isDelegatedAdmin) { | |||
| if ($isAdmin || $isDelegatedAdmin || $subAdminManager->isSubAdmin($user)) { | |||
There was a problem hiding this comment.
This allows group admins to see all users.
@sorbaugh What is the design decision on this? It will be enabled by default? It is a big change.
The linked issue talks about limiting to displayname and a few things, which is not done here, but not sure it would be enough. We might want to safe guard behind an opt-in config flag, at least for upgrades.
There was a problem hiding this comment.
User iteration is not in our threat model, thus not a problem.
What is a problem is that more information as uid and displayname might be available.
Then again this is not a problem, because if we accept this feature, then every group admin can assign users to their group gaining full admin access over them.
So this means a group admin then has the same permissions on user management as admins, as there are not restrictions anymore (they can just add a user to their group and then adjust the user as they like).
For this its good to have approval of @nickvergessen for security point of view.
There was a problem hiding this comment.
So, the API already allows some extend of it.
Using http requests I as able, as a group admin, to add some users to my groups.
I am not sure why we need to change the API 🤔
There was a problem hiding this comment.
We need to change the API so that group admins can list all users, to be able to chose which ones they want to add to their groups
There was a problem hiding this comment.
Is the consensus that I would need to change the API then? I couldn't see any way to go about listing all users without adding in some new endpoint that only group-admins could access, which is why my original commit included a change to the API routes.
There was a problem hiding this comment.
We need to change the API so that group admins can list all users, to be able to chose which ones they want to add to their group
Right, so only the listing API needs a change. Other than that it should be working already.
There was a problem hiding this comment.
My thoughts exactly, I'll revert back to the API-change approach I committed originally!
.htaccess
Outdated
| #### DO NOT CHANGE ANYTHING ABOVE THIS LINE #### | ||
|
|
||
| ErrorDocument 403 /index.php/error/403 | ||
| ErrorDocument 404 /index.php/error/404 |
| ['root' => '/cloud', 'name' => 'Users#getUsers', 'url' => '/users', 'verb' => 'GET'], | ||
| ['root' => '/cloud', 'name' => 'Users#getUsersDetails', 'url' => '/users/details', 'verb' => 'GET'], | ||
| ['root' => '/cloud', 'name' => 'Users#getDisabledUsersDetails', 'url' => '/users/disabled', 'verb' => 'GET'], |
There was a problem hiding this comment.
Please reset this file space changes and only commit it if there are real changes.
apps/settings/l10n/cs.json
Outdated
| @@ -313,7 +313,6 @@ | |||
| "Architecture" : "Architektura", | |||
| "64-bit" : "64bit", | |||
| "It seems like you are running a 32-bit PHP version. Nextcloud needs 64-bit to run well. Please upgrade your OS and PHP to 64-bit!" : "Zdá se, že provozujete 32bitovou verzi PHP. Aby správně fungoval, potřebuje Nextcloud 64bit. Přejděte na 64bit instalaci operačního systému a PHP!", | |||
| "Task Processing pickup speed" : "Rychlost vyzvedávání zpracovávání úkolů", | |||
There was a problem hiding this comment.
All these l10n diff seems unrelated, or did I miss something?
There was a problem hiding this comment.
I never actually added these to my changes but they were committed anyways for some reason, I'll see if I can't fix this.
openapi.json
Outdated
| @@ -25242,6 +25242,104 @@ | |||
| } | |||
| } | |||
| }, | |||
| "/ocs/v2.php/cloud/users/search": { | |||
There was a problem hiding this comment.
openapi.json should be regenerated now that the new route is gone.
cushdog
requested review from
ChristophWurst,
miaulalala,
st3iny,
hamza221,
SebastianKrupinski and
tcitworld
as code owners
|
Apologies, working right now on unstaging the huge amount of extra files that got added in for some reason |
cushdog
force-pushed
the
feat/11334-account-endpoint
branch
4 times, most recently
from
c26dd3b to
64731fe
Compare
cushdog
force-pushed
the
feat/11334-account-endpoint
branch
from
64731fe to
1f8e6c6
Compare
Ok I think I figured this out, apologies I had to do quite a few |
Summary
This PR adds two related features:
Frontend
AddExistingUserDialog.vue) that lets group-admins search for existing users and assign them to the currently selected group.showAddExistingUserForm) persisted alongside the “New account” form flag to open/close the dialog.Backend
userId => displayNamefor all Nextcloud users matching the search string.Screenshots
TODO
AddExistingUserDialog.vue(rendering, search behavior, submit).UsersController::searchAllUsers()(success and 403 cases)./users/searchendpoint./users/search.Checklist
Note
I just wanted to quickly note that I didn't update the documentation yet, since I wasn't sure if that should only be updated after this pull-request is potentially accepted!