Core: Subadmin can create newgroup using userprovisioning API
Steps to reproduce
- Create a user
subadminand make him subadmin of a groupnew-group perform
curl http://subadmin:[email protected]/ocs/v1.php/cloud/groups -d groupid="newgroup"and see there is status code is
100in API-v1 and200in API-v2- and see there is new group
newgroup
Expected behaviour
Subadmin should not be able to create new group
Actual behaviour
Subadmin can create new group
Server configuration
Operating system: 17.10
Web server: Apache
Database: MySQL
PHP version: 7.1
ownCloud version: (see ownCloud admin page) 10.1.0
Where did you install ownCloud from: git
Log in terminal
When I ran
curl http://subadmin:123456@localhost:80/core/ocs/v1.php/cloud/groups -d groupid="newgroup"
I got
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>100</statuscode>
<message/>
</meta>
<data/>
</ocs>
paurakhsharma
All 10 comments
GitMate.io thinks the contributor most likely able to help you is @phil-davis.
Possibly related issues are https://github.com/owncloud/core/pull/31263 (API test to test userprovisioning API-v2), https://github.com/owncloud/core/issues/29698 (a group called "0" cannot be created by provisioning API), https://github.com/owncloud/core/issues/31276 (Unusual response(997) from userprovisioning api-v2 ), https://github.com/owncloud/core/pull/29712 (Allow group 0 to be created by provisioning API), and https://github.com/owncloud/core/issues/4885 (Create a version for each public api class).
ownclouders
on 26 Apr 2018
We were a bit surprised about this. But I suppose that it just allows sub-admins to create group names without needing to bother the all-powerful admin.
Is there a requirements spec somewhere for what sub-admins should and should not be able to do?
Then we will know if the behavior is by design, or unintended.
phil-davis
on 26 Apr 2018
Does the subadmin have the option of creating groups in the web UI ? This is unlikely.
I don't think this is by design...
PVince81
on 22 May 2018
In the webUI a subadmin does not see the add group box. So cannot add groups.
Note: we have not yet tested the "private" API that the webUI uses to do all this sort of user/group provisioning stuff. So it is possible that that "private" API behaves in some interesting ways. But that is hidden from the everyday webUI user, unless they hack around changing the AJAX/POST etc stuff that happens from their browser. When we get the provisioning API behavior sorted, then we should test equivalent actions attempted via the "private" API.
phil-davis
on 22 May 2018
馃槧 - I hope with phoenix we can finally get rid of "public" vs "private" api - and only have api so there can't be any difference
patrickjahns
on 22 May 2018
Agree - and the term "private API" is a misnomer. It is open-source code, so hardly "private". Anyone can read the code and then try interesting ways to make use of it.
phil-davis
on 22 May 2018
I was more interested in having a unified codepath to be used by frontend and other parts
patrickjahns
on 22 May 2018
@PVince81 Estimate : 1md.
sharidas
on 11 Jun 2018
Closing this issue as the changes got merged
- in master -> https://github.com/owncloud/core/pull/31713
- stable10 -> https://github.com/owncloud/core/pull/31738
sharidas
on 12 Jun 2018
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
![lock[bot] picture](https://avatars.githubusercontent.com/in/6672?v=4&s=40)
lock[bot]
on 30 Jul 2019
Related issues
fridaynext
路
5Comments
dpeger
路
3Comments
individual-it
路
3Comments
patrickjahns
路
4Comments
michaelstingl
路
3Comments
Most helpful comment
馃槧 - I hope with phoenix we can finally get rid of "public" vs "private" api - and only have api so there can't be any difference