Add allow_adding_any_group_members option to allow or not adding gr…

…oup members from any users

Default to `1`.

When value is set to `0` it's only possible to add groups where the
current user is a member or for global administrators.

Fix nextcloud#128

Signed-off-by: Tortue Torche <tortuetorche@users.noreply.github.com>

lib/Search/LocalGroups.php

@@ -26,26 +26,48 @@
 
 namespace OCA\Circles\Search;
 
+use OC;
 use OCA\Circles\ISearch;
 use OCA\Circles\Model\Member;
 use OCA\Circles\Model\SearchResult;
+use OCP\IUser;
+use OCA\Circles\Service\ConfigService;
 
 class LocalGroups implements ISearch {
 
+	/** @var ConfigService */
+	private $configService;
+
+	/**
+	 * @param ConfigService $configService
+	 */
+	public function __construct(ConfigService $configService)
+	{
+		$this->configService = $configService;
+	}
+
 	/**
 	 * {@inheritdoc}
 	 */
 	public function search($search) {
 
 		$result = [];
-		$groupManager = \OC::$server->getGroupManager();
+		$groupManager = OC::$server->getGroupManager();
 
 		$groups = $groupManager->search($search);
+		$user = OC::$server->getUserSession()->getUser();
 		foreach ($groups as $group) {
-			$result[] = new SearchResult($group->getGID(), Member::TYPE_GROUP);
+			if ($this->configService->isAddingAnyGroupMembersAllowed() ||
+				(
+					$user instanceof IUser &&
+					($group->inGroup($user) || $groupManager->isAdmin($user->getUID()))
+				)
+			) {
+				$result[] = new SearchResult($group->getGID(), Member::TYPE_GROUP);
+			}
 		}
 
 		return $result;
 	}
 
-}
+}

lib/Service/ConfigService.php

@@ -41,6 +41,7 @@ class ConfigService {
 	const CIRCLES_ALLOW_FEDERATED_CIRCLES = 'allow_federated';
 	const CIRCLES_MEMBERS_LIMIT = 'members_limit';
 	const CIRCLES_ACCOUNTS_ONLY = 'accounts_only';
+	const CIRCLES_ALLOW_ANY_GROUP_MEMBERS = 'allow_adding_any_group_members';
 	const CIRCLES_ALLOW_LINKED_GROUPS = 'allow_linked_groups';
 	const CIRCLES_ALLOW_NON_SSL_LINKS = 'allow_non_ssl_links';
 	const CIRCLES_NON_SSL_LOCAL = 'local_is_non_ssl';
@@ -66,6 +67,7 @@ class ConfigService {
 		self::CIRCLES_NON_SSL_LOCAL           => '0',
 		self::CIRCLES_ACTIVITY_ON_CREATION    => '1',
 		self::CIRCLES_SKIP_INVITATION_STEP    => '0'
+		self::CIRCLES_ALLOW_ANY_GROUP_MEMBERS    => '1',
 	];
 
 	/** @var string */
@@ -86,6 +88,9 @@ class ConfigService {
 	/** @var int */
 	private $allowedCircle = -1;
 
+	/** @var int */
+	private $allowAddingAnyGroupMembers = -1;
+
 	/** @var int */
 	private $allowedLinkedGroups = -1;
 
@@ -139,6 +144,20 @@ public function isCircleAllowed($type) {
 		return ((int)$type & (int)$this->allowedCircle);
 	}
 
+	/**
+	 * returns if the current user is allowed to add any group members.
+	 * even if he isn't a member of these groups
+	 *
+	 * @return bool
+	 */
+	public function isAddingAnyGroupMembersAllowed() {
+		if ($this->allowAddingAnyGroupMembers === -1) {
+			$this->allowAddingAnyGroupMembers =
+				(int)$this->getAppValue(self::CIRCLES_ALLOW_ANY_GROUP_MEMBERS);
+		}
+
+		return ($this->allowAddingAnyGroupMembers === 1);
+	}
 
 	/**
 	 * @return bool

lib/Service/MembersService.php

@@ -48,7 +48,9 @@
 use OCA\Circles\Exceptions\ModeratorIsNotHighEnoughException;
 use OCA\Circles\Model\Circle;
 use OCA\Circles\Model\Member;
+use OCP\IGroup;
 use OCP\IL10N;
+use OCP\IUser;
 use OCP\IUserManager;
 
 
@@ -387,8 +389,18 @@ private function verifyIdentContact(&$ident, $type) {
 	 */
 	private function addGroupMembers(Circle $circle, $groupId) {
 
-		$group = OC::$server->getGroupManager()
-							->get($groupId);
+		$groupManager = OC::$server->getGroupManager();
+		$group = $groupManager->get($groupId);
+
+		$user = OC::$server->getUserSession()->getUser();
+
+		if (!$this->configService->isAddingAnyGroupMembersAllowed() &&
+			$group instanceof IGroup && $user instanceof IUser &&
+			!$group->inGroup($user) && !$groupManager->isAdmin($user->getUID())
+		) {
+			$group = null;
+		}
+
 		if ($group === null) {
 			throw new GroupDoesNotExistException($this->l10n->t('This group does not exist'));
 		}