fix(policy): propagate actor capabilities in context factory

vitormattos · vitormattos · commit 392367ff1ef1 · 2026-04-11T17:29:12.000-03:00
Signed-off-by: Vitor Mattos &lt;1079143+vitormattos@users.noreply.github.com&gt;
diff --git a/lib/Service/Policy/Runtime/PolicyContextFactory.php b/lib/Service/Policy/Runtime/PolicyContextFactory.php
@@ -9,6 +9,7 @@
 namespace OCA\Libresign\Service\Policy\Runtime;
 
 use OCA\Libresign\Service\Policy\Model\PolicyContext;
+use OCP\Group\ISubAdmin;
 use OCP\IGroupManager;
 use OCP\IUser;
 use OCP\IUserManager;
@@ -18,13 +19,15 @@ final class PolicyContextFactory {
 	public function __construct(
 		private IUserManager $userManager,
 		private IGroupManager $groupManager,
+		private ISubAdmin $subAdmin,
 		private IUserSession $userSession,
 	) {
 	}
 
 	/** @param array<string, mixed> $requestOverrides */
 	public function forCurrentUser(array $requestOverrides = [], ?array $activeContext = null): PolicyContext {
-		return $this->forUser($this->userSession->getUser(), $requestOverrides, $activeContext);
+		$user = $this->userSession->getUser();
+		return $this->build($user?->getUID(), $user, $requestOverrides, $activeContext, $user);
 	}
 
 	public function isCurrentActorSystemAdmin(): bool {
@@ -38,7 +41,7 @@ public function isCurrentActorSystemAdmin(): bool {
 
 	/** @param array<string, mixed> $requestOverrides */
 	public function forUser(?IUser $user, array $requestOverrides = [], ?array $activeContext = null): PolicyContext {
-		return $this->build($user?->getUID(), $user, $requestOverrides, $activeContext);
+		return $this->build($user?->getUID(), $user, $requestOverrides, $activeContext, $this->userSession->getUser());
 	}
 
 	/** @param array<string, mixed> $requestOverrides */
@@ -51,14 +54,15 @@ public function forUserId(?string $userId, array $requestOverrides = [], ?array
 			}
 		}
 
-		return $this->build($userId, $user, $requestOverrides, $activeContext);
+		return $this->build($userId, $user, $requestOverrides, $activeContext, $this->userSession->getUser());
 	}
 
 	/** @param array<string, mixed> $requestOverrides */
-	private function build(?string $userId, ?IUser $user, array $requestOverrides = [], ?array $activeContext = null): PolicyContext {
+	private function build(?string $userId, ?IUser $user, array $requestOverrides = [], ?array $activeContext = null, ?IUser $currentActor = null): PolicyContext {
 		$context = (new PolicyContext())
 			->setRequestOverrides($requestOverrides)
-			->setActiveContext($activeContext);
+			->setActiveContext($activeContext)
+			->setActorCapabilities($this->resolveActorCapabilities($currentActor));
 
 		if ($userId !== null && $userId !== '') {
 			$context->setUserId($userId);
@@ -69,4 +73,22 @@ private function build(?string $userId, ?IUser $user, array $requestOverrides =
 
 		return $context;
 	}
+
+	/** @return array<string, bool> */
+	private function resolveActorCapabilities(?IUser $currentActor): array {
+		if (!$currentActor instanceof IUser) {
+			return [
+				'canManageSystemPolicies' => false,
+				'canManageGroupPolicies' => false,
+			];
+		}
+
+		$userId = $currentActor->getUID();
+		$canManageSystemPolicies = $this->groupManager->isAdmin($userId) === true;
+
+		return [
+			'canManageSystemPolicies' => $canManageSystemPolicies,
+			'canManageGroupPolicies' => $canManageSystemPolicies || $this->subAdmin->isSubAdmin($currentActor) === true,
+		];
+	}
 }
