fix(controller): guard target user policy endpoints

vitormattos · vitormattos · commit 6a3c483285ca · 2026-04-11T17:29:32.000-03:00
Signed-off-by: Vitor Mattos &lt;1079143+vitormattos@users.noreply.github.com&gt;
diff --git a/lib/Controller/PolicyController.php b/lib/Controller/PolicyController.php
@@ -141,12 +141,17 @@ public function getGroup(string $groupId, string $policyKey): DataResponse {
 	 *
 	 * @param string $userId Target user identifier that receives the policy preference.
 	 * @param string $policyKey Policy identifier to read for the selected user.
-	 * @return DataResponse<Http::STATUS_OK, LibresignUserPolicyResponse, array{}>
+	 * @return DataResponse<Http::STATUS_OK, LibresignUserPolicyResponse, array{}>|DataResponse<Http::STATUS_FORBIDDEN, LibresignErrorResponse, array{}>
 	 *
 	 * 200: OK
+	 * 403: Forbidden
 	 */
 	#[ApiRoute(verb: 'GET', url: '/api/{apiVersion}/policies/user/{userId}/{policyKey}', requirements: ['apiVersion' => '(v1)', 'userId' => '[^/]+', 'policyKey' => '[a-z0-9_]+'])]
 	public function getUserPolicyForUser(string $userId, string $policyKey): DataResponse {
+		if (!$this->canManageUserPolicy($userId)) {
+			return $this->forbiddenUserPolicyResponse();
+		}
+
 		$policy = $this->policyService->getUserPreferenceForUserId($policyKey, $userId);
 
 		/** @var LibresignUserPolicyResponse $data */
@@ -317,13 +322,18 @@ public function setUserPreference(string $policyKey, null|bool|int|float|string
 	 * @param string $userId Target user identifier that receives the policy preference.
 	 * @param string $policyKey Policy identifier to persist for the target user.
 	 * @param null|bool|int|float|string $value Policy value to persist as target user preference.
-	 * @return DataResponse<Http::STATUS_OK, LibresignUserPolicyWriteResponse, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, LibresignErrorResponse, array{}>
+	 * @return DataResponse<Http::STATUS_OK, LibresignUserPolicyWriteResponse, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, LibresignErrorResponse, array{}>|DataResponse<Http::STATUS_FORBIDDEN, LibresignErrorResponse, array{}>
 	 *
 	 * 200: OK
 	 * 400: Invalid policy value
+	 * 403: Forbidden
 	 */
 	#[ApiRoute(verb: 'PUT', url: '/api/{apiVersion}/policies/user/{userId}/{policyKey}', requirements: ['apiVersion' => '(v1)', 'userId' => '[^/]+', 'policyKey' => '[a-z0-9_]+'])]
 	public function setUserPolicyForUser(string $userId, string $policyKey, null|bool|int|float|string $value = null): DataResponse {
+		if (!$this->canManageUserPolicy($userId)) {
+			return $this->forbiddenUserPolicyResponse();
+		}
+
 		$value = $this->readScalarParam('value', $value);
 
 		try {
@@ -371,12 +381,17 @@ public function clearUserPreference(string $policyKey): DataResponse {
 	 *
 	 * @param string $userId Target user identifier that receives the policy preference removal.
 	 * @param string $policyKey Policy identifier to clear for the target user.
-	 * @return DataResponse<Http::STATUS_OK, LibresignUserPolicyWriteResponse, array{}>
+	 * @return DataResponse<Http::STATUS_OK, LibresignUserPolicyWriteResponse, array{}>|DataResponse<Http::STATUS_FORBIDDEN, LibresignErrorResponse, array{}>
 	 *
 	 * 200: OK
+	 * 403: Forbidden
 	 */
 	#[ApiRoute(verb: 'DELETE', url: '/api/{apiVersion}/policies/user/{userId}/{policyKey}', requirements: ['apiVersion' => '(v1)', 'userId' => '[^/]+', 'policyKey' => '[a-z0-9_]+'])]
 	public function clearUserPolicyForUser(string $userId, string $policyKey): DataResponse {
+		if (!$this->canManageUserPolicy($userId)) {
+			return $this->forbiddenUserPolicyResponse();
+		}
+
 		$policy = $this->policyService->clearUserPreferenceForUserId($policyKey, $userId);
 		/** @var LibresignUserPolicyWriteResponse $data */
 		$data = [
@@ -428,6 +443,37 @@ private function canManageGroupPolicy(string $groupId): bool {
 		return $this->subAdmin->isSubAdminOfGroup($user, $group);
 	}
 
+	private function canManageUserPolicy(string $userId): bool {
+		$user = $this->userSession->getUser();
+		if ($user === null) {
+			return false;
+		}
+
+		if ($this->groupManager->isAdmin($user->getUID())) {
+			return true;
+		}
+
+		if (!$this->subAdmin->isSubAdmin($user)) {
+			return false;
+		}
+
+		$targetUser = $this->userManager->get($userId);
+		if (!$targetUser instanceof IUser) {
+			return false;
+		}
+
+		$managedGroupIds = array_values(array_map(
+			static fn ($group): string => $group->getGID(),
+			$this->subAdmin->getSubAdminsGroups($user),
+		));
+		if ($managedGroupIds === []) {
+			return false;
+		}
+
+		$targetGroupIds = $this->groupManager->getUserGroupIds($targetUser);
+		return array_intersect($managedGroupIds, $targetGroupIds) !== [];
+	}
+
 	/**
 	 * @return array<string, array{groupCount: int, userCount: int}>
 	 */
@@ -483,4 +529,14 @@ private function forbiddenGroupPolicyResponse(): DataResponse {
 
 		return new DataResponse($data, Http::STATUS_FORBIDDEN);
 	}
+
+	/** @return DataResponse<Http::STATUS_FORBIDDEN, LibresignErrorResponse, array{}> */
+	private function forbiddenUserPolicyResponse(): DataResponse {
+		/** @var LibresignErrorResponse $data */
+		$data = [
+			'error' => $this->l10n->t('Not allowed to manage this user policy'),
+		];
+
+		return new DataResponse($data, Http::STATUS_FORBIDDEN);
+	}
 }
