Merge pull request #1199 from nextcloud/enh/restrict_creation

Restrict Form Creation & Sharing Settings

appinfo/info.xml

@@ -57,6 +57,11 @@
 		</navigation>
 	</navigations>
 
+	<settings>
+		<admin>OCA\Forms\Settings\Settings</admin>
+		<admin-section>OCA\Forms\Settings\SettingsSection</admin-section>
+	</settings>
+
 	<activity>
 		<filters>
 			<filter>OCA\Forms\Activity\Filter</filter>

appinfo/routes.php

@@ -25,13 +25,25 @@
 
 return [
 	'routes' => [
+		// Internal AppConfig routes
+		[
+			'name' => 'config#getAppConfig',
+			'url' => '/config',
+			'verb' => 'GET'
+		],
+		[
+			'name' => 'config#updateAppConfig',
+			'url' => '/config/update',
+			'verb' => 'POST'
+		],
+
 		// Public Share Link
 		[
 			'name' => 'page#public_link_view',
 			'url' => '/s/{hash}',
 			'verb' => 'GET'
-
 		],
+
 		// Internal views
 		[
 			'name' => 'page#views',
@@ -51,6 +63,7 @@
 			'verb' => 'GET'
 		],
 	],
+
 	'ocs' => [
 
 		// Forms

lib/Constants.php

@@ -26,6 +26,20 @@
 use OCP\Share\IShare;
 
 class Constants {
+	/**
+	 * Used AppConfig Keys
+	 */
+	public const CONFIG_KEY_ALLOWPERMITALL = 'allowPermitAll';
+	public const CONFIG_KEY_ALLOWPUBLICLINK = 'allowPublicLink';
+	public const CONFIG_KEY_CREATIONALLOWEDGROUPS = 'creationAllowedGroups';
+	public const CONFIG_KEY_RESTRICTCREATION = 'restrictCreation';
+	public const CONFIG_KEYS = [
+		self::CONFIG_KEY_ALLOWPERMITALL,
+		self::CONFIG_KEY_ALLOWPUBLICLINK,
+		self::CONFIG_KEY_CREATIONALLOWEDGROUPS,
+		self::CONFIG_KEY_RESTRICTCREATION
+	];
+
 	/**
 	 * Maximum String lengths, the database is set to store.
 	 */

lib/Controller/ApiController.php

@@ -40,6 +40,7 @@
 use OCA\Forms\Db\ShareMapper;
 use OCA\Forms\Db\Submission;
 use OCA\Forms\Db\SubmissionMapper;
+use OCA\Forms\Service\ConfigService;
 use OCA\Forms\Service\FormsService;
 use OCA\Forms\Service\SubmissionService;
 
@@ -84,6 +85,9 @@ class ApiController extends OCSController {
 	/** @var SubmissionMapper */
 	private $submissionMapper;
 
+	/** @var ConfigService */
+	private $configService;
+
 	/** @var FormsService */
 	private $formsService;
 
@@ -113,6 +117,7 @@ public function __construct(string $appName,
 								QuestionMapper $questionMapper,
 								ShareMapper $shareMapper,
 								SubmissionMapper $submissionMapper,
+								ConfigService $configService,
 								FormsService $formsService,
 								SubmissionService $submissionService,
 								IL10N $l10n,
@@ -130,6 +135,7 @@ public function __construct(string $appName,
 		$this->questionMapper = $questionMapper;
 		$this->shareMapper = $shareMapper;
 		$this->submissionMapper = $submissionMapper;
+		$this->configService = $configService;
 		$this->formsService = $formsService;
 		$this->submissionService = $submissionService;
 
@@ -242,15 +248,20 @@ public function getForm(int $id): DataResponse {
 	 * @throws OCSForbiddenException
 	 */
 	public function newForm(): DataResponse {
-		$form = new Form();
+		// Check if user is allowed
+		if (!$this->configService->canCreateForms()) {
+			$this->logger->debug('This user is not allowed to create Forms.');
+			throw new OCSForbiddenException();
+		}
 
+		// Create Form
+		$form = new Form();
 		$form->setOwnerId($this->currentUser->getUID());
 		$form->setCreated(time());
 		$form->setHash($this->secureRandom->generate(
 			16,
 			ISecureRandom::CHAR_HUMAN_READABLE
 		));
-
 		$form->setTitle('');
 		$form->setDescription('');
 		$form->setAccess([
@@ -280,6 +291,12 @@ public function cloneForm(int $id): DataResponse {
 			'id' => $id
 		]);
 
+		// Check if user can create forms
+		if (!$this->configService->canCreateForms()) {
+			$this->logger->debug('This user is not allowed to create Forms.');
+			throw new OCSForbiddenException();
+		}
+
 		try {
 			$oldForm = $this->formMapper->findById($id);
 		} catch (IMapperException $e) {

lib/Controller/ConfigController.php

@@ -0,0 +1,93 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2022 Jonas Rittershofer <[email protected]>
+ *
+ * @author Jonas Rittershofer <[email protected]>
+ *
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Forms\Controller;
+
+use OCA\Forms\Constants;
+use OCA\Forms\Service\ConfigService;
+use OCP\AppFramework\ApiController;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\IConfig;
+use OCP\ILogger;
+use OCP\IRequest;
+
+class ConfigController extends ApiController {
+	protected $appName;
+
+	/** @var ConfigService */
+	private $configService;
+
+	/** @var IConfig */
+	private $config;
+
+	/** @var ILogger */
+	private $logger;
+
+	public function __construct(string $appName,
+								ConfigService $configService,
+								IConfig $config,
+								ILogger $logger,
+								IRequest $request) {
+		parent::__construct($appName, $request);
+		$this->appName = $appName;
+		$this->configService = $configService;
+		$this->config = $config;
+		$this->logger = $logger;
+	}
+
+	/**
+	 * Get the current AppConfig
+	 * @return DataResponse
+	 */
+	public function getAppConfig(): DataResponse {
+		return new DataResponse($this->configService->getAppConfig());
+	}
+
+	/**
+	 * Update values on appConfig.
+	 * Admin required, thus not checking separately.
+	 *
+	 * @param string $configKey AppConfig Key to store
+	 * @param mixed $configValues Corresponding AppConfig Value
+	 *
+	 */
+	public function updateAppConfig(string $configKey, $configValue): DataResponse {
+		$this->logger->debug('Updating AppConfig: {configKey} => {configValue}', [
+			'configKey' => $configKey,
+			'configValue' => $configValue
+		]);
+
+		// Check for allowed keys
+		if (!in_array($configKey, Constants::CONFIG_KEYS)) {
+			return new DataResponse('Unknown appConfig key: ' . $configKey, Http::STATUS_BAD_REQUEST);
+		}
+
+		// Set on DB
+		$this->config->setAppValue($this->appName, $configKey, json_encode($configValue));
+
+		return new DataResponse();
+	}
+}

lib/Controller/PageController.php

@@ -30,6 +30,7 @@
 use OCA\Forms\Db\Form;
 use OCA\Forms\Db\FormMapper;
 use OCA\Forms\Db\ShareMapper;
+use OCA\Forms\Service\ConfigService;
 use OCA\Forms\Service\FormsService;
 
 use OCP\Accounts\IAccountManager;
@@ -64,15 +65,18 @@ class PageController extends Controller {
 	/** @var ShareMapper */
 	private $shareMapper;
 
+	/** @var ConfigService */
+	private $configService;
+
 	/** @var FormsService */
 	private $formsService;
 
 	/** @var IAccountManager */
 	protected $accountManager;
-	
+
 	/** @var IGroupManager */
 	private $groupManager;
-	
+
 	/** @var IInitialStateService */
 	private $initialStateService;
 
@@ -98,6 +102,7 @@ public function __construct(string $appName,
 								IRequest $request,
 								FormMapper $formMapper,
 								ShareMapper $shareMapper,
+								ConfigService $configService,
 								FormsService $formsService,
 								IAccountManager $accountManager,
 								IGroupManager $groupManager,
@@ -113,6 +118,7 @@ public function __construct(string $appName,
 
 		$this->formMapper = $formMapper;
 		$this->shareMapper = $shareMapper;
+		$this->configService = $configService;
 		$this->formsService = $formsService;
 
 		$this->accountManager = $accountManager;
@@ -137,6 +143,7 @@ public function index(): TemplateResponse {
 		Util::addStyle($this->appName, 'forms');
 		$this->insertHeaderOnIos();
 		$this->initialStateService->provideInitialState($this->appName, 'maxStringLengths', Constants::MAX_STRING_LENGTHS);
+		$this->initialStateService->provideInitialState($this->appName, 'appConfig', $this->configService->getAppConfig());
 		return new TemplateResponse($this->appName, self::TEMPLATE_MAIN);
 	}
 

lib/Controller/ShareApiController.php

@@ -31,6 +31,7 @@
 use OCA\Forms\Db\FormMapper;
 use OCA\Forms\Db\Share;
 use OCA\Forms\Db\ShareMapper;
+use OCA\Forms\Service\ConfigService;
 use OCA\Forms\Service\FormsService;
 
 use OCP\AppFramework\OCSController;
@@ -59,6 +60,9 @@ class ShareApiController extends OCSController {
 	/** @var ShareMapper */
 	private $shareMapper;
 
+	/** @var ConfigService */
+	private $configService;
+
 	/** @var FormsService */
 	private $formsService;
 
@@ -80,6 +84,7 @@ class ShareApiController extends OCSController {
 	public function __construct(string $appName,
 								FormMapper $formMapper,
 								ShareMapper $shareMapper,
+								ConfigService $configService,
 								FormsService $formsService,
 								IGroupManager $groupManager,
 								ILogger $logger,
@@ -91,6 +96,7 @@ public function __construct(string $appName,
 		$this->appName = $appName;
 		$this->formMapper = $formMapper;
 		$this->shareMapper = $shareMapper;
+		$this->configService = $configService;
 		$this->formsService = $formsService;
 		$this->groupManager = $groupManager;
 		$this->logger = $logger;
@@ -125,6 +131,12 @@ public function newShare(int $formId, int $shareType, string $shareWith = ''): D
 			throw new OCSBadRequestException('Invalid shareType');
 		}
 
+		// Block LinkShares if not allowed
+		if ($shareType === IShare::TYPE_LINK && !$this->configService->getAllowPublicLink()) {
+			$this->logger->debug('Link Share not allowed.');
+			throw new OCSForbiddenException('Link Share not allowed.');
+		}
+
 		try {
 			$form = $this->formMapper->findById($formId);
 		} catch (IMapperException $e) {