nextcloud · leftybournes · Apr 7, 2026 · Mar 16, 2026 · Mar 30, 2026 · Mar 30, 2026
@@ -7,10 +7,13 @@
  */
 namespace OCA\Files_External\Controller;
 
+use OC\Settings\AuthorizedGroupMapper;
 use OCA\Files_External\Lib\Auth\Password\GlobalAuth;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
+use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\JSONResponse;
@@ -38,6 +41,7 @@ public function __construct(
 		private IGroupManager $groupManager,
 		private IUserManager $userManager,
 		private IL10N $l10n,
+		private AuthorizedGroupMapper $authorizedGroupMapper,
 	) {
 		parent::__construct($appName, $request);
 	}
@@ -51,6 +55,7 @@ public function __construct(
 	 * @param int|null $offset The offset from which to start returning results
 	 * @return JSONResponse
 	 */
+	#[AuthorizedAdminSetting(settings: Admin::class)]
 	public function getApplicableEntities(string $pattern = '', ?int $limit = null, ?int $offset = null): JSONResponse {
 		$groups = [];
 		foreach ($this->groupManager->search($pattern, $limit, $offset) as $group) {
@@ -112,10 +117,14 @@ public function saveGlobalCredentials($uid, $user, $password): JSONResponse {
 			], Http::STATUS_UNAUTHORIZED);
 		}
 
-		// Non-admins can only edit their own credentials
-		// Admin can edit global credentials
+		// Non-admins can only edit their own credentials.
+		// Admin or delegated admin can edit global credentials (uid === '').
+		// Cannot use #[AuthorizedAdminSetting] here because this endpoint is
+		// #[NoAdminRequired] and must also allow users to edit their own (uid !== '')
+		// credentials — the two paths share one method.
 		$allowedToEdit = $uid === ''
 			? $this->groupManager->isAdmin($currentUser->getUID())
+				|| in_array(Admin::class, $this->authorizedGroupMapper->findAllClassesForUser($currentUser), true)
 			: $currentUser->getUID() === $uid;
 
 		if ($allowedToEdit) {

@@ -9,7 +9,9 @@
 
 use OCA\Files_External\NotFoundException;
 use OCA\Files_External\Service\GlobalStoragesService;
+use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\IConfig;
@@ -60,6 +62,7 @@ public function __construct(
 	 * @param ?array $applicableGroups groups for which to mount the storage
 	 * @param ?int $priority priority
 	 */
+	#[AuthorizedAdminSetting(settings: Admin::class)]
 	#[PasswordConfirmationRequired(strict: true)]
 	public function create(
 		string $mountPoint,
@@ -123,6 +126,7 @@ public function create(
 	 * @param ?array $applicableGroups groups for which to mount the storage
 	 * @param ?int $priority priority
 	 */
+	#[AuthorizedAdminSetting(settings: Admin::class)]
 	#[PasswordConfirmationRequired(strict: true)]
 	public function update(
 		int $id,
@@ -173,4 +177,22 @@ public function update(
 			Http::STATUS_OK
 		);
 	}
+
+	// PHP attributes are not inherited, so these methods override the parent
+	// solely to attach #[AuthorizedAdminSetting] and expose them to delegated admins.
+	#[AuthorizedAdminSetting(settings: Admin::class)]
+	public function index() {
+		return parent::index();
+	}
+
+	#[AuthorizedAdminSetting(settings: Admin::class)]
+	public function show(int $id, $testOnly = true) {
+		return parent::show($id, $testOnly);
+	}
+
+	#[AuthorizedAdminSetting(settings: Admin::class)]
+	#[PasswordConfirmationRequired(strict: true)]
+	public function destroy(int $id) {
+		return parent::destroy($id);
+	}
 }
@@ -13,10 +13,11 @@
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\Encryption\IManager;
+use OCP\IL10N;
 use OCP\IURLGenerator;
-use OCP\Settings\ISettings;
+use OCP\Settings\IDelegatedSettings;
 
-class Admin implements ISettings {
+class Admin implements IDelegatedSettings {
 	use CommonSettingsTrait;
 
 	public function __construct(
@@ -26,6 +27,7 @@ public function __construct(
 		private GlobalAuth $globalAuth,
 		private IInitialState $initialState,
 		private IURLGenerator $urlGenerator,
+		private IL10N $l10n,
 	) {
 		$this->visibility = BackendService::VISIBILITY_ADMIN;
 	}
@@ -65,4 +67,13 @@ public function getSection() {
 	public function getPriority() {
 		return 40;
 	}
+
+	public function getName(): string {
+		return $this->l10n->t('External storage');
+	}
+
+	public function getAuthorizedAppConfig(): array {
+		// No app config keys require delegation for external storage.
+		return [];
+	}
 }
@@ -7,10 +7,13 @@
  */
 namespace OCA\Files_External\Tests\Controller;
 
+use OC\Settings\AuthorizedGroupMapper;
 use OCA\Files_External\Controller\AjaxController;
 use OCA\Files_External\Lib\Auth\Password\GlobalAuth;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
+use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Http\JSONResponse;
+use OCP\IGroup;
 use OCP\IGroupManager;
 use OCP\IL10N;
 use OCP\IRequest;
@@ -28,6 +31,7 @@ class AjaxControllerTest extends TestCase {
 	private IGroupManager&MockObject $groupManager;
 	private IUserManager&MockObject $userManager;
 	private IL10N&MockObject $l10n;
+	private AuthorizedGroupMapper&MockObject $authorizedGroupMapper;
 	private AjaxController $ajaxController;
 
 	protected function setUp(): void {
@@ -38,6 +42,7 @@ protected function setUp(): void {
 		$this->groupManager = $this->createMock(IGroupManager::class);
 		$this->userManager = $this->createMock(IUserManager::class);
 		$this->l10n = $this->createMock(IL10N::class);
+		$this->authorizedGroupMapper = $this->createMock(AuthorizedGroupMapper::class);
 
 		$this->ajaxController = new AjaxController(
 			'files_external',
@@ -48,6 +53,7 @@ protected function setUp(): void {
 			$this->groupManager,
 			$this->userManager,
 			$this->l10n,
+			$this->authorizedGroupMapper,
 		);
 
 		$this->l10n->expects($this->any())
@@ -62,6 +68,50 @@ protected function setUp(): void {
 		parent::setUp();
 	}
 
+	public function testGetApplicableEntitiesReturnsGroupsAndUsers(): void {
+		$group = $this->createMock(IGroup::class);
+		$group->method('getGID')->willReturn('group1');
+		$group->method('getDisplayName')->willReturn('Group One');
+
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('user1');
+		$user->method('getDisplayName')->willReturn('User One');
+
+		$this->groupManager
+			->expects($this->once())
+			->method('search')
+			->with('test', 10, 0)
+			->willReturn([$group]);
+		$this->userManager
+			->expects($this->once())
+			->method('searchDisplayName')
+			->with('test', 10, 0)
+			->willReturn([$user]);
+
+		$response = $this->ajaxController->getApplicableEntities('test', 10, 0);
+		$this->assertSame(200, $response->getStatus());
+		$this->assertSame(['group1' => 'Group One'], $response->getData()['groups']);
+		$this->assertSame(['user1' => 'User One'], $response->getData()['users']);
+	}
+
+	public function testGetApplicableEntitiesWithNoResults(): void {
+		$this->groupManager
+			->expects($this->once())
+			->method('search')
+			->with('', null, null)
+			->willReturn([]);
+		$this->userManager
+			->expects($this->once())
+			->method('searchDisplayName')
+			->with('', null, null)
+			->willReturn([]);
+
+		$response = $this->ajaxController->getApplicableEntities();
+		$this->assertSame(200, $response->getStatus());
+		$this->assertSame([], $response->getData()['groups']);
+		$this->assertSame([], $response->getData()['users']);
+	}
+
 	public function testGetSshKeys(): void {
 		$this->rsa
 			->expects($this->once())
@@ -153,4 +203,91 @@ public function testSaveGlobalCredentialsAsNormalUserForAnotherUser(): void {
 		$this->assertSame($response->getStatus(), 403);
 		$this->assertSame('Permission denied', $response->getData()['message']);
 	}
+
+	public function testSaveGlobalCredentialsAsAdminForGlobal(): void {
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('MyAdminUid');
+		$this->userSession->method('getUser')->willReturn($user);
+		$this->groupManager
+			->expects($this->once())
+			->method('isAdmin')
+			->with('MyAdminUid')
+			->willReturn(true);
+		$this->authorizedGroupMapper
+			->expects($this->never())
+			->method('findAllClassesForUser');
+		$this->globalAuth
+			->expects($this->once())
+			->method('saveAuth')
+			->with('', 'test', 'password');
+
+		$response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password');
+		$this->assertSame(200, $response->getStatus());
+	}
+
+	public function testSaveGlobalCredentialsAsDelegatedAdminForGlobal(): void {
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('DelegatedUid');
+		$this->userSession->method('getUser')->willReturn($user);
+		$this->groupManager
+			->expects($this->once())
+			->method('isAdmin')
+			->with('DelegatedUid')
+			->willReturn(false);
+		$this->authorizedGroupMapper
+			->expects($this->once())
+			->method('findAllClassesForUser')
+			->with($user)
+			->willReturn([Admin::class]);
+		$this->globalAuth
+			->expects($this->once())
+			->method('saveAuth')
+			->with('', 'test', 'password');
+
+		$response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password');
+		$this->assertSame(200, $response->getStatus());
+	}
+
+	public function testSaveGlobalCredentialsAsDelegatedAdminForAnotherUser(): void {
+		// Delegated admins may only set global (uid='') credentials, not impersonate other users.
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('DelegatedUid');
+		$this->userSession->method('getUser')->willReturn($user);
+		$this->groupManager
+			->expects($this->never())
+			->method('isAdmin');
+		$this->authorizedGroupMapper
+			->expects($this->never())
+			->method('findAllClassesForUser');
+		$this->globalAuth
+			->expects($this->never())
+			->method('saveAuth');
+
+		$response = $this->ajaxController->saveGlobalCredentials('OtherUserUid', 'test', 'password');
+		$this->assertSame(403, $response->getStatus());
+		$this->assertSame('Permission denied', $response->getData()['message']);
+	}
+
+	public function testSaveGlobalCredentialsAsNormalUserForGlobal(): void {
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('NormalUid');
+		$this->userSession->method('getUser')->willReturn($user);
+		$this->groupManager
+			->expects($this->once())
+			->method('isAdmin')
+			->with('NormalUid')
+			->willReturn(false);
+		$this->authorizedGroupMapper
+			->expects($this->once())
+			->method('findAllClassesForUser')
+			->with($user)
+			->willReturn([]);
+		$this->globalAuth
+			->expects($this->never())
+			->method('saveAuth');
+
+		$response = $this->ajaxController->saveGlobalCredentials('', 'test', 'password');
+		$this->assertSame(403, $response->getStatus());
+		$this->assertSame('Permission denied', $response->getData()['message']);
+	}
 }
@@ -12,10 +12,10 @@
 use OCA\Files_External\Service\BackendService;
 use OCA\Files_External\Service\GlobalStoragesService;
 use OCA\Files_External\Settings\Admin;
-use OCP\App\IAppManager;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\Encryption\IManager;
+use OCP\IL10N;
 use OCP\IURLGenerator;
 use PHPUnit\Framework\MockObject\MockObject;
 use Test\TestCase;
@@ -27,7 +27,7 @@ class AdminTest extends TestCase {
 	private GlobalAuth&MockObject $globalAuth;
 	private IInitialState&MockObject $initialState;
 	private IURLGenerator&MockObject $urlGenerator;
-	private IAppManager&MockObject $appManager;
+	private IL10N&MockObject $l10n;
 	private Admin $admin;
 
 	protected function setUp(): void {
@@ -38,7 +38,10 @@ protected function setUp(): void {
 		$this->globalAuth = $this->createMock(GlobalAuth::class);
 		$this->initialState = $this->createMock(IInitialState::class);
 		$this->urlGenerator = $this->createMock(IURLGenerator::class);
-		$this->appManager = $this->createMock(IAppManager::class);
+		$this->l10n = $this->createMock(IL10N::class);
+		$this->l10n->method('t')->willReturnCallback(function ($text) {
+			return $text;
+		});
 
 		$this->admin = new Admin(
 			$this->encryptionManager,
@@ -47,7 +50,7 @@ protected function setUp(): void {
 			$this->globalAuth,
 			$this->initialState,
 			$this->urlGenerator,
-			$this->appManager,
+			$this->l10n,
 		);
 	}
 
@@ -123,4 +126,22 @@ public function testGetSection(): void {
 	public function testGetPriority(): void {
 		$this->assertSame(40, $this->admin->getPriority());
 	}
+
+	public function testGetName(): void {
+		$this->l10n->expects($this->once())
+			->method('t')
+			->with('External storage')
+			->willReturn('External storage');
+
+		$this->assertSame('External storage', $this->admin->getName());
+	}
+
+	public function testGetAuthorizedAppConfig(): void {
+		$this->assertSame([], $this->admin->getAuthorizedAppConfig());
+	}
+
+	public function testImplementsIDelegatedSettings(): void {
+		$this->assertInstanceOf(\OCP\Settings\IDelegatedSettings::class, $this->admin);
+		$this->assertInstanceOf(\OCP\Settings\ISettings::class, $this->admin);
+	}
 }