Merge pull request #1406 from nextcloud/enh/noid/perm-mw-read
refactor: Extend Permission Middleware usage and replace deprecated annotations with attributes
blizzz authored Oct 8, 2024
2 parents d2f19ee + 5367494 commit 13ca45f
Showing 17 changed files with 258 additions and 330 deletions.
277 changes: 128 additions & 149 deletions lib/Controller/Api1Controller.php

Large diffs are not rendered by default.

30 changes: 16 additions & 14 deletions lib/Controller/ApiColumnsController.php
Expand Up @@ -6,13 +6,16 @@
*/
namespace OCA\Tables\Controller;

use OCA\Tables\AppInfo\Application;
use OCA\Tables\Dto\Column as ColumnDto;
use OCA\Tables\Errors\InternalError;
use OCA\Tables\Errors\NotFoundError;
use OCA\Tables\Errors\PermissionError;
use OCA\Tables\Middleware\Attribute\RequirePermission;
use OCA\Tables\ResponseDefinitions;
use OCA\Tables\Service\ColumnService;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\IL10N;
use OCP\IRequest;
Expand All @@ -39,8 +42,6 @@ public function __construct(
*
* Return an empty array if no columns were found
*
* @NoAdminRequired
*
* @param int $nodeId Node ID
* @param 'table'|'view' $nodeType Node type
* @return DataResponse<Http::STATUS_OK, TablesColumn[], array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
Expand All @@ -49,6 +50,8 @@ public function __construct(
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ)]
public function index(int $nodeId, string $nodeType): DataResponse {
try {
if($nodeType === 'table') {
Expand All @@ -71,15 +74,14 @@ public function index(int $nodeId, string $nodeType): DataResponse {
/**
* [api v2] Get a column object
*
* @NoAdminRequired
*
* @param int $id Column ID
* @return DataResponse<Http::STATUS_OK, TablesColumn, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
*
* 200: Column returned
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
public function show(int $id): DataResponse {
try {
return new DataResponse($this->service->find($id)->jsonSerialize());
Expand All @@ -97,8 +99,6 @@ public function show(int $id): DataResponse {
*
* Specify a subtype to use any special numbered column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param boolean $mandatory Is mandatory
Expand All @@ -121,6 +121,8 @@ public function show(int $id): DataResponse {
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createNumberColumn(int $baseNodeId, string $title, ?float $numberDefault, ?int $numberDecimals, ?string $numberPrefix, ?string $numberSuffix, ?float $numberMin, ?float $numberMax, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand Down Expand Up @@ -151,8 +153,6 @@ public function createNumberColumn(int $baseNodeId, string $title, ?float $numbe
*
* Specify a subtype to use any special text column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param string|null $textDefault Default
Expand All @@ -172,6 +172,8 @@ public function createNumberColumn(int $baseNodeId, string $title, ?float $numbe
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createTextColumn(int $baseNodeId, string $title, ?string $textDefault, ?string $textAllowedPattern, ?int $textMaxLength, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand Down Expand Up @@ -199,8 +201,6 @@ public function createTextColumn(int $baseNodeId, string $title, ?string $textDe
*
* Specify a subtype to use any special selection column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param string $selectionOptions Json array{id: int, label: string} with options that can be selected, eg [{"id": 1, "label": "first"},{"id": 2, "label": "second"}]
Expand All @@ -219,6 +219,8 @@ public function createTextColumn(int $baseNodeId, string $title, ?string $textDe
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createSelectionColumn(int $baseNodeId, string $title, string $selectionOptions, ?string $selectionDefault, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand All @@ -245,8 +247,6 @@ public function createSelectionColumn(int $baseNodeId, string $title, string $se
*
* Specify a subtype to use any special datetime column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param 'today'|'now'|null $datetimeDefault For a subtype 'date' you can set 'today'. For a main type or subtype 'time' you can set to 'now'.
Expand All @@ -264,6 +264,8 @@ public function createSelectionColumn(int $baseNodeId, string $title, string $se
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createDatetimeColumn(int $baseNodeId, string $title, ?string $datetimeDefault, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
Expand All @@ -287,8 +289,6 @@ public function createDatetimeColumn(int $baseNodeId, string $title, ?string $da
/**
* [api v2] Create new usergroup column
*
* @NoAdminRequired
*
* @param int $baseNodeId Context of the column creation
* @param string $title Title
* @param string|null $usergroupDefault Json array{id: string, type: int}, eg [{"id": "admin", "type": 0}, {"id": "user1", "type": 0}]
Expand All @@ -309,6 +309,8 @@ public function createDatetimeColumn(int $baseNodeId, string $title, ?string $da
* @throws NotFoundError
* @throws PermissionError
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
public function createUsergroupColumn(int $baseNodeId, string $title, ?string $usergroupDefault, bool $usergroupMultipleItems = null, bool $usergroupSelectUsers = null, bool $usergroupSelectGroups = null, bool $showUserStatus = null, string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse {
$tableId = $baseNodeType === 'table' ? $baseNodeId : null;
$viewId = $baseNodeType === 'view' ? $baseNodeId : null;
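Review bot: `show(int $id)` is the only endpoint in this controller that takes a resource ID and gets `#[NoAdminRequired]` without a `#[RequirePermission]`, although its docblock still lists `403: No permissions`. Read access to a column by ID therefore depends entirely on whatever check `$this->service->find($id)` performs, which is not visible in this diff. If the middleware cannot be applied because a column ID does not map to a node type/ID pair, I would say so above the method once that is confirmed, e.g. `// Not covered by PermissionMiddleware: read access is checked in ColumnService::find()`, and keep a test asserting that a user without read access gets a 403. The method body continues outside the hunk.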
11 changes: 7 additions & 4 deletions lib/Controller/ApiFavoriteController.php
Expand Up @@ -8,12 +8,15 @@
namespace OCA\Tables\Controller;

use Exception;
use OCA\Tables\AppInfo\Application;
use OCA\Tables\Errors\InternalError;
use OCA\Tables\Errors\NotFoundError;
use OCA\Tables\Errors\PermissionError;
use OCA\Tables\Middleware\Attribute\RequirePermission;
use OCA\Tables\ResponseDefinitions;
use OCA\Tables\Service\FavoritesService;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\DB\Exception as DBException;
use OCP\IL10N;
Expand All @@ -39,8 +42,6 @@ public function __construct(
/**
* [api v2] Add a node (table or view) to user favorites
*
* @NoAdminRequired
*
* @param int $nodeType any Application::NODE_TYPE_* constant
* @param int $nodeId identifier of the node
* @return DataResponse<Http::STATUS_OK, array{}, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
Expand All @@ -49,6 +50,8 @@ public function __construct(
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ)]
public function create(int $nodeType, int $nodeId): DataResponse {
try {
$this->service->addFavorite($nodeType, $nodeId);
Expand All @@ -66,8 +69,6 @@ public function create(int $nodeType, int $nodeId): DataResponse {
/**
* [api v2] Remove a node (table or view) to from favorites
*
* @NoAdminRequired
*
* @param int $nodeType any Application::NODE_TYPE_* constant
* @param int $nodeId identifier of the node
* @return DataResponse<Http::STATUS_OK, array{}, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
Expand All @@ -76,6 +77,8 @@ public function create(int $nodeType, int $nodeId): DataResponse {
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ)]
public function destroy(int $nodeType, int $nodeId): DataResponse {
try {
$this->service->removeFavorite($nodeType, $nodeId);
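Review bot: Requiring `Application::PERMISSION_READ` on `destroy()` means a user can no longer remove one of their own favorites once read access to the node has been revoked, unless favorites are cleaned up elsewhere when a share is removed (not visible here). Removing a favorite only touches the caller's own record, so the guard is needed on `create()` but arguably not on `destroy()`; I would drop the `#[RequirePermission(...)]` line there or document why it is intended. Both attributes also omit `typeParam`/`idParam`, and `nodeType` is an `int` here while `ApiColumnsController::index()` passes `'table'|'view'` strings with the same omitted arguments, so a short comment stating that the middleware accepts both forms would help the next reader.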
4 changes: 2 additions & 2 deletions lib/Controller/ApiGeneralController.php
Expand Up @@ -15,6 +15,7 @@
use OCA\Tables\Service\TableService;
use OCA\Tables\Service\ViewService;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\IL10N;
use OCP\IRequest;
Expand Down Expand Up @@ -46,12 +47,11 @@ public function __construct(
*
* Tables and views incl. shares
*
* @NoAdminRequired
*
* @return DataResponse<Http::STATUS_OK, TablesIndex, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
*
* 200: Index returned
*/
#[NoAdminRequired]
public function index(): DataResponse {
try {
$tables = $this->tableService->formatTables($this->tableService->findAll($this->userId));
31 changes: 15 additions & 16 deletions lib/Controller/ApiTablesController.php
Expand Up @@ -8,16 +8,19 @@
namespace OCA\Tables\Controller;

use Exception;
use OCA\Tables\AppInfo\Application;
use OCA\Tables\Dto\Column as ColumnDto;
use OCA\Tables\Errors\InternalError;
use OCA\Tables\Errors\NotFoundError;
use OCA\Tables\Errors\PermissionError;
use OCA\Tables\Middleware\Attribute\RequirePermission;
use OCA\Tables\ResponseDefinitions;
use OCA\Tables\Service\ColumnService;
use OCA\Tables\Service\TableService;
use OCA\Tables\Service\ViewService;
use OCP\App\IAppManager;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\IDBConnection;
use OCP\IL10N;
Expand Down Expand Up @@ -57,12 +60,11 @@ public function __construct(
/**
* [api v2] Returns all Tables
*
* @NoAdminRequired
*
* @return DataResponse<Http::STATUS_OK, TablesTable[], array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
*
* 200: Tables returned
*/
#[NoAdminRequired]
public function index(): DataResponse {
try {
return new DataResponse($this->service->formatTables($this->service->findAll($this->userId)));
Expand All @@ -74,15 +76,15 @@ public function index(): DataResponse {
/**
* [api v2] Get a table object
*
* @NoAdminRequired
*
* @param int $id Table ID
* @return DataResponse<Http::STATUS_OK, TablesTable, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
*
* 200: Table returned
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'id')]
public function show(int $id): DataResponse {
try {
return new DataResponse($this->service->find($id)->jsonSerialize());
Expand All @@ -98,15 +100,15 @@ public function show(int $id): DataResponse {
/**
* [api v2] Get a table Scheme
*
* @NoAdminRequired
*
* @param int $id Table ID
* @return DataResponse<Http::STATUS_OK, TablesTable, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
*
* 200: Scheme returned
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'id')]
public function showScheme(int $id): DataResponse {
try {
return new DataResponse($this->service->getScheme($id)->jsonSerialize());
Expand All @@ -120,8 +122,6 @@ public function showScheme(int $id): DataResponse {
}

/**
* @NoAdminRequired
*
* creates table from scheme
*
* @param string $title title of new table
Expand All @@ -133,6 +133,7 @@ public function showScheme(int $id): DataResponse {
*
* 200: Tables returned
*/
#[NoAdminRequired]
public function createFromScheme(string $title, string $emoji, string $description, array $columns, array $views): DataResponse {
try {
$this->db->beginTransaction();
Expand Down Expand Up @@ -191,8 +192,6 @@ public function createFromScheme(string $title, string $emoji, string $descripti
/**
* [api v2] Create a new table and return it
*
* @NoAdminRequired
*
* @param string $title Title of the table
* @param string|null $emoji Emoji for the table
* @param string|null $description Description for the table
Expand All @@ -202,6 +201,7 @@ public function createFromScheme(string $title, string $emoji, string $descripti
*
* 200: Tables returned
*/
#[NoAdminRequired]
public function create(string $title, ?string $emoji, ?string $description, string $template = 'custom'): DataResponse {
try {
return new DataResponse($this->service->create($title, $template, $emoji, $description)->jsonSerialize());
Expand All @@ -213,8 +213,6 @@ public function create(string $title, ?string $emoji, ?string $description, stri
/**
* [api v2] Update tables properties
*
* @NoAdminRequired
*
* @param int $id Table ID
* @param string|null $title New table title
* @param string|null $emoji New table emoji
Expand All @@ -226,6 +224,8 @@ public function create(string $title, ?string $emoji, ?string $description, stri
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')]
public function update(int $id, ?string $title = null, ?string $emoji = null, ?string $description = null, ?bool $archived = null): DataResponse {
try {
return new DataResponse($this->service->update($id, $title, $emoji, $description, $archived, $this->userId)->jsonSerialize());
Expand All @@ -241,15 +241,15 @@ public function update(int $id, ?string $title = null, ?string $emoji = null, ?s
/**
* [api v2] Delete a table
*
* @NoAdminRequired
*
* @param int $id Table ID
* @return DataResponse<Http::STATUS_OK, TablesTable, array{}>|DataResponse<Http::STATUS_FORBIDDEN|Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND, array{message: string}, array{}>
*
* 200: Deleted table returned
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
#[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')]
public function destroy(int $id): DataResponse {
try {
return new DataResponse($this->service->delete($id)->jsonSerialize());
Expand All @@ -267,8 +267,6 @@ public function destroy(int $id): DataResponse {
*
* Transfer table from one user to another
*
* @NoAdminRequired
*
* @param int $id Table ID
* @param string $newOwnerUserId New user ID
*
Expand All @@ -278,6 +276,7 @@ public function destroy(int $id): DataResponse {
* 403: No permissions
* 404: Not found
*/
#[NoAdminRequired]
public function transfer(int $id, string $newOwnerUserId): DataResponse {
try {
return new DataResponse($this->service->setOwner($id, $newOwnerUserId)->jsonSerialize());
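Review bot: `transfer()` changes a table's owner but, unlike `update()` and `destroy()`, gets only `#[NoAdminRequired]` and no `#[RequirePermission]`, so the middleware does not gate the most privileged operation in this controller. Whether `$this->service->setOwner($id, $newOwnerUserId)` verifies that the caller owns or manages the table is not visible in this diff. I would add `#[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')]` as a first gate, or, if transfer needs a stricter owner-only check that the middleware cannot express, note that above the method and keep the check in the service. The method body continues outside the hunk.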