@printminion-co printminion-co commented Sep 19, 2025

Summary

Use delegation to hide from admins settings allowed only for "super-admin"

turn on delegation

occ config:system:set --type boolean --value true -- settings.only-delegated-settings

turn off delegation

occ config:system:set --type boolean --value false -- settings.only-delegated-settings

script to delegate all settings to admin group

delegate_all.sh
#!/bin/bash

# Script to add or remove delegation to admin group for all admin sections
# Executes occ commands directly (runs inside container)
# Usage: ./delegate_all.sh [add|remove]
#
# Note: Pre-check logic implemented to workaround bug where groups can be added multiple times
# Bug reference: [Bug]: occ admin-delegation:add allows adding the same delegation multiple times #46609
# https://github.com/nextcloud/server/issues/46609

# Global variable for the group name
GROUP_NAME="admin"

# Check if operation parameter is provided
if [ $# -eq 0 ]; then
    echo "Usage: $0 [add|remove]"
    echo "  add    - Add delegation for all admin sections"
    echo "  remove - Remove delegation for all admin sections"
    exit 1
fi

OPERATION="$1"

# Validate operation parameter
if [ "$OPERATION" != "add" ] && [ "$OPERATION" != "remove" ]; then
    echo "Error: Invalid operation '$OPERATION'. Use 'add' or 'remove'."
    exit 1
fi

if [ "$OPERATION" == "add" ]; then
    echo "Starting delegation process for group '$GROUP_NAME'..."
    ACTION_VERB="Delegating"
    SUCCESS_MSG="Successfully delegated"
    FAIL_MSG="Failed to delegate"
    SKIP_MSG="Skipping (already delegated)"
    OCC_COMMAND="admin-delegation:add"
else
    echo "Starting delegation removal process for group '$GROUP_NAME'..."
    ACTION_VERB="Removing delegation"
    SUCCESS_MSG="Successfully removed delegation"
    FAIL_MSG="Failed to remove delegation"
    SKIP_MSG="Skipping (not delegated)"
    OCC_COMMAND="admin-delegation:remove"
fi

# Get admin delegation info
echo "Fetching admin delegation information..."
CONTAINER_OUTPUT=$(php occ admin-delegation:show --output=json_pretty)

# Check if the command was successful
if [ $? -ne 0 ]; then
    echo "Error: Failed to execute occ command"
    exit 1
fi

echo "Processing delegation data..."

# Parse JSON and process each setting
echo "$CONTAINER_OUTPUT" | jq -r '.[] | .settings[] | "\(.className)|\(.delegatedGroups | join(","))"' | while IFS='|' read -r className delegatedGroups; do
    if [ -n "$className" ]; then
        # Check if the group is already in the delegated groups
        group_already_delegated=false
        if [[ ",$delegatedGroups," == *",$GROUP_NAME,"* ]]; then
            group_already_delegated=true
        fi

        if [ "$OPERATION" == "add" ]; then
            if [ "$group_already_delegated" == "true" ]; then
                echo "$SKIP_MSG: $className"
                continue
            fi
            echo "$ACTION_VERB: $className"
        else
            if [ "$group_already_delegated" == "false" ]; then
                echo "$SKIP_MSG: $className"
                continue
            fi
            echo "$ACTION_VERB: $className"
        fi

        # Execute the delegation command
        php occ "$OCC_COMMAND" "$className" "$GROUP_NAME"

        # Check if delegation was successful
        if [ $? -eq 0 ]; then
            echo "$SUCCESS_MSG: $className"
        else
            echo "$FAIL_MSG: $className"
        fi
    fi
done

if [ "$OPERATION" == "add" ]; then
    echo "Delegation process completed!"
else
    echo "Delegation removal process completed!"
fi

# Show final status
echo ""
echo "Final delegation status:"
php occ admin-delegation:show --output=json_pretty

To run tests use the

tests/phpunit-autotest-settings.xml
<?xml version="1.0" encoding="utf-8" ?>
<!--
 - SPDX-FileCopyrightText: 2014-2016 ownCloud, Inc.
 - SPDX-License-Identifier: AGPL-3.0-only
-->
<phpunit bootstrap="bootstrap.php"
		 verbose="true"
		 timeoutForSmallTests="900"
		 timeoutForMediumTests="900"
		 timeoutForLargeTests="900"
>
	<testsuite name='ownCloud settings external'>
		<directory suffix=".php">../apps/settings/tests</directory>
	</testsuite>
	<!-- filters for code coverage -->
	<filter>
		<whitelist>
			<directory suffix=".php">../apps/settings</directory>
			<exclude>
				<directory suffix=".php">../apps/settings/l10n</directory>
				<directory suffix=".php">../apps/settings/tests</directory>
			</exclude>
		</whitelist>
	</filter>
</phpunit>
phpunit --configuration tests/phpunit-autotest-settings.xml

TODO

  • ...

Checklist
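
An added example, not part of this pull request or of Nextcloud's code: a Python audit over the JSON printed by `occ admin-delegation:show --output=json_pretty`, flagging duplicate delegations (the issue #46609 case the script works around), groups outside an expected list, and settings with no delegation at all. It assumes only the `className` and `delegatedGroups` fields that the script's jq filter reads; the function name `audit_delegations`, the `helpdesk` group and the sample data are constructed.

```python
import json
from collections import Counter

# Constructed sample shaped like the fields the script's jq filter reads
# (.[] | .settings[] | .className, .delegatedGroups); not real occ output.
SAMPLE_SHOW_JSON = r'''
[
  {"settings": [
    {"className": "OCA\\Settings\\Settings\\Admin\\Server",
     "delegatedGroups": ["admin"]},
    {"className": "OCA\\Settings\\Settings\\Admin\\Mail",
     "delegatedGroups": ["admin", "admin", "helpdesk"]}
  ]},
  {"settings": [
    {"className": "OCA\\Settings\\Settings\\Admin\\Delegation",
     "delegatedGroups": []}
  ]}
]
'''


def audit_delegations(show_json, expected_groups=("admin",)):
    """Return duplicate, unexpected and missing delegations per setting class."""
    expected = set(expected_groups)
    findings = {"duplicate": [], "unexpected": [], "undelegated": []}
    for section in json.loads(show_json):
        for setting in section.get("settings", []):
            name = setting["className"]
            counts = Counter(setting.get("delegatedGroups") or [])
            # Same group listed more than once: the state issue #46609 permits.
            for group, n in sorted(counts.items()):
                if n > 1:
                    findings["duplicate"].append((name, group, n))
            # Groups outside the expected list hold a delegation for this class.
            for group in sorted(set(counts) - expected):
                findings["unexpected"].append((name, group))
            # No delegation: per this PR's description, such a setting is not
            # shown to admins once settings.only-delegated-settings is true.
            if not counts:
                findings["undelegated"].append(name)
    return findings


if __name__ == "__main__":
    for kind, items in audit_delegations(SAMPLE_SHOW_JSON).items():
        for item in items:
            print(kind, item)
```

Running it against saved output after `delegate_all.sh add` gives a quick check that no class was skipped and that no group other than the intended one gained access.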

@printminion-co printminion-co changed the title IONOS(admin-delegation): add output option for show command to suppor… IONOS(admin-delegation): add output option for show command to support JSON formats Sep 22, 2025
@printminion-co printminion-co force-pushed the mk/dev/admin_delegation branch 4 times, most recently from 6354f42 to 1085e55 Compare September 29, 2025 12:20
@printminion-co printminion-co changed the title IONOS(admin-delegation): add output option for show command to support JSON formats extend admin-delegation Sep 29, 2025
@printminion-co printminion-co force-pushed the mk/dev/admin_delegation branch 3 times, most recently from 2e4472d to 075bd0a Compare September 30, 2025 14:20
@printminion-co printminion-co marked this pull request as ready for review September 30, 2025 14:39
@bromiesTM bromiesTM requested a review from Copilot October 8, 2025 06:24

Copilot AI left a comment

Pull Request Overview

This PR extends the admin delegation functionality to hide admin settings from regular admins when only delegated settings are enabled. The feature introduces a system configuration that allows super-admins to restrict access to admin settings, making them visible only through delegation mechanisms.

  • Adds support for settings.only-delegated-settings system configuration to control delegation behavior
  • Modifies navigation to show unified Settings entry instead of separate personal/admin entries when delegation is enabled
  • Updates admin settings filtering logic to respect the delegation configuration

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| tests/lib/Settings/ManagerTest.php | Adds test coverage for delegation-aware admin settings filtering |
| tests/lib/NavigationManagerTest.php | Tests navigation behavior with delegated settings enabled/disabled |
| lib/private/Settings/Manager.php | Implements delegation logic in getAllowedAdminSettings method |
| lib/private/NavigationManager.php | Modifies navigation entries based on delegation configuration |
| apps/settings/tests/Settings/Admin/DelegationTest.php | New test file for Delegation settings class |
| apps/settings/lib/Settings/Admin/Delegation.php | Updates Delegation class to implement IDelegatedSettings |
| apps/settings/lib/Command/AdminDelegation/Show.php | Enhances show command with structured output formats |

@printminion-co printminion-co force-pushed the mk/dev/admin_delegation branch from 075bd0a to 7747522 Compare October 9, 2025 12:34
@printminion-co printminion-co requested a review from Copilot October 9, 2025 15:13

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.


Comment on lines +109 to +114
->withConsecutive(
['available-settings', []],
['available-groups', [['displayName' => 'Users', 'gid' => 'users']]],
['authorized-groups', []],
['authorized-settings-doc-link', 'https://docs.example.com/admin-delegation']
);

Copilot AI Oct 10, 2025

The withConsecutive() method is deprecated in newer PHPUnit versions. Consider using separate with() expectations or the willReturnCallback() method to verify the calls individually.

@printminion-co printminion-co force-pushed the mk/dev/admin_delegation branch from 9166bdb to df877da Compare October 10, 2025 14:32
…edGroupService

Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de>
Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de>
…tedSettings

Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de>
…r and NavigationManager

Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de>
…tructor

Prevent initSettingState from reloading the already filtered delegated states of settingManager for the current user.

Fixes rendering of delegated sections in apps/settings/templates/settings/frame.php
While browsing to /settings/admin/admindelegation

Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de>
Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de>
…ings for non-admin

IDeclarativeSettingsForm can't be delegated and can be shown only to admin.
Let's not load IDeclarativeSettings for non-admins.
Otherwise we get "Access forbidden" while displaying /settings/admin
and prevent delegated sections from being shown to non-admins, like:

Background jobs   OCA\Settings\Settings\Admin\Server
Email server      OCA\Settings\Settings\Admin\Mail

Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de>
…ttings for non-admin users

Signed-off-by: Misha M.-Kupriyanov <kupriyanov@strato.de>
@printminion-co printminion-co force-pushed the mk/dev/admin_delegation branch from df877da to f13355f Compare October 10, 2025 16:26
@printminion-co printminion-co merged commit 423d91a into ionos-dev Oct 13, 2025
35 of 42 checks passed