Add occ commands to enable and disable a user + a disabled user can n…

[DeepDiver1975]

…o longer login - fixes #23838

@rullzer @LukasReschke @MorrisJobke

[mention-bot]

By analyzing the blame information on this pull request, we identified @icewind1991, @butonic and @xoen to be potential reviewers

[LukasReschke]

I'd like some integration tests on this covering the following scenarios:

1. Subadmin should be able to enable or disable an user in their group
2. Subadmins should NOT be able to enable or disable an user not in their group
3. Subadmins should not be able to disable users that have admin permissions even if they are in their group
4. Admins can enable and disable any user
5. Regular users will get an exception
6. It should not be possible to disable or enable ones own account, neither as admin nor as subadmin

cc @owncloud/qa

[nickvergessen]

\3. is not covered by the code?

[LukasReschke]

It is. Check L370

[LukasReschke]

Ah. Bloody GitHub, if I click on edit it shows "3." instead of "1."

Yes. 3, is not covered yet.

[PVince81]

@SergioBertolinSG do we have this covered now ?

[SergioBertolinSG]

Yes it works fine.

[DeepDiver1975]

Additional integration tests to be implemented:

1. disable user
2. 503 is received via dav
3. 503 is received via ocs api calls
4. 503 is received via web requests

[rullzer]

I did not check yet. But does this somehow yield the users shares invalid?

[LukasReschke]

I did not check yet. But does this somehow yield the users shares invalid?

Is this really required? I mean if you disable an user on an Active Directory server one can also still access files that belonged to them  🙈

Edit: Ah… Right… The migration scenario, my bad :)

[butonic]

Where do we localize the string so the user can be shown a proper message when he tries to login?

[DeepDiver1975]

Should be done here - thanks for the pointer

[MorrisJobke]

This seems to fail 🙈

[DeepDiver1975]

😠

Checked 4387 files in 45.2 seconds
Syntax error found in 1 file
------------------------------------------------------------
Parse error: ./lib/composer/composer/autoload_static.php:22
    20|         'OC\\Settings\\' => 
    21|         array (
  > 22|             0 => __DIR__ . '/../../..' . '/settings',
    23|         ),
    24|         'OC\\Core\\' => Unexpected '.', expecting ')'

[DeepDiver1975]

@nickvergessen @LukasReschke @MorrisJobke any idea why in this pr the composer generated file is causing trouble?

[DeepDiver1975]

issues seem to be related to php 5.4 and 5.5

[DeepDiver1975]

same fun in #23708 - master broken?

[LukasReschke]

Mhm. We don't ship any /lib/composer/composer/autoload_static.php, seems like composer on Travis generates this automatically… Let's see why it does that 😉

[LukasReschke]

Mhm…

Composer version 1.1-dev (4f0f8779cb6db67d2186e3480f5ca2243e9916e5) 2016-04-11 18:36:39

Caused by composer/composer@fd2f51cea8e5f1ef978cd8f90b87b69dc1778976… Let me see what one can do about that …

[LukasReschke]

Ok. autoload_static.php is only loaded when PHP >= 5.6 is used. #23935 adjusts the linter accordingly.

[DeepDiver1975]

@MorrisJobke @LukasReschke @rullzer please review and test once more - basic integration test added - needs further work @SergioBertolinSG

THX

[nickvergessen]

camelCase missing as well

[nickvergessen]

Btw in terms of tracking, would be nice to have a hook for the admin_audit app

[DeepDiver1975]

Btw in terms of tracking, would be nice to have a hook for the admin_audit app

agreed - please open a ticket in core and enterprise so that we can consume it. THX

[PVince81]

Integration tests failing:

06:19:13     /ssd/jenkins/workspace/ocs-api-integration-tests-ci@3/build/integration/features/provisioning-v1.feature:503
06:19:13     /ssd/jenkins/workspace/ocs-api-integration-tests-ci@3/build/integration/features/sharing-v1.feature:700

(log is too big)

[DeepDiver1975]

Oh shit ... I guess I fucked up the rebase .....

[PVince81]

So much bad luck. Now that I was determined to review and test this, LDAP login is broken on this branch and master also... #24409

[PVince81]

• TEST: sync client stops syncing after disabling user (note: sync client shows no error at all, might need additional fixing there @dragotin)
• TEST: disable local user
• TEST: can still share with disabled user
• TEST: can still access received local shares from disabled user
• TEST: can still access received fed shares from disabled user
• TEST: reenable user => sync client resumes without restart
• TEST: delete file as recipient still moves file to disabled user's trashbin
• TEST: edit file as recipient still creates versions for disabled user
• TEST: encryption still works as recipient to disabled user's folder
• TEST: web UI (ajax) reloads page when user disabled with open session
• TEST: logout as disabled user
• TEST: disable LDAP user
• TEST: subadmin enable/disable
• BUG: CSRF mess up:

1. Clear cookies
2. Login as "user1" (when enabled)
3. On the CLI, disable "user1"
4. In the web UI as "user1", click "Log out"
5. Login as "admin" again
   => "CSRF check failed" page.

[DeepDiver1975]

Clear cookies
Login as "user1" (when enabled)
On the CLI, disable "user1"
In the web UI as "user1", click "Log out"
Login as "admin" again => "CSRF check failed" page.

@LukasReschke mind taking a look? THX

[PVince81]

In general to be more RESTful another idea would be to still do a "PUT" on "/cloud/users/{userid}" and set the "enabled" attribute to true or false. (PUT being an "edit" operation)

This also means that the GET operation would return the "enabled" flag as well with the user's properties.

I'm ok with keeping in that way if that's too much to rework.

[PVince81]

I see that GET already returns the flag. So intuitively as an API consumer, I'd be tempted to try and set it the way I described.

However now I see that it says "displayName" in the response but the PUT value is "display" 😞

[DeepDiver1975]

Well - true restful would be to have only one GET to retrieve a json object holding all information and one PUT where we can push a full json object to store the new state.

But the whole provisioning api is not REST - so nothing to worry about - in the scope for v1.

[PVince81]

🙈 agreed

[PVince81]

Looks good from my POV 👍

@DeepDiver1975 did you test this with shib ?

[DeepDiver1975]

@DeepDiver1975 did you test this with shib ?

no - I have currently no working shib test environment at hand - I suggest to merge and test this by QA

[davitol]

Testing with Shib and Autoprovisioning:

Disabling/Enabling a user seems to work fine. But when disabling a shibboleth user and trying to log in with him, the following page is shown. Not sure if it is intended or not:

No logs are written in owncloud.log

Tested using Testshib and autoprovisioning mode

Steps tested:

1. Apply the patch
2. Disable a Shib user
3. Try to log in with this user
4. Enable the same Shib user
5. Log in with this user

[DeepDiver1975]

I guess there is not much more we can do from a core pov. I guess we need to capture this situation and display a page like: you are disabled.

This has to be done in the shibboleth app

[PVince81]

"you are disabled" sounds a bit funny 😄

[davitol]

👍 in that case

[DeepDiver1975]

@davitol please open an issue in the shibboleth repo - THX

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.