Merge pull request #3923 from nextcloud/enh/restrict-poll-owner

Add restricted owners

Author: dartcafe

lib/AppInfo/Application.php

@@ -161,13 +161,15 @@ private function registerServices(IRegistrationContext $context): void {
 		$context->registerService(CommentMapper::class, function (ContainerInterface $c): CommentMapper {
 			return new CommentMapper(
 				$c->get(IDBConnection::class),
+				$c->get(UserSession::class),
 			);
 		});
 
 		$context->registerService(VoteMapper::class, function (ContainerInterface $c): VoteMapper {
 			return new VoteMapper(
 				$c->get(IDBConnection::class),
 				$c->get(LoggerInterface::class),
+				$c->get(UserSession::class),
 			);
 		});
 

lib/Controller/PollController.php

@@ -111,6 +111,18 @@ public function update(int $pollId, array $poll): JSONResponse {
 		]);
 	}
 
+	/**
+	 * Lock Anonymous
+	 * @param int $pollId Poll id
+	 */
+	#[NoAdminRequired]
+	#[FrontpageRoute(verb: 'PUT', url: '/poll/{pollId}/lockAnonymous')]
+	public function lockAnonymous(int $pollId): JSONResponse {
+		return $this->response(fn () => [
+			'poll' => $this->pollService->lockAnonymous($pollId),
+		]);
+	}
+
 	/**
 	 * Send confirmation mails
 	 * @param int $pollId Poll id

lib/Controller/PublicController.php

@@ -105,7 +105,7 @@ public function getPoll(): JSONResponse {
 	public function getSession(): JSONResponse {
 		return $this->response(fn () => [
 			'token' => $this->request->getParam('token'),
-			'currentUser' => $this->userSession->getUser(),
+			'currentUser' => $this->userSession->getCurrentUser(),
 			'appPermissions' => $this->appSettings->getPermissionsArray(),
 			'appSettings' => $this->appSettings->getAppSettings(),
 			'share' => $this->userSession->getShare(),

lib/Controller/UserApiController.php

@@ -52,7 +52,7 @@ public function writePreferences(array $preferences): DataResponse {
 	public function getSession(): DataResponse {
 		return $this->response(fn () => [
 			'token' => $this->request->getParam('token'),
-			'currentUser' => $this->userSession->getUser(),
+			'currentUser' => $this->userSession->getCurrentUser(),
 			'appPermissions' => $this->appSettings->getPermissionsArray(),
 			'appSettings' => $this->appSettings->getAppSettings(),
 		]);

lib/Controller/UserController.php

@@ -63,7 +63,7 @@ public function writePreferences(array $preferences): JSONResponse {
 	public function getSession(): JSONResponse {
 		return $this->response(fn () => [
 			'token' => $this->request->getParam('token'),
-			'currentUser' => $this->userSession->getUser(),
+			'currentUser' => $this->userSession->getCurrentUser(),
 			'appPermissions' => $this->appSettings->getPermissionsArray(),
 			'appSettings' => $this->appSettings->getAppSettings(),
 			'preferences' => $this->preferencesService->get(),

lib/Db/CommentMapper.php

@@ -8,6 +8,7 @@
 
 namespace OCA\Polls\Db;
 
+use OCA\Polls\UserSession;
 use OCP\DB\QueryBuilder\IQueryBuilder;
 use OCP\IDBConnection;
 
@@ -18,7 +19,10 @@ class CommentMapper extends QBMapperWithUser {
 	public const TABLE = Comment::TABLE;
 
 	/** @psalm-suppress PossiblyUnusedMethod */
-	public function __construct(IDBConnection $db) {
+	public function __construct(
+		IDBConnection $db,
+		private UserSession $userSession,
+	) {
 		parent::__construct($db, self::TABLE, Comment::class);
 	}
 
@@ -82,13 +86,15 @@ public function purgeDeletedComments(int $offset): void {
 	 * Build the enhanced query with joined tables
 	 */
 	protected function buildQuery(): IQueryBuilder {
+		$currentUserId = $this->userSession->getCurrentUserId();
 		$qb = $this->db->getQueryBuilder();
 
 		$qb->select(self::TABLE . '.*')
 			->from($this->getTableName(), self::TABLE)
 			->groupBy(self::TABLE . '.id');
 
 		$this->joinAnon($qb, self::TABLE);
+		$this->joinShareRole($qb, self::TABLE, $currentUserId);
 		return $qb;
 	}
 }

lib/Db/EntityWithUser.php

@@ -8,10 +8,11 @@
 
 namespace OCA\Polls\Db;
 
-use OCA\Polls\Helper\Container;
+use OCA\Polls\Model\User\Anon;
 use OCA\Polls\Model\UserBase;
 use OCA\Polls\UserSession;
 use OCP\AppFramework\Db\Entity;
+use OCP\Server;
 
 /**
  * @psalm-suppress UnusedProperty
@@ -23,17 +24,15 @@
  * @method string getPollOwnerId()
  * @method string getPollShowResults()
  * @method int getPollExpire()
+ * @method string getShareType()
  */
 
 abstract class EntityWithUser extends Entity {
 	protected int $anonymized = 0;
 	protected string $pollOwnerId = '';
 	protected string $pollShowResults = '';
 	protected int $pollExpire = 0;
-
-	public const ANON_FULL = 'anonymous';
-	public const ANON_PRIVACY = 'privacy';
-	public const ANON_NONE = 'ful_view';
+	protected ?string $shareType = '';
 
 	public function __construct() {
 		// joined Attributes
@@ -42,41 +41,66 @@ public function __construct() {
 	}
 
 	/**
-	 * Anonymized the user completely (ANON_FULL) or just strips out personal information
+	 * Is the current user the owner of the entity
+	 * @return bool
 	 */
-	public function getAnonymizeLevel(): string {
-		$currentUserId = Container::queryClass(UserSession::class)->getCurrentUserId();
-		// Don't censor for poll owner or it is the current user's entity
-		if ($this->getPollOwnerId() === $currentUserId || $this->getIsOwner()) {
-			return self::ANON_NONE;
+	public function getCurrentUserIsEntityUser(): bool {
+		$userSession = Server::get(UserSession::class);
+		return $userSession->getCurrentUserId() === $this->getUserId();
+	}
+
+	private function getEntityAnonymization(): bool {
+		if ($this->getCurrentUserIsEntityUser()) {
+			// if the current user is the owner of the entity, don't anonymize the entity
+			return false;
 		}
 
-		// Anonymize if poll's anonymize setting is true
-		if ((bool)$this->anonymized) {
-			return self::ANON_FULL;
+		if ($this->getAnonymized() < 0) {
+			// the poll is anonymized and locked, anonymize the entity
+			return true;
 		}
 
-		// Anonymize if votes are hidden
+		if ($this->getAnonymized() > 0) {
+			// the poll is anonymized and unlocked
+			$userSession = Server::get(UserSession::class);
+			if ($this->getPollOwnerId() === $userSession->getCurrentUserId()) {
+				// if the current user is the poll owner, don't anonymize the entity
+				return false;
+			}
+			if ($this->getShareType() === Share::TYPE_ADMIN) {
+				// if the current user is a delegated admin, don't anonymize the entity
+				return false;
+			}
+			// if the current user is not the poll owner, anonymize the entity
+			return true;
+		}
+
+		// the poll is not anonymized
 		if ($this->getPollShowResults() === Poll::SHOW_RESULTS_NEVER
-			|| ($this->getPollShowResults() === Poll::SHOW_RESULTS_CLOSED && (
-				!$this->getPollExpire() || $this->getPollExpire() > time()
-			))
-		) {
-			return self::ANON_FULL;
+			|| ($this->getPollShowResults() === Poll::SHOW_RESULTS_CLOSED
+				&& !$this->getPollExpire() > time())) {
+
+			// Do not anonymize the poll owner
+			return !($this instanceof Poll);
 		}
 
-		return self::ANON_PRIVACY;
+		// in all other cases, don't anonymize the entity
+		return false;
 	}
 
-	public function getIsOwner(): bool {
-		return Container::queryClass(UserSession::class)->getCurrentUserId() === $this->getUserId();
-	}
 
+	/**
+	 * @return UserBase Gets owner of the entity
+	 */
 	public function getUser(): UserBase {
-		/** @var UserMapper */
-		$userMapper = (Container::queryClass(UserMapper::class));
+		if ($this->getEntityAnonymization()) {
+			$user = new Anon($this->getUserId());
+			return $user;
+		}
+
+		$userMapper = (Server::get(UserMapper::class));
+
 		$user = $userMapper->getParticipant($this->getUserId(), $this->getPollId());
-		$user->setAnonymizeLevel($this->getAnonymizeLevel());
 		return $user;
 	}
 }

lib/Db/Option.php

@@ -117,7 +117,7 @@ public function jsonSerialize(): array {
 			'duration' => $this->getDuration(),
 			'locked' => $this->getIsLocked(),
 			'hash' => $this->getPollOptionHash(),
-			'isOwner' => $this->getIsOwner(),
+			'isOwner' => $this->getCurrentUserIsEntityUser(),
 			'votes' => $this->getVotes(),
 			'owner' => $this->getOwnerUser(),
 		];

lib/Db/OptionMapper.php

@@ -173,6 +173,7 @@ protected function buildQuery(bool $hideResults = false): IQueryBuilder {
 		$this->joinCurrentUserVote($qb, self::TABLE, $currentUserId);
 		$this->joinCurrentUserVoteCount($qb, self::TABLE, $currentUserId);
 		$this->joinAnon($qb, self::TABLE);
+		$this->joinShareRole($qb, self::TABLE, $currentUserId);
 
 
 		return $qb;