fix(subadmin): strict boolean gate and single-source isEnabled()

DeepDiver1975 · claude · DeepDiver1975 · commit 79644482b9fc · 2026-06-18T16:18:19.000+02:00
Address remaining review feedback on the allow_subadmins gate:

- Tighten the gate to a strict `=== true` check so only the documented
  boolean opt-in enables the feature; string values such as 'false' or
  '0' in a hand-edited config.php now fail closed instead of fail open.
- Make SubAdmin::isEnabled() public and route settings/users.php through
  it, removing the duplicated inline config read so the gate has a single
  source of truth in the OC\SubAdmin manager.
- Document the breaking upgrade behavior in the changelog: existing
  group-admin assignments are ignored until allow_subadmins =&gt; true.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
Signed-off-by: Thomas Müller &lt;1005065+DeepDiver1975@users.noreply.github.com&gt;
diff --git a/changelog/unreleased/41634 b/changelog/unreleased/41634
@@ -4,5 +4,7 @@ Disable the subadmin (group-admin) feature by default behind a new
 allow_subadmins system config, as a security risk-mitigation.
 The feature's code path has known security shortcomings; deployments
 that rely on it can opt back in with 'allow_subadmins' => true in config.php.
+On upgrade, existing group-admin assignments are ignored until an admin
+sets 'allow_subadmins' => true in config.php.
 
 https://github.com/owncloud/core/pull/41634
diff --git a/lib/private/SubAdmin.php b/lib/private/SubAdmin.php
@@ -84,8 +84,8 @@ public function __construct(
 	 *
 	 * @return bool
 	 */
-	private function isEnabled() {
-		return $this->config->getSystemValue('allow_subadmins', false) !== false;
+	public function isEnabled() {
+		return $this->config->getSystemValue('allow_subadmins', false) === true;
 	}
 
 	/**
diff --git a/settings/users.php b/settings/users.php
@@ -72,7 +72,7 @@
 $recoveryAdminEnabled = OC_App::isEnabled('encryption') &&
 						$config->getAppValue('encryption', 'recoveryAdminEnabled', null);
 
-if ($isAdmin && $config->getSystemValue('allow_subadmins', false) !== false) {
+if ($isAdmin && \OC::$server->getGroupManager()->getSubAdmin()->isEnabled()) {
 	$subAdmins = \OC::$server->getGroupManager()->getSubAdmin()->getAllSubAdmins();
 	// New class returns IUser[] so convert back
 	$result = [];

Original file line number	Diff line number	Diff line change
`@@ -84,8 +84,8 @@ public function __construct(`
`84`	`84`	`*`
`85`	`85`	`* @return bool`
`86`	`86`	`*/`
`87`		`- private function isEnabled() {`
`88`		`- return $this->config->getSystemValue('allow_subadmins', false) !== false;`
	`87`	`+ public function isEnabled() {`
	`88`	`+ return $this->config->getSystemValue('allow_subadmins', false) === true;`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`/**`