From 0caa81c70023f1e9557c4b6769a9ff200df17a19 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 5 Jan 2024 13:58:01 +0100 Subject: API: move create/delete user calls to usermanager This only moves the calls. A proper refactoring of the user manager would make sense: 1) introduce a helper component covering the basic operations including proper error signalling using Exceptions 2) refactor admin and cli components to make use of 1) 3) make the operations in 1) available via the API --- lib/plugins/usermanager/remote.php | 102 +++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 lib/plugins/usermanager/remote.php (limited to 'lib')
diff --git a/lib/plugins/usermanager/remote.php b/lib/plugins/usermanager/remote.php
new file mode 100644
index 000000000..5db4a54f9
--- /dev/null
+++ b/lib/plugins/usermanager/remote.php
@@ -0,0 +1,102 @@
+
+ */
+class remote_plugin_usermanager extends RemotePlugin
+{
+
+ /**
+ * Create a new user
+ *
+ * If no password is provided, a password is auto generated. If the user can't be created
+ * by the auth backend a return value of `false` is returned. You need to check this return
+ * value rather than relying on the error code only.
+ *
+ * Superuser permission are required to create users.
+ *
+ * @param string $user The user's login name
+ * @param string $name The user's full name
+ * @param string $mail The user's email address
+ * @param string[] $groups The groups the user should be in
+ * @param string $password The user's password, empty for autogeneration
+ * @param bool $notify Whether to send a notification email to the user
+ * @return bool Wether the user was successfully created
+ * @throws AccessDeniedException
+ * @throws RemoteException
+ * @todo handle error messages from auth backend
+ */
+ public function createUser($user, $name, $mail, $groups, $password = '', $notify = false)
+ {
+ if (!auth_isadmin()) {
+ throw new AccessDeniedException('Only admins are allowed to create users', 114);
+ }
+
+ /** @var AuthPlugin $auth */
+ global $auth;
+
+ if (!$auth->canDo('addUser')) {
+ throw new AccessDeniedException(
+ sprintf('Authentication backend %s can\'t do addUser', $auth->getPluginName()),
+ 114
+ );
+ }
+
+ $user = trim($auth->cleanUser($user));
+ $name = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $name));
+ $mail = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $mail));
+
+ if ($user === '') throw new RemoteException('empty or invalid user', 401);
+ if ($name === '') throw new RemoteException('empty or invalid user name', 402);
+ if (!mail_isvalid($mail)) throw new RemoteException('empty or invalid mail address', 403);
+
+ if ((string)$password === '') {
+ try {
+ $password = auth_pwgen($user);
+ } catch (\Exception $e) {
+ throw new RemoteException('Could not generate password', 404); // FIXME adjust code
+ }
+ }
+
+ if (!is_array($groups) || $groups === []) {
+ $groups = null;
+ }
+
+ $ok = (bool)$auth->triggerUserMod('create', [$user, $password, $name, $mail, $groups]);
+
+ if ($ok && $notify) {
+ auth_sendPassword($user, $password);
+ }
+
+ return $ok;
+ }
+
+
+ /**
+ * Remove a user
+ *
+ * You need to be a superuser to delete users.
+ *
+ * @param string[] $user The login name of the user to delete
+ * @return bool wether the user was successfully deleted
+ * @throws AccessDeniedException
+ * @todo handle error messages from auth backend
+ */
+ public function deleteUser($user)
+ {
+ if (!auth_isadmin()) {
+ throw new AccessDeniedException('Only admins are allowed to delete users', 114);
+ }
+ /** @var AuthPlugin $auth */
+ global $auth;
+ return (bool)$auth->triggerUserMod('delete', [[$user]]);
+ }
+}
-- cgit v1.2.3
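Review bot: deleteUser() is guarded only by auth_isadmin(): unlike createUser() earlier in this hunk, it never asks the backend `canDo('delUser')` and does not validate `$user`, so a backend without delete support or an empty or non-string argument yields a bare `false` instead of the 114/401 errors the create path raises. The docblock also declares `@param string[] $user` while the body wraps a single login as `[[$user]]`; if the API layer derives argument types from the docblock this would presumably end up as a nested array, so `@param string $user` looks intended, and the checks sketched below would need a `@throws RemoteException` line. It is also worth deciding explicitly whether an admin may delete the account the call is authenticated as, since nothing visible here prevents it, and whether this destructive call should leave an audit trail.

```php
public function deleteUser($user)
{
    // … unchanged: auth_isadmin() check and `global $auth` …

    if (!$auth->canDo('delUser')) {
        throw new AccessDeniedException(
            sprintf('Authentication backend %s can\'t do delUser', $auth->getPluginName()),
            114
        );
    }

    // reject anything that is not a single, non-empty login name
    if (!is_string($user) || trim($user) === '') {
        throw new RemoteException('empty or invalid user', 401);
    }

    return (bool)$auth->triggerUserMod('delete', [[$user]]);
}
```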