Merge pull request #49514 from nextcloud/feat/restrict-tag-creation

apps/dav/lib/SystemTag/SystemTagPlugin.php

@@ -18,6 +18,7 @@
 use OCP\SystemTag\ISystemTagManager;
 use OCP\SystemTag\ISystemTagObjectMapper;
 use OCP\SystemTag\TagAlreadyExistsException;
+use OCP\SystemTag\TagCreationForbiddenException;
 use OCP\Util;
 use Sabre\DAV\Exception\BadRequest;
 use Sabre\DAV\Exception\Conflict;
@@ -189,6 +190,8 @@ private function createTag($data, $contentType = 'application/json') {
 			return $tag;
 		} catch (TagAlreadyExistsException $e) {
 			throw new Conflict('Tag already exists', 0, $e);
+		} catch (TagCreationForbiddenException $e) {
+			throw new Forbidden('You don’t have right to create tags', 0, $e);
 		}
 	}
 
@@ -376,7 +379,7 @@ public function handleUpdateProperties($path, PropPatch $propPatch) {
 		if (!$node instanceof SystemTagNode && !$node instanceof SystemTagObjectType) {
 			return;
 		}
-		
+
 		$propPatch->handle([self::OBJECTIDS_PROPERTYNAME], function ($props) use ($node) {
 			if (!$node instanceof SystemTagObjectType) {
 				return false;
@@ -394,7 +397,7 @@ public function handleUpdateProperties($path, PropPatch $propPatch) {
 				if (count($objectTypes) !== 1 || $objectTypes[0] !== $node->getName()) {
 					throw new BadRequest('Invalid object-ids property. All object types must be of the same type: ' . $node->getName());
 				}
-				
+
 				$this->tagMapper->setObjectIdsForTag($node->getSystemTag()->getId(), $node->getName(), array_keys($objects));
 			}
 

apps/settings/lib/Settings/Admin/Server.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
  * SPDX-License-Identifier: AGPL-3.0-or-later
@@ -53,6 +54,9 @@ public function getForm() {
 		$this->initialStateService->provideInitialState('profileEnabledGlobally', $this->profileManager->isProfileEnabled());
 		$this->initialStateService->provideInitialState('profileEnabledByDefault', $this->isProfileEnabledByDefault($this->config));
 
+		// Basic settings
+		$this->initialStateService->provideInitialState('restrictSystemTagsCreationToAdmin', $this->appConfig->getValueString('systemtags', 'restrict_creation_to_admin', 'true'));
+
 		return new TemplateResponse('settings', 'settings/admin/server', [
 			'profileEnabledGlobally' => $this->profileManager->isProfileEnabled(),
 		], '');

apps/settings/tests/Settings/Admin/ServerTest.php

@@ -84,8 +84,7 @@ public function testGetForm(): void {
 		$this->appConfig
 			->expects($this->any())
 			->method('getValueString')
-			->with('core', 'backgroundjobs_mode', 'ajax')
-			->willReturn('ajax');
+			->willReturnCallback(fn ($a, $b, $default) => $default);
 		$this->profileManager
 			->expects($this->exactly(2))
 			->method('isProfileEnabled')

apps/systemtags/src/components/SystemTagForm.vue

@@ -9,9 +9,9 @@
 		aria-labelledby="system-tag-form-heading"
 		@submit.prevent="handleSubmit"
 		@reset="reset">
-		<h3 id="system-tag-form-heading">
+		<h4 id="system-tag-form-heading">
 			{{ t('systemtags', 'Create or edit tags') }}
-		</h3>
+		</h4>
 
 		<div class="system-tag-form__group">
 			<label for="system-tags-input">{{ t('systemtags', 'Search for a tag to edit') }}</label>

apps/systemtags/src/components/SystemTags.vue

@@ -51,6 +51,8 @@ import {
 	setTagForFile,
 } from '../services/files.js'
 
+import { loadState } from '@nextcloud/initial-state'
+
 import type { Tag, TagWithId } from '../types.js'
 
 export default Vue.extend({
@@ -188,6 +190,10 @@ export default Vue.extend({
 				this.sortedTags.unshift(createdTag)
 				this.selectedTags.push(createdTag)
 			} catch (error) {
+				if(loadState('settings', 'restrictSystemTagsCreationToAdmin', '0') === '1') {
+					showError(t('systemtags', 'System admin disabled tag creation. You can only use existing ones.'))
+					return
+				}
 				showError(t('systemtags', 'Failed to create tag'))
 			}
 			this.loading = false

apps/systemtags/src/components/SystemTagsCreationControl.vue

@@ -0,0 +1,78 @@
+<!--
+  - SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+  - SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+<template>
+	<div id="system-tags-creation-control">
+		<h4 class="inlineblock">
+			{{ t('settings', 'System tag creation') }}
+		</h4>
+
+		<p class="settings-hint">
+			{{ t('settings', 'If enabled, regular accounts will be restricted from creating new tags but will still be able to assign and remove them from their files.') }}
+		</p>
+
+		<NcCheckboxRadioSwitch type="switch"
+			:checked.sync="systemTagsCreationRestrictedToAdmin"
+			@update:checked="updateSystemTagsDefault">
+			{{ t('settings', 'Restrict tag creation to admins only') }}
+		</NcCheckboxRadioSwitch>
+	</div>
+</template>
+
+<script lang="ts">
+import { loadState } from '@nextcloud/initial-state'
+import { showError, showSuccess } from '@nextcloud/dialogs'
+import { t } from '@nextcloud/l10n'
+import logger from '../logger.ts'
+import { updateSystemTagsAdminRestriction } from '../services/api.js'
+
+import NcCheckboxRadioSwitch from '@nextcloud/vue/dist/Components/NcCheckboxRadioSwitch.js'
+
+export default {
+	name: 'SystemTagsCreationControl',
+
+	components: {
+		NcCheckboxRadioSwitch,
+	},
+
+	data() {
+		return {
+			// By default, system tags creation is not restricted to admins
+			systemTagsCreationRestrictedToAdmin: loadState('settings', 'restrictSystemTagsCreationToAdmin', '0') === '1',
+		}
+	},
+	methods: {
+		t,
+		async updateSystemTagsDefault(isRestricted: boolean) {
+			try {
+				const responseData = await updateSystemTagsAdminRestriction(isRestricted)
+				console.debug('updateSystemTagsDefault', responseData)
+				this.handleResponse({
+					isRestricted,
+					status: responseData.ocs?.meta?.status,
+				})
+			} catch (e) {
+				this.handleResponse({
+					errorMessage: t('settings', 'Unable to update setting'),
+					error: e,
+				})
+			}
+		},
+
+		handleResponse({ isRestricted, status, errorMessage, error }) {
+			if (status === 'ok') {
+				this.systemTagsCreationRestrictedToAdmin = isRestricted
+				showSuccess(t('settings', `System tag creation is now ${isRestricted ? 'restricted to administrators' : 'allowed for everybody'}`))
+				return
+			}
+
+			if (errorMessage) {
+				showError(errorMessage)
+				logger.error(errorMessage, error)
+			}
+		},
+	},
+}
+</script>

apps/systemtags/src/files_actions/bulkSystemTagsAction.ts

@@ -9,6 +9,8 @@ import { FileAction } from '@nextcloud/files'
 import { isPublicShare } from '@nextcloud/sharing/public'
 import { spawnDialog } from '@nextcloud/dialogs'
 import { t } from '@nextcloud/l10n'
+import { getCurrentUser } from '@nextcloud/auth'
+import { loadState } from '@nextcloud/initial-state'
 
 import TagMultipleSvg from '@mdi/svg/svg/tag-multiple.svg?raw'
 
@@ -34,6 +36,11 @@ export const action = new FileAction({
 
 	// If the app is disabled, the action is not available anyway
 	enabled(nodes) {
+		// By default, everyone can create system tags
+		if (loadState('settings', 'restrictSystemTagsCreationToAdmin', '0') === '1' && getCurrentUser()?.isAdmin !== true) {
+			return false
+		}
+
 		if (isPublicShare()) {
 			return false
 		}

apps/systemtags/src/services/api.ts

@@ -7,13 +7,14 @@ import type { FileStat, ResponseDataDetailed, WebDAVClientError } from 'webdav'
 import type { ServerTag, Tag, TagWithId } from '../types.js'
 
 import axios from '@nextcloud/axios'
-import { generateUrl } from '@nextcloud/router'
+import { generateUrl, generateOcsUrl } from '@nextcloud/router'
 import { t } from '@nextcloud/l10n'
 
 import { davClient } from './davClient.js'
 import { formatTag, parseIdFromLocation, parseTags } from '../utils'
 import logger from '../logger.ts'
 import { emit } from '@nextcloud/event-bus'
+import { confirmPassword } from '@nextcloud/password-confirmation'
 
 export const fetchTagsPayload = `<?xml version="1.0"?>
 <d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns">
@@ -203,3 +204,25 @@ export const setTagObjects = async function(tag: TagWithId, type: string, object
 		},
 	})
 }
+
+type OcsResponse = {
+	ocs: NonNullable<unknown>,
+}
+
+export const updateSystemTagsAdminRestriction = async (isAllowed: boolean): Promise<OcsResponse> => {
+	// Convert to string for compatibility
+	const isAllowedString = isAllowed ? '1' : '0'
+
+	const url = generateOcsUrl('/apps/provisioning_api/api/v1/config/apps/{appId}/{key}', {
+		appId: 'systemtags',
+		key: 'restrict_creation_to_admin',
+	})
+
+	await confirmPassword()
+
+	const res = await axios.post(url, {
+		value: isAllowedString,
+	})
+
+	return res.data
+}

apps/systemtags/src/views/SystemTagsSection.vue

@@ -6,10 +6,10 @@
 <template>
 	<NcSettingsSection :name="t('systemtags', 'Collaborative tags')"
 		:description="t('systemtags', 'Collaborative tags are available for all users. Restricted tags are visible to users but cannot be assigned by them. Invisible tags are for internal use, since users cannot see or assign them.')">
+		<SystemTagsCreationControl />
 		<NcLoadingIcon v-if="loadingTags"
 			:name="t('systemtags', 'Loading collaborative tags …')"
 			:size="32" />
-
 		<SystemTagForm v-else
 			:tags="tags"
 			@tag:created="handleCreate"
@@ -29,6 +29,7 @@ import { translate as t } from '@nextcloud/l10n'
 import { showError } from '@nextcloud/dialogs'
 
 import SystemTagForm from '../components/SystemTagForm.vue'
+import SystemTagsCreationControl from '../components/SystemTagsCreationControl.vue'
 
 import { fetchTags } from '../services/api.js'
 
@@ -41,6 +42,7 @@ export default Vue.extend({
 		NcLoadingIcon,
 		NcSettingsSection,
 		SystemTagForm,
+		SystemTagsCreationControl,
 	},
 
 	data() {

dist/5531-5531.js.license

@@ -79,12 +79,18 @@ This file is generated from multiple sources. Included packages:
 - @nextcloud/event-bus
 	- version: 3.3.1
 	- license: GPL-3.0-or-later
+- @nextcloud/initial-state
+	- version: 2.2.0
+	- license: GPL-3.0-or-later
 - @nextcloud/l10n
 	- version: 3.1.0
 	- license: GPL-3.0-or-later
 - @nextcloud/logger
 	- version: 3.0.2
 	- license: GPL-3.0-or-later
+- @nextcloud/password-confirmation
+	- version: 5.3.1
+	- license: MIT
 - @nextcloud/router
 	- version: 3.0.1
 	- license: GPL-3.0-or-later

dist/files-sidebar.js.license

@@ -12,6 +12,7 @@ SPDX-FileCopyrightText: jden <[email protected]>
 SPDX-FileCopyrightText: inherits developers
 SPDX-FileCopyrightText: escape-html developers
 SPDX-FileCopyrightText: defunctzombie
+SPDX-FileCopyrightText: debounce developers
 SPDX-FileCopyrightText: atomiks
 SPDX-FileCopyrightText: Varun A P
 SPDX-FileCopyrightText: Tobias Koppers @sokra
@@ -114,6 +115,9 @@ This file is generated from multiple sources. Included packages:
 - @nextcloud/logger
 	- version: 3.0.2
 	- license: GPL-3.0-or-later
+- @nextcloud/password-confirmation
+	- version: 5.3.1
+	- license: MIT
 - @nextcloud/paths
 	- version: 2.2.1
 	- license: GPL-3.0-or-later
@@ -183,6 +187,9 @@ This file is generated from multiple sources. Included packages:
 - css-loader
 	- version: 7.1.2
 	- license: MIT
+- debounce
+	- version: 2.2.0
+	- license: MIT
 - define-data-property
 	- version: 1.1.4
 	- license: MIT