fix(provisioning_api): Correct limit for editUser

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

apps/provisioning_api/lib/Controller/UsersController.php

@@ -894,7 +894,7 @@ class UsersController extends AUserDataOCSController {
 	 */
 	#[PasswordConfirmationRequired]
 	#[NoAdminRequired]
-	#[UserRateLimit(limit: 50, period: 60)]
+	#[UserRateLimit(limit: 50, period: 600)]
 	public function editUser(string $userId, string $key, string $value): DataResponse {
 		$currentLoggedInUser = $this->userSession->getUser();
 

apps/settings/lib/Controller/UsersController.php

@@ -32,6 +32,7 @@ use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\TemplateResponse;
@@ -314,6 +315,7 @@ class UsersController extends Controller {
 	 */
 	#[NoAdminRequired]
 	#[PasswordConfirmationRequired]
+	#[UserRateLimit(limit: 5, period: 60)]
 	public function setUserSettings(?string $avatarScope = null,
 		?string $displayname = null,
 		?string $displaynameScope = null,

build/integration/features/bootstrap/BasicStructure.php

@@ -121,7 +121,11 @@ trait BasicStructure {
 	 * @return string
 	 */
 	public function getOCSResponse($response) {
-		return simplexml_load_string($response->getBody())->meta[0]->statuscode;
+		$body = simplexml_load_string((string)$response->getBody());
+		if ($body === false) {
+			throw new \RuntimeException('Could not parse OCS response, body is not valid XML');
+		}
+		return $body->meta[0]->statuscode;
 	}
 
 	/**

build/integration/features/bootstrap/FeatureContext.php

@@ -13,9 +13,16 @@ require __DIR__ . '/../../vendor/autoload.php';
  * Features context.
  */
 class FeatureContext implements Context, SnippetAcceptingContext {
+	use AppConfiguration;
 	use ContactsMenu;
 	use ExternalStorage;
 	use Search;
 	use WebDav;
 	use Trashbin;
+
+	protected function resetAppConfigs(): void {
+		$this->deleteServerConfig('bruteForce', 'whitelist_0');
+		$this->deleteServerConfig('bruteForce', 'whitelist_1');
+		$this->deleteServerConfig('bruteforcesettings', 'apply_allowlist_to_ratelimit');
+	}
 }

build/integration/features/provisioning-v1.feature

@@ -4,6 +4,9 @@
 Feature: provisioning
   Background:
     Given using api version "1"
+    Given parameter "whitelist_0" of app "bruteForce" is set to "127.0.0.1"
+    Given parameter "whitelist_1" of app "bruteForce" is set to "::1"
+    Given parameter "apply_allowlist_to_ratelimit" of app "bruteforcesettings" is set to "true"
 
   Scenario: Getting an not existing user
     Given As an "admin"
@@ -604,6 +607,7 @@ Feature: provisioning
       | settings |
       | sharebymail |
       | systemtags |
+      | testing |
       | theming |
       | twofactor_backupcodes |
       | updatenotification |
@@ -629,6 +633,7 @@ Feature: provisioning
     And the HTTP status code should be "200"
 
   Scenario: enable an app
+    Given invoking occ with "app:disable testing"
     Given As an "admin"
     And app "testing" is disabled
     When sending "POST" to "/cloud/apps/testing"
@@ -643,12 +648,14 @@ Feature: provisioning
     And the HTTP status code should be "200"
 
   Scenario: disable an app
+    Given invoking occ with "app:enable testing"
     Given As an "admin"
     And app "testing" is enabled
     When sending "DELETE" to "/cloud/apps/testing"
     Then the OCS status code should be "100"
     And the HTTP status code should be "200"
     And app "testing" is disabled
+    Given invoking occ with "app:enable testing"
 
   Scenario: disable an user
     Given As an "admin"