fix(provisioning_api): Correct limit for editUser

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2026-06-09 08:44:07 -04:00 · 2025-02-05 23:46:28 +01:00 · 2025-02-05 23:46:28 +01:00 · 422655bf1e
commit 422655bf1e
parent 96384cd950
5 changed files with 29 additions and 9 deletions
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@ -889,7 +889,7 @@ class UsersController extends AUserData {
 	 */
 	#[PasswordConfirmationRequired]
 	#[NoAdminRequired]
-	#[UserRateLimit(limit: 50, period: 60)]
+	#[UserRateLimit(limit: 50, period: 600)]
 	public function editUser(string $userId, string $key, string $value): DataResponse {
 		$currentLoggedInUser = $this->userSession->getUser();

--- a/apps/settings/lib/Controller/UsersController.php
+++ b/apps/settings/lib/Controller/UsersController.php
@ -31,6 +31,7 @@ use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\TemplateResponse;
@ -312,6 +313,7 @@ class UsersController extends Controller {
 	 */
 	#[NoAdminRequired]
 	#[PasswordConfirmationRequired]
+	#[UserRateLimit(limit: 5, period: 60)]
 	public function setUserSettings(?string $avatarScope = null,
 		?string $displayname = null,
 		?string $displaynameScope = null,
--- a/build/integration/features/bootstrap/BasicStructure.php
+++ b/build/integration/features/bootstrap/BasicStructure.php
@ -120,7 +120,11 @@ trait BasicStructure {
 	 * @return string
 	 */
 	public function getOCSResponse($response) {
-		return simplexml_load_string($response->getBody())->meta[0]->statuscode;
+		$body = simplexml_load_string((string)$response->getBody());
+		if ($body === false) {
+			throw new \RuntimeException('Could not parse OCS response, body is not valid XML');
+		}
+		return $body->meta[0]->statuscode;
 	}

 	/**
--- a/build/integration/features/bootstrap/FeatureContext.php
+++ b/build/integration/features/bootstrap/FeatureContext.php
@ -13,9 +13,16 @@ require __DIR__ . '/../../vendor/autoload.php';
 * Features context.
 */
 class FeatureContext implements Context, SnippetAcceptingContext {
+	use AppConfiguration;
 	use ContactsMenu;
 	use ExternalStorage;
 	use Search;
 	use WebDav;
 	use Trashbin;
+
+	protected function resetAppConfigs(): void {
+		$this->deleteServerConfig('bruteForce', 'whitelist_0');
+		$this->deleteServerConfig('bruteForce', 'whitelist_1');
+		$this->deleteServerConfig('bruteforcesettings', 'apply_allowlist_to_ratelimit');
+	}
 }
--- a/build/integration/features/provisioning-v1.feature
+++ b/build/integration/features/provisioning-v1.feature
@ -4,6 +4,9 @@
 Feature: provisioning
 	Background:
 		Given using api version "1"
+		Given parameter "whitelist_0" of app "bruteForce" is set to "127.0.0.1"
+		Given parameter "whitelist_1" of app "bruteForce" is set to "::1"
+		Given parameter "apply_allowlist_to_ratelimit" of app "bruteforcesettings" is set to "true"

 	Scenario: Getting an not existing user
 		Given As an "admin"
@ -570,7 +573,7 @@ Feature: provisioning
 		And group "new-group" does not exist

 	Scenario: Delete a group with special characters
-	    Given As an "admin"
+		Given As an "admin"
 		And group "España" exists
 		When sending "DELETE" to "/cloud/groups/España"
 		Then the OCS status code should be "100"
@ -600,6 +603,7 @@ Feature: provisioning
 			| settings |
 			| sharebymail |
 			| systemtags |
+			| testing |
 			| theming |
 			| twofactor_backupcodes |
 			| updatenotification |
@ -625,6 +629,7 @@ Feature: provisioning
 		And the HTTP status code should be "200"

 	Scenario: enable an app
+		Given invoking occ with "app:disable testing"
 		Given As an "admin"
 		And app "testing" is disabled
 		When sending "POST" to "/cloud/apps/testing"
@ -638,13 +643,15 @@ Feature: provisioning
 		Then the OCS status code should be "998"
 		And the HTTP status code should be "200"

-	Scenario: disable an app
-		Given As an "admin"
-		And app "testing" is enabled
-		When sending "DELETE" to "/cloud/apps/testing"
-		Then the OCS status code should be "100"
-		And the HTTP status code should be "200"
+  Scenario: disable an app
+    Given invoking occ with "app:enable testing"
+    Given As an "admin"
+    And app "testing" is enabled
+    When sending "DELETE" to "/cloud/apps/testing"
+    Then the OCS status code should be "100"
+    And the HTTP status code should be "200"
 		And app "testing" is disabled
+		Given invoking occ with "app:enable testing"

 	Scenario: disable an user
 		Given As an "admin"