nextcloud · backportbot · Mar 16, 2026 · Mar 30, 2026 · Mar 30, 2026 · Sep 28, 2025
@@ -6,25 +6,27 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-
-$this->create('files_external_oauth2', 'apps/files_external/ajax/oauth2.php')
-	->actionInclude('files_external/ajax/oauth2.php');
-
-$this->create('files_external_list_applicable', '/apps/files_external/applicable')
-	->actionInclude('files_external/ajax/applicable.php');
-
 return [
 	'resources' => [
 		'global_storages' => ['url' => '/globalstorages'],
 		'user_storages' => ['url' => '/userstorages'],
 		'user_global_storages' => ['url' => '/userglobalstorages'],
 	],
 	'routes' => [
+		[
+			'name' => 'Ajax#getApplicableEntities',
+			'url' => '/ajax/applicable',
+			'verb' => 'GET',
+		],
+		[
+			'name' => 'Ajax#oauth2Callback',
+			'url' => '/ajax/oauth2.php',
+			'verb' => 'GET',
+		],
 		[
 			'name' => 'Ajax#getSshKeys',
 			'url' => '/ajax/public_key.php',
 			'verb' => 'POST',
-			'requirements' => [],
 		],
 		[
 			'name' => 'Ajax#saveGlobalCredentials',

@@ -7,16 +7,20 @@
  */
 namespace OCA\Files_External\Controller;
 
+use OC\Settings\AuthorizedGroupMapper;
 use OCA\Files_External\Lib\Auth\Password\GlobalAuth;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
+use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IGroupManager;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\IUserManager;
 use OCP\IUserSession;
 
 class AjaxController extends Controller {
@@ -35,11 +39,47 @@ public function __construct(
 		private GlobalAuth $globalAuth,
 		private IUserSession $userSession,
 		private IGroupManager $groupManager,
+		private IUserManager $userManager,
 		private IL10N $l10n,
+		private AuthorizedGroupMapper $authorizedGroupMapper,
 	) {
 		parent::__construct($appName, $request);
 	}
 
+
+	/**
+	 * Legacy endpoint for oauth2 callback
+	 */
+	#[NoAdminRequired()]
+	public function oauth2Callback(): JSONResponse {
+		return new JSONResponse(['status' => 'success']);
+	}
+
+	/**
+	 * Returns a list of users and groups that match the given pattern.
+	 * Used for user and group picker in the admin settings.
+	 *
+	 * @param string $pattern The search pattern
+	 * @param int|null $limit The maximum number of results to return
+	 * @param int|null $offset The offset from which to start returning results
+	 * @return JSONResponse
+	 */
+	#[AuthorizedAdminSetting(settings: Admin::class)]
+	public function getApplicableEntities(string $pattern = '', ?int $limit = null, ?int $offset = null): JSONResponse {
+		$groups = [];
+		foreach ($this->groupManager->search($pattern, $limit, $offset) as $group) {
+			$groups[$group->getGID()] = $group->getDisplayName();
+		}
+
+		$users = [];
+		foreach ($this->userManager->searchDisplayName($pattern, $limit, $offset) as $user) {
+			$users[$user->getUID()] = $user->getDisplayName();
+		}
+
+		$results = ['groups' => $groups, 'users' => $users];
+		return new JSONResponse($results);
+	}
+
 	/**
 	 * @param int $keyLength
 	 * @return array
@@ -87,9 +127,10 @@ public function saveGlobalCredentials($uid, $user, $password): JSONResponse {
 		}
 
 		// Non-admins can only edit their own credentials
-		// Admin can edit global credentials
+		// Admin or delegated admin can edit global credentials
 		$allowedToEdit = $uid === ''
 			? $this->groupManager->isAdmin($currentUser->getUID())
+				|| in_array(Admin::class, $this->authorizedGroupMapper->findAllClassesForUser($currentUser), true)
 			: $currentUser->getUID() === $uid;
 
 		if ($allowedToEdit) {

@@ -9,7 +9,9 @@
 
 use OCA\Files_External\NotFoundException;
 use OCA\Files_External\Service\GlobalStoragesService;
+use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\IConfig;
@@ -71,6 +73,7 @@ public function __construct(
 	 *
 	 * @return DataResponse
 	 */
+	#[AuthorizedAdminSetting(settings: Admin::class)]
 	#[PasswordConfirmationRequired(strict: true)]
 	public function create(
 		$mountPoint,
@@ -136,6 +139,7 @@ public function create(
 	 *
 	 * @return DataResponse
 	 */
+	#[AuthorizedAdminSetting(settings: Admin::class)]
 	#[PasswordConfirmationRequired(strict: true)]
 	public function update(
 		$id,
@@ -186,4 +190,20 @@ public function update(
 			Http::STATUS_OK
 		);
 	}
+
+	#[AuthorizedAdminSetting(settings: Admin::class)]
+	public function index() {
+		return parent::index();
+	}
+
+	#[AuthorizedAdminSetting(settings: Admin::class)]
+	public function show(int $id, $testOnly = true) {
+		return parent::show($id, $testOnly);
+	}
+
+	#[AuthorizedAdminSetting(settings: Admin::class)]
+	#[PasswordConfirmationRequired(strict: true)]
+	public function destroy(int $id) {
+		return parent::destroy($id);
+	}
 }
@@ -12,15 +12,16 @@
 use OCA\Files_External\Service\GlobalStoragesService;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\Encryption\IManager;
-use OCP\Settings\ISettings;
-
-class Admin implements ISettings {
+use OCP\IL10N;
+use OCP\Settings\IDelegatedSettings;
 
+class Admin implements IDelegatedSettings {
 	public function __construct(
 		private IManager $encryptionManager,
 		private GlobalStoragesService $globalStoragesService,
 		private BackendService $backendService,
 		private GlobalAuth $globalAuth,
+		private IL10N $l10n,
 	) {
 	}
 
@@ -60,4 +61,12 @@ public function getSection() {
 	public function getPriority() {
 		return 40;
 	}
+
+	public function getName(): string {
+		return $this->l10n->t('External storage');
+	}
+
+	public function getAuthorizedAppConfig(): array {
+		return [];
+	}
 }
@@ -120,7 +120,7 @@ function initApplicableUsersMultiselect($elements, userListLimit) {
 		dropdownCssClass: 'files-external-select2',
 		// minimumInputLength: 1,
 		ajax: {
-			url: OC.generateUrl('apps/files_external/applicable'),
+			url: OC.generateUrl('apps/files_external/ajax/applicable'),
 			dataType: 'json',
 			quietMillis: 100,
 			data(term, page) { // page is the one-based page number tracked by Select2
@@ -131,26 +131,21 @@ function initApplicableUsersMultiselect($elements, userListLimit) {
 				}
 			},
 			results(data) {
-				if (data.status === 'success') {
-
-					const results = []
-					let userCount = 0 // users is an object
+				const results = []
+				let userCount = 0 // users is an object
 
-					// add groups
-					$.each(data.groups, function(gid, group) {
-						results.push({ name: gid + '(group)', displayname: group, type: 'group' })
-					})
-					// add users
-					$.each(data.users, function(id, user) {
-						userCount++
-						results.push({ name: id, displayname: user, type: 'user' })
-					})
+				// add groups
+				$.each(data.groups, function(gid, group) {
+					results.push({ name: gid + '(group)', displayname: group, type: 'group' })
+				})
+				// add users
+				$.each(data.users, function(id, user) {
+					userCount++
+					results.push({ name: id, displayname: user, type: 'user' })
+				})
 
-					const more = (userCount >= userListLimit) || (data.groups.length >= userListLimit)
-					return { results, more }
-				} else {
-					// FIXME add error handling
-				}
+				const more = (userCount >= userListLimit) || (data.groups.length >= userListLimit)
+				return { results, more }
 			},
 		},
 		initSelection(element, callback) {