Merge pull request #12780 from owncloud/fix/admin-settings-direct-access

LukasHirt · web-flow · commit 62579fa80725 · 2025-07-03T10:18:12.000+02:00
fix(web-app-admin-settings): [OCISDEV-138] handle direct admin settings access
diff --git a/changelog/unreleased/bugfix-handle-direct-admin-settings-access.md b/changelog/unreleased/bugfix-handle-direct-admin-settings-access.md
@@ -0,0 +1,7 @@
+Bugfix: Handle direct admin settings access
+
+Opening the admin settings directly by pasting the URL in the browser address bar or opening the app in a new tab now works correctly.
+The redirect was not correctly using the navigation guard leading to a mismatch in users permissions.
+We now redirect to the first available route and leave the route itself to handle the permissions navigation guard.
+
+https://github.com/owncloud/web/pull/12780
diff --git a/packages/web-app-admin-settings/src/index.ts b/packages/web-app-admin-settings/src/index.ts
@@ -22,23 +22,31 @@ function $gettext(msg: string) {
 
 const appId = 'admin-settings'
 
+function getAvailableRoute(ability: Ability) {
+  if (ability.can('read-all', 'Setting')) {
+    return { name: 'admin-settings-general' }
+  }
+
+  if (ability.can('read-all', 'Account')) {
+    return { name: 'admin-settings-users' }
+  }
+
+  if (ability.can('read-all', 'Group')) {
+    return { name: 'admin-settings-groups' }
+  }
+
+  if (ability.can('read-all', 'Drive')) {
+    return { name: 'admin-settings-spaces' }
+  }
+
+  throw Error('Insufficient permissions')
+}
+
 export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] => [
   {
     path: '/',
     redirect: () => {
-      if ($ability.can('read-all', 'Setting')) {
-        return { name: 'admin-settings-general' }
-      }
-      if ($ability.can('read-all', 'Account')) {
-        return { name: 'admin-settings-users' }
-      }
-      if ($ability.can('read-all', 'Group')) {
-        return { name: 'admin-settings-groups' }
-      }
-      if ($ability.can('read-all', 'Drive')) {
-        return { name: 'admin-settings-spaces' }
-      }
-      throw Error('Insufficient permissions')
+      return { name: 'admin-settings-general' }
     }
   },
   {
@@ -47,7 +55,7 @@ export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] =>
     component: General,
     beforeEnter: (to, from, next) => {
       if (!$ability.can('read-all', 'Setting')) {
-        next({ path: '/' })
+        return next(getAvailableRoute($ability))
       }
       next()
     },
@@ -62,7 +70,7 @@ export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] =>
     component: Users,
     beforeEnter: (to, from, next) => {
       if (!$ability.can('read-all', 'Account')) {
-        next({ path: '/' })
+        return next(getAvailableRoute($ability))
       }
       next()
     },
@@ -77,7 +85,7 @@ export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] =>
     component: Groups,
     beforeEnter: (to, from, next) => {
       if (!$ability.can('read-all', 'Group')) {
-        next({ path: '/' })
+        return next(getAvailableRoute($ability))
       }
       next()
     },
@@ -92,7 +100,7 @@ export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] =>
     component: Spaces,
     beforeEnter: (to, from, next) => {
       if (!$ability.can('read-all', 'Drive')) {
-        next({ path: '/' })
+        return next(getAvailableRoute($ability))
       }
       next()
     },
diff --git a/packages/web-app-admin-settings/tests/unit/index.spec.ts b/packages/web-app-admin-settings/tests/unit/index.spec.ts
@@ -45,85 +45,103 @@ describe('admin settings index', () => {
   })
   describe('routes', () => {
     describe('default-route "/"', () => {
-      it('should redirect to general if permission given', () => {
+      it('should redirect to general', () => {
         const ability = mock<Ability>()
         ability.can.mockReturnValueOnce(true)
         const route = routes({ $ability: ability }).find((n) => n.path === '/')
         expect((route.redirect as any)().name).toEqual('admin-settings-general')
       })
-      it('should redirect to user management if permission given', () => {
-        const ability = mock<Ability>()
-        ability.can.mockReturnValueOnce(false)
-        ability.can.mockReturnValueOnce(true)
-        const route = routes({ $ability: ability }).find((n) => n.path === '/')
-        expect((route.redirect as any)().name).toEqual('admin-settings-users')
-      })
-      it('should redirect to group management if permission given', () => {
-        const ability = mock<Ability>()
-        ability.can.mockReturnValueOnce(false)
-        ability.can.mockReturnValueOnce(false)
-        ability.can.mockReturnValueOnce(true)
-        const route = routes({ $ability: ability }).find((n) => n.path === '/')
-        expect((route.redirect as any)().name).toEqual('admin-settings-groups')
-      })
-      it('should redirect to space management if permission given', () => {
-        const ability = mock<Ability>()
-        ability.can.mockReturnValueOnce(false)
-        ability.can.mockReturnValueOnce(false)
-        ability.can.mockReturnValueOnce(false)
-        ability.can.mockReturnValueOnce(true)
-        const route = routes({ $ability: ability }).find((n) => n.path === '/')
-        expect((route.redirect as any)().name).toEqual('admin-settings-spaces')
-      })
-      it('should throw an error if permissions are insufficient', () => {
-        const ability = mock<Ability>()
-        ability.can.mockReturnValue(false)
-        expect(routes({ $ability: ability }).find((n) => n.path === '/').redirect).toThrow()
-      })
     })
     it.each([
-      { can: true, redirect: null },
-      { can: false, redirect: { path: '/' } }
+      { can: vi.fn(() => true), redirect: null },
+      {
+        can: vi.fn((_, subject) => {
+          if (subject === 'Group') {
+            return true
+          }
+
+          return false
+        }),
+        redirect: { name: 'admin-settings-groups' }
+      }
     ])('redirects "/general" with sufficient permissions', ({ can, redirect }) => {
-      const ability = mock<Ability>({ can: vi.fn(() => can) })
+      const ability = mock<Ability>({ can })
       const route = routes({ $ability: ability }).find((n) => n.path === '/general')
       const nextMock = vi.fn()
       ;(route.beforeEnter as any)({}, {}, nextMock)
       const args = [...(redirect ? [redirect] : [])]
       expect(nextMock).toHaveBeenCalledWith(...args)
     })
     it.each([
-      { can: true, redirect: null },
-      { can: false, redirect: { path: '/' } }
+      { can: vi.fn(() => true), redirect: null },
+      {
+        can: vi.fn((_, subject) => {
+          if (subject === 'Drive') {
+            return true
+          }
+
+          return false
+        }),
+        redirect: { name: 'admin-settings-spaces' }
+      }
     ])('redirects "/users" with sufficient permissions', ({ can, redirect }) => {
-      const ability = mock<Ability>({ can: vi.fn(() => can) })
+      const ability = mock<Ability>({ can })
       const route = routes({ $ability: ability }).find((n) => n.path === '/users')
       const nextMock = vi.fn()
       ;(route.beforeEnter as any)({}, {}, nextMock)
       const args = [...(redirect ? [redirect] : [])]
       expect(nextMock).toHaveBeenCalledWith(...args)
     })
     it.each([
-      { can: true, redirect: null },
-      { can: false, redirect: { path: '/' } }
+      { can: vi.fn(() => true), redirect: null },
+      {
+        can: vi.fn((_, subject) => {
+          if (subject === 'Setting') {
+            return true
+          }
+
+          return false
+        }),
+        redirect: { name: 'admin-settings-general' }
+      }
     ])('redirects "/groups" with sufficient permissions', ({ can, redirect }) => {
-      const ability = mock<Ability>({ can: vi.fn(() => can) })
+      const ability = mock<Ability>({ can })
       const route = routes({ $ability: ability }).find((n) => n.path === '/groups')
       const nextMock = vi.fn()
       ;(route.beforeEnter as any)({}, {}, nextMock)
       const args = [...(redirect ? [redirect] : [])]
       expect(nextMock).toHaveBeenCalledWith(...args)
     })
     it.each([
-      { can: true, redirect: null },
-      { can: false, redirect: { path: '/' } }
+      { can: vi.fn(() => true), redirect: null },
+      {
+        can: vi.fn((_, subject) => {
+          if (subject === 'Account') {
+            return true
+          }
+
+          return false
+        }),
+        redirect: { name: 'admin-settings-users' }
+      }
     ])('redirects "/spaces" with sufficient permissions', ({ can, redirect }) => {
-      const ability = mock<Ability>({ can: vi.fn(() => can) })
+      const ability = mock<Ability>({ can })
       const route = routes({ $ability: ability }).find((n) => n.path === '/spaces')
       const nextMock = vi.fn()
       ;(route.beforeEnter as any)({}, {}, nextMock)
       const args = [...(redirect ? [redirect] : [])]
       expect(nextMock).toHaveBeenCalledWith(...args)
     })
+    it.each(['/general', '/users', '/groups', '/spaces'])(
+      'should throw an error if permissions are insufficient',
+      (path) => {
+        const ability = mock<Ability>({ can: vi.fn(() => false) })
+        const route = routes({ $ability: ability }).find((n) => n.path === path)
+        const nextMock = vi.fn()
+        expect(() => {
+          ;(route.beforeEnter as any)({}, {}, nextMock)
+        }).toThrowError('Insufficient permissions')
+      }
+    )
   })
 })
