feat: restrict policy workbench group targets to manageable scope

- Filter group targets by manageable_policy_group_ids for group-admin users
- Remove redundant comment from AdminController footer template save method
- Add unit tests for group-admin group filtering and probe access shortcut
- Ensures group-admins only see groups they manage when adding policy rules

Signed-off-by: Vitor Mattos <[email protected]>

Author: vitormattos

lib/Controller/AdminController.php

@@ -878,7 +878,6 @@ public function getFooterTemplate(): DataResponse {
 	public function saveFooterTemplate(string $template = '', int $width = 595, int $height = 50) {
 		try {
 			$this->footerService->saveTemplate($template);
-			// Template was already persisted above; avoid a second save that can revert policy flags.
 			$pdf = $this->footerService->renderPreviewPdf('', $width, $height);
 
 			return new DataDownloadResponse($pdf, 'footer-preview.pdf', 'application/pdf');

src/tests/views/Settings/PolicyWorkbench/useRealPolicyWorkbench.spec.ts

@@ -14,14 +14,21 @@ const { currentUserState } = vi.hoisted(() => ({
 	},
 }))
 
+const { configState } = vi.hoisted(() => ({
+	configState: {
+		can_manage_group_policies: true,
+		manageable_policy_group_ids: [] as string[],
+	},
+}))
+
 vi.mock('@nextcloud/auth', () => ({
 	getCurrentUser: vi.fn(() => currentUserState),
 }))
 
 vi.mock('@nextcloud/initial-state', () => ({
 	loadState: vi.fn((_app, key: string, defaultValue: unknown) => {
 		if (key === 'config') {
-			return { can_manage_group_policies: true }
+			return configState
 		}
 
 		return defaultValue
@@ -75,6 +82,8 @@ import { createRealPolicyWorkbenchState } from '../../../../views/Settings/Polic
 describe('useRealPolicyWorkbench', () => {
 	beforeEach(() => {
 		currentUserState.isAdmin = true
+		configState.can_manage_group_policies = true
+		configState.manageable_policy_group_ids = []
 		axiosGet.mockReset()
 		saveSystemPolicy.mockReset()
 		saveGroupPolicy.mockReset()
@@ -458,6 +467,33 @@ describe('useRealPolicyWorkbench', () => {
 		])
 	})
 
+	it('filters group targets to manageable_policy_group_ids for group-admin', async () => {
+		currentUserState.isAdmin = false
+		configState.manageable_policy_group_ids = ['legal']
+
+		const state = createRealPolicyWorkbenchState()
+		state.openSetting('signature_flow')
+		state.startEditor({ scope: 'group' })
+
+		await Promise.resolve()
+		await Promise.resolve()
+
+		expect(state.availableTargets).toEqual([
+			{ id: 'legal', displayName: 'legal', isNoUser: true },
+		])
+	})
+
+	it('probeGroupAccess uses manageable_policy_group_ids shortcut for group-admin', async () => {
+		currentUserState.isAdmin = false
+		configState.manageable_policy_group_ids = ['legal']
+
+		const state = createRealPolicyWorkbenchState()
+		await state.probeGroupAccess()
+
+		expect(state.canManageGroups).toBe(true)
+		expect(axiosGet).not.toHaveBeenCalledWith('cloud/groups', expect.anything())
+	})
+
 	it('probeGroupAccess sets canManageGroups to true when groups are returned', async () => {
 		currentUserState.isAdmin = false
 

src/views/Settings/PolicyWorkbench/useRealPolicyWorkbench.ts

@@ -152,7 +152,12 @@ export function createRealPolicyWorkbenchState() {
 	const policiesStore = usePoliciesStore()
 	const currentUser = getCurrentUser()
 	const isInstanceAdmin = currentUser?.isAdmin === true
-	const config = loadState<{ can_manage_group_policies?: boolean }>('libresign', 'config', {})
+	const config = loadState<{ can_manage_group_policies?: boolean, manageable_policy_group_ids?: string[] }>('libresign', 'config', {})
+	const manageablePolicyGroupIds = new Set(
+		Array.isArray(config.manageable_policy_group_ids)
+			? config.manageable_policy_group_ids.filter((groupId): groupId is string => typeof groupId === 'string' && groupId.trim().length > 0)
+			: [],
+	)
 	const initialViewMode: 'system-admin' | 'group-admin' = currentUser?.isAdmin
 		? 'system-admin'
 		: config.can_manage_group_policies
@@ -179,6 +184,14 @@ export function createRealPolicyWorkbenchState() {
 	const draftTouchVersion = ref(0)
 	const editorInitialTouchVersion = ref(0)
 
+	function filterManageableGroupTargets(targets: PolicyTargetOption[]): PolicyTargetOption[] {
+		if (isInstanceAdmin || manageablePolicyGroupIds.size === 0) {
+			return targets
+		}
+
+		return targets.filter((target) => manageablePolicyGroupIds.has(target.id))
+	}
+
 	const visibleSettingSummaries = computed<PolicySettingSummary[]>(() => {
 		const isGroupAdminMode = viewMode.value === 'group-admin'
 
@@ -624,7 +637,7 @@ export function createRealPolicyWorkbenchState() {
 				},
 			})
 
-			return (data.ocs?.data?.groups ?? [])
+			return filterManageableGroupTargets((data.ocs?.data?.groups ?? [])
 				.map((group) => ({
 					id: group.id,
 					displayName: group.displayname || group.id,
@@ -633,7 +646,7 @@ export function createRealPolicyWorkbenchState() {
 						: undefined,
 					isNoUser: true,
 				}))
-				.sort((left, right) => left.displayName.localeCompare(right.displayName))
+				.sort((left, right) => left.displayName.localeCompare(right.displayName)))
 		}
 
 		const { data } = await axios.get<GroupListResponse>(generateOcsUrl('cloud/groups'), {
@@ -644,13 +657,13 @@ export function createRealPolicyWorkbenchState() {
 			},
 		})
 
-		return (data.ocs?.data?.groups ?? [])
+		return filterManageableGroupTargets((data.ocs?.data?.groups ?? [])
 			.map((groupId) => ({
 				id: groupId,
 				displayName: groupId,
 				isNoUser: true,
 			}))
-			.sort((left, right) => left.displayName.localeCompare(right.displayName))
+			.sort((left, right) => left.displayName.localeCompare(right.displayName)))
 	}
 
 	async function fetchUsers(query = '', limit = 20, offset = 0): Promise<PolicyTargetOption[]> {
@@ -743,6 +756,11 @@ export function createRealPolicyWorkbenchState() {
 			return
 		}
 
+		if (manageablePolicyGroupIds.size > 0) {
+			canManageGroups.value = true
+			return
+		}
+
 		try {
 			const result = await fetchGroups('', 1, 0)
 			canManageGroups.value = result.length > 0