fix(contacts): Do not expose SAB in /contactsmenu

When hitting the `/contactsmenu/contacts` endpoint with the `dav.system_addressbook_exposed` config switch set to `"no"`, the system address book content is still listed in the response.

This ensure that we do not expose unexpectedly the system address book.

Signed-off-by: Louis Chmn <louis@chmn.me>

Author: artonge

apps/dav/lib/CardDAV/ContactsManager.php

@@ -9,6 +9,7 @@
 
 use OCA\DAV\Db\PropertyMapper;
 use OCP\Contacts\IManager;
+use OCP\IAppConfig;
 use OCP\IL10N;
 use OCP\IURLGenerator;
 
@@ -23,6 +24,7 @@ public function __construct(
 		private CardDavBackend $backend,
 		private IL10N $l10n,
 		private PropertyMapper $propertyMapper,
+		private IAppConfig $appConfig,
 	) {
 	}
 
@@ -43,6 +45,11 @@ public function setupContactsProvider(IManager $cm, $userId, IURLGenerator $urlG
 	 * @param IURLGenerator $urlGenerator
 	 */
 	public function setupSystemContactsProvider(IManager $cm, ?string $userId, IURLGenerator $urlGenerator) {
+		$systemAddressBookExposed = $this->appConfig->getValueBool('dav', 'system_addressbook_exposed', true);
+		if (!$systemAddressBookExposed) {
+			return;
+		}
+
 		$addressBooks = $this->backend->getAddressBooksForUser('principals/system/system');
 		$this->register($cm, $addressBooks, $urlGenerator, $userId);
 	}

apps/dav/tests/unit/CardDAV/ContactsManagerTest.php

@@ -11,6 +11,7 @@
 use OCA\DAV\CardDAV\ContactsManager;
 use OCA\DAV\Db\PropertyMapper;
 use OCP\Contacts\IManager;
+use OCP\IAppConfig;
 use OCP\IL10N;
 use OCP\IURLGenerator;
 use Test\TestCase;
@@ -19,17 +20,21 @@ class ContactsManagerTest extends TestCase {
 	public function test(): void {
 		/** @var IManager | \PHPUnit\Framework\MockObject\MockObject $cm */
 		$cm = $this->getMockBuilder(IManager::class)->disableOriginalConstructor()->getMock();
-		$cm->expects($this->exactly(2))->method('registerAddressBook');
+		$cm->expects($this->exactly(1))->method('registerAddressBook');
+		/** @var IURLGenerator&MockObject $urlGenerator */
 		$urlGenerator = $this->getMockBuilder(IURLGenerator::class)->disableOriginalConstructor()->getMock();
 		/** @var CardDavBackend | \PHPUnit\Framework\MockObject\MockObject $backEnd */
 		$backEnd = $this->getMockBuilder(CardDavBackend::class)->disableOriginalConstructor()->getMock();
 		$backEnd->method('getAddressBooksForUser')->willReturn([
 			['{DAV:}displayname' => 'Test address book', 'uri' => 'default'],
 		]);
 		$propertyMapper = $this->createMock(PropertyMapper::class);
+		/** @var IAppConfig&MockObject $appConfig */
+		$appConfig = $this->createMock(IAppConfig::class);
 
+		/** @var IL10N&MockObject $l */
 		$l = $this->createMock(IL10N::class);
-		$app = new ContactsManager($backEnd, $l, $propertyMapper);
+		$app = new ContactsManager($backEnd, $l, $propertyMapper, $appConfig);
 		$app->setupContactsProvider($cm, 'user01', $urlGenerator);
 	}
 }

build/integration/features/contacts-menu.feature

@@ -194,3 +194,19 @@ Feature: contacts-menu
     And searching for contacts matching with "test"
     # Disabled because it regularly fails on drone:
     # Then the list of searched contacts has "0" contacts
+
+  Scenario: users cannot list other users from the system address book
+    Given user "user0" exists
+    And user "user1" exists
+    And invoking occ with "config:app:set dav system_addressbook_exposed --value false"
+    And Logging in using web as "user1"
+    And searching for contacts matching with ""
+    Then the list of searched contacts has "1" contacts
+    And invoking occ with "config:app:delete dav system_addressbook_exposed"
+
+  Scenario: users can list other users from the system address book
+    Given user "user0" exists
+    And user "user1" exists
+    And Logging in using web as "user1"
+    And searching for contacts matching with ""
+    Then the list of searched contacts has "2" contacts