Merge pull request #59599 from nextcloud/test/noid/add-proof-for-adding-self-to-other-group

nickvergessen · web-flow · commit e9cd2fc83040 · 2026-04-13T15:14:13.000+02:00
test: Add integration test to confirm a user can not add themselves t…
diff --git a/build/integration/features/provisioning-v1.feature b/build/integration/features/provisioning-v1.feature
@@ -487,11 +487,26 @@ Feature: provisioning
     Given As an "admin"
     And user "brand-new-user" exists
     And group "new-group" exists
+    And group "other-group" exists
     When sending "POST" to "/cloud/users/brand-new-user/subadmins" with
       | groupid | new-group |
     Then the OCS status code should be "100"
     And the HTTP status code should be "200"
 
+    # Ensure self promotion is not possible
+    Given As an "brand-new-user"
+    When sending "POST" to "/cloud/users/brand-new-user/groups" with
+      | groupid | admin |
+    Then the OCS status code should be "104"
+    And the HTTP status code should be "200"
+
+    # Ensure self adding to other groups is not possible
+    Given As an "brand-new-user"
+    When sending "POST" to "/cloud/users/brand-new-user/groups" with
+      | groupid | other-group |
+    Then the OCS status code should be "104"
+    And the HTTP status code should be "200"
+
   Scenario: get users using a subadmin
     Given As an "admin"
     And user "brand-new-user" exists
@@ -793,7 +808,7 @@ Feature: provisioning
     Then the HTTP status code should be "200"
     And user "subadmin" is disabled
 
-  Scenario: Admin user cannot disable himself
+  Scenario: Admin user cannot disable themself
     Given As an "admin"
     And user "another-admin" exists
     And user "another-admin" belongs to group "admin"
@@ -804,7 +819,7 @@ Feature: provisioning
     And As an "admin"
     And user "another-admin" is enabled
 
-  Scenario:Admin user cannot enable himself
+  Scenario: Admin user cannot enable themself
     Given As an "admin"
     And user "another-admin" exists
     And user "another-admin" belongs to group "admin"
@@ -837,7 +852,7 @@ Feature: provisioning
     And As an "admin"
     And user "user2" is disabled
 
-  Scenario: Subadmin should not be able to disable himself
+  Scenario: Subadmin should not be able to disable themself
     Given As an "admin"
     And user "subadmin" exists
     And group "new-group" exists
@@ -850,7 +865,7 @@ Feature: provisioning
     And As an "admin"
     And user "subadmin" is enabled
 
-  Scenario: Subadmin should not be able to enable himself
+  Scenario: Subadmin should not be able to enable themself
     Given As an "admin"
     And user "subadmin" exists
     And group "new-group" exists
