fix(ban): Don't allow banning in one-to-one conversations and fix banning IP ranges

lib/Controller/BanController.php

@@ -40,7 +40,7 @@ public function __construct(
 	 * @param 'users'|'guests'|'ip' $actorType Type of actor to ban, or `ip` when banning a clients remote address
 	 * @param string $actorId Actor ID or the IP address or range in case of type `ip`
 	 * @param string $internalNote Optional internal note (max. 4000 characters)
-	 * @return DataResponse<Http::STATUS_OK, TalkBan, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'bannedActor'|'internalNote'|'moderator'|'self'}, array{}>
+	 * @return DataResponse<Http::STATUS_OK, TalkBan, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'bannedActor'|'internalNote'|'moderator'|'self'|'room'}, array{}>
 	 *
 	 * 200: Ban successfully
 	 * 400: Actor information is invalid

lib/Service/BanService.php

@@ -44,6 +44,10 @@ public function __construct(
 	 * @throws \InvalidArgumentException
 	 */
 	public function createBan(Room $room, string $moderatorActorType, string $moderatorActorId, string $moderatorDisplayname, string $bannedActorType, string $bannedActorId, DateTime $bannedTime, string $internalNote): Ban {
+		if (!in_array($room->getType(), [Room::TYPE_GROUP, Room::TYPE_PUBLIC], true)) {
+			throw new \InvalidArgumentException('room');
+		}
+
 		if (!in_array($bannedActorType, ['users', 'guests', 'ip'], true)) {
 			throw new \InvalidArgumentException('bannedActor');
 		}
@@ -58,9 +62,9 @@ public function createBan(Room $room, string $moderatorActorType, string $modera
 			} catch (\InvalidArgumentException) {
 				// Not an IP, check if it's a range
 				try {
-					$this->ipFactory->addressFromString($bannedActorId);
+					$this->ipFactory->rangeFromString($bannedActorId);
 				} catch (\InvalidArgumentException) {
-					// Not an IP, see if it's a range
+					// Not an IP range either
 					throw new \InvalidArgumentException('bannedActor');
 				}
 			}

openapi-full.json

@@ -2177,7 +2177,8 @@
                                                                 "bannedActor",
                                                                 "internalNote",
                                                                 "moderator",
-                                                                "self"
+                                                                "self",
+                                                                "room"
                                                             ]
                                                         }
                                                     }

openapi.json

@@ -2064,7 +2064,8 @@
                                                                 "bannedActor",
                                                                 "internalNote",
                                                                 "moderator",
-                                                                "self"
+                                                                "self",
+                                                                "room"
                                                             ]
                                                         }
                                                     }

src/types/openapi/openapi-full.ts

@@ -2507,7 +2507,7 @@ export interface operations {
                             meta: components["schemas"]["OCSMeta"];
                             data: {
                                 /** @enum {string} */
-                                error: "bannedActor" | "internalNote" | "moderator" | "self";
+                                error: "bannedActor" | "internalNote" | "moderator" | "self" | "room";
                             };
                         };
                     };

src/types/openapi/openapi.ts

@@ -1988,7 +1988,7 @@ export interface operations {
                             meta: components["schemas"]["OCSMeta"];
                             data: {
                                 /** @enum {string} */
-                                error: "bannedActor" | "internalNote" | "moderator" | "self";
+                                error: "bannedActor" | "internalNote" | "moderator" | "self" | "room";
                             };
                         };
                     };

tests/integration/features/bootstrap/FeatureContext.php

@@ -1547,16 +1547,9 @@ public function userRemovesAttendeeFromRoom(string $user, string $actorType, str
 	}
 
 	/**
-	 * @When /^user "([^"]*)" bans (user|group|email|remote|guest) "([^"]*)" from room "([^"]*)" with (\d+) \((v1)\)$/
-	 *
-	 * @param string $user
-	 * @param string $actorType
-	 * @param string $actorId
-	 * @param string $identifier
-	 * @param int $statusCode
-	 * @param string $apiVersion
+	 * @When /^user "([^"]*)" bans ([^ ]*) "([^"]*)" from room "([^"]*)" with (\d+) \((v1)\)$/
 	 */
-	public function userBansUserFromRoom(string $user, string $actorType, string $actorId, string $identifier, int $statusCode, string $apiVersion = 'v1', TableNode $internalNote): void {
+	public function userBansUserFromRoom(string $user, string $actorType, string $actorId, string $identifier, int $statusCode, string $apiVersion = 'v1', ?TableNode $internalNote = null): void {
 		if ($actorType === 'guest') {
 			$actorId = self::$sessionNameToActorId[$actorId];
 		} elseif ($actorId === 'stranger') {
@@ -1568,7 +1561,9 @@ public function userBansUserFromRoom(string $user, string $actorType, string $ac
 			}
 		}
 
-		$actorType .= 's';
+		if ($actorType !== 'ip') {
+			$actorType .= 's';
+		}
 
 		$this->setCurrentUser($user);
 		$body = [
@@ -1588,13 +1583,18 @@ public function userBansUserFromRoom(string $user, string $actorType, string $ac
 			'POST', '/apps/spreed/api/' . $apiVersion . '/ban/' . self::$identifierToToken[$identifier], $body
 		);
 
-		$this->assertStatusCode($this->response, $statusCode);
+		$data = $this->getDataFromResponse($this->response);
+		$this->assertStatusCode($this->response, $statusCode, print_r($data, true));
 
 		if ($statusCode === 200) {
-			$data = $this->getDataFromResponse($this->response);
 			self::$userToBanId[self::$identifierToToken[$identifier]] ??= [];
 			self::$userToBanId[self::$identifierToToken[$identifier]][$actorType] ??= [];
 			self::$userToBanId[self::$identifierToToken[$identifier]][$actorType][$actorId] = $data['id'];
+		} elseif ($internalNote !== null) {
+			$internalNoteData = $internalNote->getRowsHash();
+			if (isset($internalNoteData['error'])) {
+				Assert::assertSame($internalNoteData['error'], $data['error']);
+			}
 		}
 	}
 

tests/integration/features/conversation-1/ban.feature

@@ -72,6 +72,7 @@ Feature: conversation/ban
         And user "participant1" joins room "room" with 200 (v4)
         And user "participant1" bans user "participant1" from room "room" with 400 (v1)
             | internalNote | BannedP1 |
+            | error | self |
 
     Scenario: Moderator trying to ban moderator
         Given user "participant1" creates room "room" (v4)
@@ -83,6 +84,7 @@ Feature: conversation/ban
         And user "participant1" promotes "participant2" in room "room" with 200 (v4)
         And user "participant1" bans user "participant2" from room "room" with 400 (v1)
             | internalNote | BannedP2 |
+            | error | moderator |
         And user "participant1" demotes "participant2" in room "room" with 200 (v4)
         And user "participant1" bans user "participant2" from room "room" with 200 (v1)
             | internalNote | BannedP2 |
@@ -179,3 +181,42 @@ Feature: conversation/ban
       | actorType  | actorId                     |
       | users      | participant1                |
       | groups     | group1                      |
+
+  Scenario: Can not ban in one-to-one conversations
+    Given user "participant1" creates room "one-to-one room" (v4)
+      | roomType | 1 |
+      | invite   | participant2 |
+    And user "participant1" bans user "participant2" from room "one-to-one room" with 400 (v1)
+      | error | room |
+
+  Scenario: Invalid banned actor type
+    Given user "participant1" creates room "room" (v4)
+      | roomType | 3 |
+      | roomName | room |
+    And user "participant1" bans range "participant2" from room "room" with 400 (v1)
+      | error | bannedActor |
+
+  Scenario: Invalid IP address
+    Given user "participant1" creates room "room" (v4)
+      | roomType | 3 |
+      | roomName | room |
+    And user "participant1" bans ip "participant2" from room "room" with 400 (v1)
+      | error | bannedActor |
+
+  Scenario: Invalid IP address range
+    Given user "participant1" creates room "room" (v4)
+      | roomType | 3 |
+      | roomName | room |
+    And user "participant1" bans ip "127.0.0.1/64" from room "room" with 400 (v1)
+      | error | bannedActor |
+
+  Scenario: Test valid IP bans
+    Given user "participant1" creates room "room" (v4)
+      | roomType | 3 |
+      | roomName | room |
+    And user "participant1" bans ip "127.0.0.1" from room "room" with 200 (v1)
+    And user "participant1" bans ip "127.0.0.1/24" from room "room" with 200 (v1)
+    And user "participant1" bans ip "127.0.0.1/32" from room "room" with 200 (v1)
+    And user "participant1" bans ip "::1" from room "room" with 200 (v1)
+    And user "participant1" bans ip "::1/32" from room "room" with 200 (v1)
+    And user "participant1" bans ip "::1/64" from room "room" with 200 (v1)