nextcloud: accept users only part of the admin group

This commit is contained in:
ibizaman 2026-01-12 09:21:32 +01:00
parent eb56116868
commit 14e672076c
3 changed files with 12 additions and 18 deletions

View file

@ -498,7 +498,12 @@ in
adminGroup = lib.mkOption {
type = lib.types.str;
description = "Group admins must belong to to be able to login to Nextcloud.";
description = ''
Group admins must belong to to be able to login to Nextcloud.
This option is purposely not inside the LDAP app because only SSO allows
distinguising between users and admins.
'';
default = "nextcloud_admin";
};
@ -1167,7 +1172,10 @@ in
groups = "groups";
is_admin = "is_nextcloud_admin";
};
oidc_login_allowed_groups = [ cfg.apps.ldap.userGroup ];
oidc_login_allowed_groups = [
cfg.apps.ldap.userGroup
cfg.apps.sso.adminGroup
];
oidc_login_default_group = "oidc";
oidc_login_use_external_storage = false;
oidc_login_scope = lib.concatStringsSep " " scopes;

View file

@ -11,8 +11,10 @@ It is based on the nixpkgs Nextcloud server and provides opinionated defaults.
to configure those with the UI.
- [LDAP](#services-nextcloudserver-usage-ldap) app:
enables app and sets up integration with an existing LDAP server, in this case LLDAP.
Note that the LDAP app cannot distinguish between normal users and admin users.
- [SSO](#services-nextcloudserver-usage-oidc) app:
enables app and sets up integration with an existing SSO server, in this case Authelia.
The SSO app can distinguish between normal users and admin users.
- [Preview Generator](#services-nextcloudserver-usage-previewgenerator) app:
enables app and sets up required cron job.
- [External Storage](#services-nextcloudserver-usage-externalstorage) app:

View file

@ -212,22 +212,6 @@ let
"expect(page.get_by_text('Wrong login or password')).to_be_visible()"
];
}
{
username = "bob";
password = "BobPassword";
nextPageExpect = [
"expect(page.get_by_text('Wrong login or password')).not_to_be_visible()"
"expect(page.get_by_role('button', name=re.compile('[Ll]og [Ii]n'))).not_to_be_visible()"
"expect(page).to_have_title(re.compile('Dashboard'))"
];
}
{
username = "bob";
password = "NotBobPassword";
nextPageExpect = [
"expect(page.get_by_text('Wrong login or password')).to_be_visible()"
];
}
];
};
};