fix: Bypass RBAC and multitenancy checks in CLI context by rubenvdlinde · Pull Request #978 · ConductionNL/openregister

rubenvdlinde · 2026-03-24T09:43:22Z

Summary

Fixes RBAC permission checks that block app configuration imports when running from CLI (occ commands, repair steps, cron jobs)
In CLI context, there is no user session or active organisation, so hasRbacPermission() returned false for both checks
Now detects \OC::$CLI === true and allows access for these trusted system operations

Fixes #973

Test plan

Run docker exec nextcloud php occ maintenance:repair with Pipelinq installed — schemas should load without "Access denied" errors
Run docker exec nextcloud php occ app:disable pipelinq && docker exec nextcloud php occ app:enable pipelinq — same result
Verify web UI RBAC is unaffected (non-CLI context still enforces permissions)
Run Pipelinq Playwright CI — tests should pass now that schemas load

When running from CLI (occ commands, repair steps, cron jobs), there is no user session or active organisation. The RBAC check in hasRbacPermission() returned false in both cases, blocking app configuration imports via repair steps. Now checks OC::$CLI and allows access when running from the command line, since these are trusted system operations. Fixes #973

github-actions · 2026-03-24T09:45:35Z

Quality Report


Repository	ConductionNL/openregister
Commit	`29d84f3`
Branch	978/merge
Event	pull_request
Generated	2026-03-24 09:45 UTC
Workflow Run	https://github.com/ConductionNL/openregister/actions/runs/23482955037

Summary

Group	Result
PHP Quality	FAIL
Vue Quality	PASS
Security	PASS
License	PASS
PHPUnit	SKIP
Newman	SKIP
Playwright	SKIP

PHP Quality

Tool	Result
lint	PASS
phpcs	FAIL
phpmd	PASS
psalm	PASS
phpstan	PASS
phpmetrics	PASS

Vue Quality

Tool	Result
eslint	PASS
stylelint	PASS

Security

Ecosystem	Result
composer	PASS
npm	PASS

License Compliance

Ecosystem	Result
composer	PASS
npm	PASS

composer dependencies (147 total)

Metric	Count
Approved (allowlist)	146
Approved (override)	1
Denied	0

npm dependencies (586 total)

Metric	Count
Approved (allowlist)	585
Approved (override)	1
Denied	0

PHPUnit Tests

PHPUnit tests were not enabled for this run.

Integration Tests (Newman)

Newman integration tests were not enabled for this run.

E2E Tests (Playwright)

Playwright E2E tests were not enabled for this run.

Generated automatically by the Quality workflow.

Download the full PDF report from the workflow artifacts.

rjzondervan · 2026-03-24T09:56:15Z

lib/Db/MultiTenancyTrait.php

        $activeOrg = $this->organisationService->getActiveOrganisation();
        if ($activeOrg === null) {
+            // CLI context — no active organisation is expected. Allow access.
+            if (\OC::$CLI === true) {


Just a small check: Is there no other way of accessing this information? Looking at the trends in deprecation by Nextcloud they seem not too happy about the \OC::$something accessors

Good catch! PHP_SAPI === 'cli' is a pure PHP constant — no Nextcloud dependency at all, future-proof. Let me update the fix.

\OC::$CLI is a legacy Nextcloud accessor that may be deprecated. PHP_SAPI === 'cli' is a pure PHP constant with no framework dependency, making it future-proof.

github-actions · 2026-03-24T10:03:58Z

Quality Report


Repository	ConductionNL/openregister
Commit	`3acf5c0`
Branch	978/merge
Event	pull_request
Generated	2026-03-24 10:03 UTC
Workflow Run	https://github.com/ConductionNL/openregister/actions/runs/23483695167

Summary

Group	Result
PHP Quality	FAIL
Vue Quality	PASS
Security	PASS
License	PASS
PHPUnit	SKIP
Newman	SKIP
Playwright	SKIP

PHP Quality

Tool	Result
lint	PASS
phpcs	FAIL
phpmd	PASS
psalm	PASS
phpstan	PASS
phpmetrics	PASS

Vue Quality

Tool	Result
eslint	PASS
stylelint	PASS

Security

Ecosystem	Result
composer	PASS
npm	PASS

License Compliance

Ecosystem	Result
composer	PASS
npm	PASS

composer dependencies (147 total)

Metric	Count
Approved (allowlist)	146
Approved (override)	1
Denied	0

npm dependencies (586 total)

Metric	Count
Approved (allowlist)	585
Approved (override)	1
Denied	0

PHPUnit Tests

PHPUnit tests were not enabled for this run.

Integration Tests (Newman)

Newman integration tests were not enabled for this run.

E2E Tests (Playwright)

Playwright E2E tests were not enabled for this run.

Generated automatically by the Quality workflow.

Download the full PDF report from the workflow artifacts.

github-actions · 2026-03-25T12:44:33Z

Quality Report


Repository	ConductionNL/openregister
Commit	`8620abe`
Branch	978/merge
Event	pull_request
Generated	2026-03-25 12:44 UTC
Workflow Run	https://github.com/ConductionNL/openregister/actions/runs/23541525372

Summary

Group	Result
PHP Quality	PASS
Vue Quality	PASS
Security	PASS
License	PASS
PHPUnit	SKIP
Newman	SKIP
Playwright	SKIP

PHP Quality

Tool	Result
lint	PASS
phpcs	PASS
phpmd	PASS
psalm	PASS
phpstan	PASS
phpmetrics	PASS

Vue Quality

Tool	Result
eslint	PASS
stylelint	PASS

Security

Ecosystem	Result
composer	PASS
npm	PASS

License Compliance

Ecosystem	Result
composer	PASS
npm	PASS

composer dependencies (147 total)

Metric	Count
Approved (allowlist)	146
Approved (override)	1
Denied	0

npm dependencies (595 total)

Metric	Count
Approved (allowlist)	592
Approved (override)	3
Denied	0

PHPUnit Tests

PHPUnit tests were not enabled for this run.

Integration Tests (Newman)

Newman integration tests were not enabled for this run.

E2E Tests (Playwright)

Playwright E2E tests were not enabled for this run.

Generated automatically by the Quality workflow.

Download the full PDF report from the workflow artifacts.

github-actions · 2026-03-25T15:52:29Z

Quality Report


Repository	ConductionNL/openregister
Commit	`ec6fb03`
Branch	978/merge
Event	pull_request
Generated	2026-03-25 15:52 UTC
Workflow Run	https://github.com/ConductionNL/openregister/actions/runs/23550288430

Summary

Group	Result
PHP Quality	PASS
Vue Quality	PASS
Security	PASS
License	PASS
PHPUnit	SKIP
Newman	SKIP
Playwright	SKIP

PHP Quality

Tool	Result
lint	PASS
phpcs	PASS
phpmd	PASS
psalm	PASS
phpstan	PASS
phpmetrics	PASS

Vue Quality

Tool	Result
eslint	PASS
stylelint	PASS

Security

Ecosystem	Result
composer	PASS
npm	PASS

License Compliance

Ecosystem	Result
composer	PASS
npm	PASS

composer dependencies (147 total)

Metric	Count
Approved (allowlist)	146
Approved (override)	1
Denied	0

npm dependencies (595 total)

Metric	Count
Approved (allowlist)	592
Approved (override)	3
Denied	0

PHPUnit Tests

PHPUnit tests were not enabled for this run.

Integration Tests (Newman)

Newman integration tests were not enabled for this run.

E2E Tests (Playwright)

Playwright E2E tests were not enabled for this run.

Generated automatically by the Quality workflow.

Download the full PDF report from the workflow artifacts.

rjzondervan previously approved these changes Mar 24, 2026

View reviewed changes

refactor: Use PHP_SAPI instead of \OC::$CLI for CLI detection

c719e7c

\OC::$CLI is a legacy Nextcloud accessor that may be deprecated. PHP_SAPI === 'cli' is a pure PHP constant with no framework dependency, making it future-proof.

rubenvdlinde dismissed rjzondervan’s stale review via c719e7c March 24, 2026 10:01

rjzondervan approved these changes Mar 24, 2026

View reviewed changes

Merge branch 'development' into fix/973-cli-rbac-bypass

425c3c7

chore: retrigger checks

ad3b257

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: Bypass RBAC and multitenancy checks in CLI context#978

fix: Bypass RBAC and multitenancy checks in CLI context#978
rubenvdlinde wants to merge 4 commits intodevelopmentfrom
fix/973-cli-rbac-bypass

rubenvdlinde commented Mar 24, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Mar 24, 2026

Uh oh!

rjzondervan Mar 24, 2026

Uh oh!

rubenvdlinde Mar 24, 2026

Uh oh!

github-actions bot commented Mar 24, 2026

Uh oh!

github-actions bot commented Mar 25, 2026

Uh oh!

github-actions bot commented Mar 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

rubenvdlinde commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test plan

Uh oh!

github-actions bot commented Mar 24, 2026

Quality Report

Summary

PHP Quality

Vue Quality

Security

License Compliance

composer dependencies (147 total)

npm dependencies (586 total)

PHPUnit Tests

Integration Tests (Newman)

E2E Tests (Playwright)

Uh oh!

rjzondervan Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

rubenvdlinde Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Mar 24, 2026

Quality Report

Summary

PHP Quality

Vue Quality

Security

License Compliance

composer dependencies (147 total)

npm dependencies (586 total)

PHPUnit Tests

Integration Tests (Newman)

E2E Tests (Playwright)

Uh oh!

github-actions bot commented Mar 25, 2026

Quality Report

Summary

PHP Quality

Vue Quality

Security

License Compliance

composer dependencies (147 total)

npm dependencies (595 total)

PHPUnit Tests

Integration Tests (Newman)

E2E Tests (Playwright)

Uh oh!

github-actions bot commented Mar 25, 2026

Quality Report

Summary

PHP Quality

Vue Quality

Security

License Compliance

composer dependencies (147 total)

npm dependencies (595 total)

PHPUnit Tests

Integration Tests (Newman)

E2E Tests (Playwright)

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

rubenvdlinde commented Mar 24, 2026 •

edited

Loading