Merge pull request #59603 from nextcloud/backport/59599/stable32

nickvergessen · web-flow · commit 32462cdccca0 · 2026-04-13T15:52:04.000+02:00
[stable32] test: Add integration test to confirm a user can not add themselves t…
diff --git a/build/integration/features/provisioning-v1.feature b/build/integration/features/provisioning-v1.feature
@@ -484,11 +484,26 @@ Feature: provisioning
     Given As an "admin"
     And user "brand-new-user" exists
     And group "new-group" exists
+    And group "other-group" exists
     When sending "POST" to "/cloud/users/brand-new-user/subadmins" with
       | groupid | new-group |
     Then the OCS status code should be "100"
     And the HTTP status code should be "200"
 
+    # Ensure self promotion is not possible
+    Given As an "brand-new-user"
+    When sending "POST" to "/cloud/users/brand-new-user/groups" with
+      | groupid | admin |
+    Then the OCS status code should be "104"
+    And the HTTP status code should be "200"
+
+    # Ensure self adding to other groups is not possible
+    Given As an "brand-new-user"
+    When sending "POST" to "/cloud/users/brand-new-user/groups" with
+      | groupid | other-group |
+    Then the OCS status code should be "104"
+    And the HTTP status code should be "200"
+
   Scenario: get users using a subadmin
     Given As an "admin"
     And user "brand-new-user" exists
@@ -790,7 +805,7 @@ Feature: provisioning
     Then the HTTP status code should be "200"
     And user "subadmin" is disabled
 
-  Scenario: Admin user cannot disable himself
+  Scenario: Admin user cannot disable themself
     Given As an "admin"
     And user "another-admin" exists
     And user "another-admin" belongs to group "admin"
@@ -801,7 +816,7 @@ Feature: provisioning
     And As an "admin"
     And user "another-admin" is enabled
 
-  Scenario:Admin user cannot enable himself
+  Scenario: Admin user cannot enable themself
     Given As an "admin"
     And user "another-admin" exists
     And user "another-admin" belongs to group "admin"
@@ -834,7 +849,7 @@ Feature: provisioning
     And As an "admin"
     And user "user2" is disabled
 
-  Scenario: Subadmin should not be able to disable himself
+  Scenario: Subadmin should not be able to disable themself
     Given As an "admin"
     And user "subadmin" exists
     And group "new-group" exists
@@ -847,7 +862,7 @@ Feature: provisioning
     And As an "admin"
     And user "subadmin" is enabled
 
-  Scenario: Subadmin should not be able to enable himself
+  Scenario: Subadmin should not be able to enable themself
     Given As an "admin"
     And user "subadmin" exists
     And group "new-group" exists
