also block certificate management in the back-end if external storages are disabled for the user

settings/application.php

@@ -107,7 +107,8 @@ class Application extends App {
 				$c->query('AppName'),
 				$c->query('Request'),
 				$c->query('CertificateManager'),
-				$c->query('L10N')
+				$c->query('L10N'),
+				$c->query('IAppManager')
 			);
 		});
 		$container->registerService('GroupsController', function(IContainer $c) {

settings/controller/certificatecontroller.php

@@ -21,6 +21,7 @@
 
 namespace OC\Settings\Controller;
 
+use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
@@ -36,20 +37,25 @@ class CertificateController extends Controller {
 	private $certificateManager;
 	/** @var IL10N */
 	private $l10n;
+	/** @var IAppManager */
+	private $appManager;
 
 	/**
 	 * @param string $appName
 	 * @param IRequest $request
 	 * @param ICertificateManager $certificateManager
 	 * @param IL10N $l10n
+	 * @param IAppManager $appManager
 	 */
 	public function __construct($appName,
 								IRequest $request,
 								ICertificateManager $certificateManager,
-								IL10N $l10n) {
+								IL10N $l10n,
+								IAppManager $appManager) {
 		parent::__construct($appName, $request);
 		$this->certificateManager = $certificateManager;
 		$this->l10n = $l10n;
+		$this->appManager = $appManager;
 	}
 
 	/**
@@ -60,6 +66,11 @@ class CertificateController extends Controller {
 	 * @return array
 	 */
 	public function addPersonalRootCertificate() {
+
+		if ($this->isCertificateImportAllowed() === false) {
+			return new DataResponse('Individual certificate management disabled', Http::STATUS_FORBIDDEN);
+		}
+
 		$file = $this->request->getUploadedFile('rootcert_import');
 		if(empty($file)) {
 			return new DataResponse(['message' => 'No file uploaded'], Http::STATUS_UNPROCESSABLE_ENTITY);
@@ -92,8 +103,29 @@ class CertificateController extends Controller {
 	 * @return DataResponse
 	 */
 	public function removePersonalRootCertificate($certificateIdentifier) {
+
+		if ($this->isCertificateImportAllowed() === false) {
+			return new DataResponse('Individual certificate management disabled', Http::STATUS_FORBIDDEN);
+		}
+
 		$this->certificateManager->removeCertificate($certificateIdentifier);
 		return new DataResponse();
 	}
 
+	/**
+	 * check if certificate import is allowed
+	 *
+	 * @return bool
+	 */
+	protected function isCertificateImportAllowed() {
+		$externalStorageEnabled = $this->appManager->isEnabledForUser('files_external');
+		if ($externalStorageEnabled) {
+			$backends = \OC_Mount_Config::getPersonalBackends();
+			if (!empty($backends)) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 }

tests/settings/controller/CertificateControllerTest.php

@@ -21,6 +21,7 @@
 
 namespace OC\Settings\Controller;
 
+use OCP\App\IAppManager;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\IRequest;
@@ -41,6 +42,8 @@ class CertificateControllerTest extends \Test\TestCase {
 	private $certificateManager;
 	/** @var IL10N */
 	private $l10n;
+	/** @var IAppManager */
+	private $appManager;
 
 	public function setUp() {
 		parent::setUp();
@@ -48,13 +51,21 @@ class CertificateControllerTest extends \Test\TestCase {
 		$this->request = $this->getMock('\OCP\IRequest');
 		$this->certificateManager = $this->getMock('\OCP\ICertificateManager');
 		$this->l10n = $this->getMock('\OCP\IL10N');
-
-		$this->certificateController = new CertificateController(
-			'settings',
-			$this->request,
-			$this->certificateManager,
-			$this->l10n
-		);
+		$this->appManager = $this->getMock('OCP\App\IAppManager');
+
+		$this->certificateController = $this->getMockBuilder('OC\Settings\Controller\CertificateController')
+			->setConstructorArgs(
+				[
+					'settings',
+					$this->request,
+					$this->certificateManager,
+					$this->l10n,
+					$this->appManager
+				]
+			)->setMethods(['isCertificateImportAllowed'])->getMock();
+
+		$this->certificateController->expects($this->any())
+			->method('isCertificateImportAllowed')->willReturn(true);
 	}
 
 	public function testAddPersonalRootCertificateWithEmptyFile() {