blindern · henrist · Feb 15, 2026 · Feb 15, 2026 · Feb 15, 2026
diff --git a/backend/app/Http/Controllers/API/GroupController.php b/backend/app/Http/Controllers/API/GroupController.php
@@ -1,7 +1,11 @@
 <?php namespace App\Http\Controllers\API;
 
 use \Blindern\Intern\Auth\Group;
+use \Blindern\Intern\Auth\UsersApiClient;
+use \Blindern\Intern\Responses;
 use \App\Http\Controllers\Controller;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
 
 class GroupController extends Controller
 {
@@ -28,15 +32,122 @@ public function show($group)
         return $group->toArray(array(), 2, $c->exceptFields());
     }
 
-    /*			// get full objects
-                $group['members'] = array();
-                $realnames = array();
-                foreach ($ldap->get_users_by_usernames($members) as $user)
-                {
-                    $group['members'][] = $user->toArray($uc->exceptFields($user));
-                    $realnames[] = $user->realname;
-                }
-
-                // sort by realname
-                array_multisort($realnames, $group['members']);*/
+    private function canManageGroup(string $groupName): bool
+    {
+        return \Auth::member("useradmin") || (\Auth::user() && \Auth::user()->isGroupOwner($groupName));
+    }
+
+    public function addMember(Request $request, string $groupName)
+    {
+        if (!$this->canManageGroup($groupName)) {
+            return Responses::forbidden(['Ingen tilgang til å administrere denne gruppen.']);
+        }
+
+        $memberType = $request->input('memberType');
+        $memberId = $request->input('memberId');
+
+        if (!in_array($memberType, ['users', 'groups'], true) || !$memberId) {
+            return Responses::clientError(['Ugyldig medlemstype eller ID.']);
+        }
+
+        $client = new UsersApiClient();
+        $response = $client->addMemberToGroup($groupName, $memberType, $memberId);
+
+        if (!$response->successful()) {
+            return Responses::serverError(['Kunne ikke legge til medlem.']);
+        }
+
+        Log::info('Group member added', [
+            'admin' => \Auth::user()->username,
+            'group' => $groupName,
+            'memberType' => $memberType,
+            'memberId' => $memberId,
+        ]);
+
+        return Responses::success(['Medlem lagt til.']);
+    }
+
+    public function removeMember(string $groupName, string $memberType, string $memberId)
+    {
+        if (!$this->canManageGroup($groupName)) {
+            return Responses::forbidden(['Ingen tilgang til å administrere denne gruppen.']);
+        }
+
+        if (!in_array($memberType, ['users', 'groups'], true)) {
+            return Responses::clientError(['Ugyldig medlemstype.']);
+        }
+
+        $client = new UsersApiClient();
+        $response = $client->removeMemberFromGroup($groupName, $memberType, $memberId);
+
+        if (!$response->successful()) {
+            return Responses::serverError(['Kunne ikke fjerne medlem.']);
+        }
+
+        Log::info('Group member removed', [
+            'admin' => \Auth::user()->username,
+            'group' => $groupName,
+            'memberType' => $memberType,
+            'memberId' => $memberId,
+        ]);
+
+        return Responses::success(['Medlem fjernet.']);
+    }
+
+    public function addOwner(Request $request, string $groupName)
+    {
+        if (!$this->canManageGroup($groupName)) {
+            return Responses::forbidden(['Ingen tilgang til å administrere denne gruppen.']);
+        }
+
+        $ownerType = $request->input('ownerType');
+        $ownerId = $request->input('ownerId');
+
+        if (!in_array($ownerType, ['users', 'groups'], true) || !$ownerId) {
+            return Responses::clientError(['Ugyldig eiertype eller ID.']);
+        }
+
+        $client = new UsersApiClient();
+        $response = $client->addOwnerToGroup($groupName, $ownerType, $ownerId);
+
+        if (!$response->successful()) {
+            return Responses::serverError(['Kunne ikke legge til administrator.']);
+        }
+
+        Log::info('Group owner added', [
+            'admin' => \Auth::user()->username,
+            'group' => $groupName,
+            'ownerType' => $ownerType,
+            'ownerId' => $ownerId,
+        ]);
+
+        return Responses::success(['Administrator lagt til.']);
+    }
+
+    public function removeOwner(string $groupName, string $ownerType, string $ownerId)
+    {
+        if (!$this->canManageGroup($groupName)) {
+            return Responses::forbidden(['Ingen tilgang til å administrere denne gruppen.']);
+        }
+
+        if (!in_array($ownerType, ['users', 'groups'], true)) {
+            return Responses::clientError(['Ugyldig eiertype.']);
+        }
+
+        $client = new UsersApiClient();
+        $response = $client->removeOwnerFromGroup($groupName, $ownerType, $ownerId);
+
+        if (!$response->successful()) {
+            return Responses::serverError(['Kunne ikke fjerne administrator.']);
+        }
+
+        Log::info('Group owner removed', [
+            'admin' => \Auth::user()->username,
+            'group' => $groupName,
+            'ownerType' => $ownerType,
+            'ownerId' => $ownerId,
+        ]);
+
+        return Responses::success(['Administrator fjernet.']);
+    }
 }
diff --git a/backend/app/Http/Controllers/API/RegistrationRequestController.php b/backend/app/Http/Controllers/API/RegistrationRequestController.php
@@ -72,7 +72,7 @@ public function approve(string $id)
 
             // Add user to groups
             foreach ($groups as $group) {
-                $groupResponse = $client->addUserToGroup($group, $request->username);
+                $groupResponse = $client->addMemberToGroup($group, 'users', $request->username);
                 if (!$groupResponse->successful()) {
                     Log::error('Failed to add user to group', [
                         'username' => $request->username,

diff --git a/backend/app/src/Auth/User.php b/backend/app/src/Auth/User.php
@@ -240,6 +240,15 @@ public function inGroup($group, $allow_superadmin = true)
         return false;
     }
 
+    /**
+     * Check if user is an owner of a group
+     */
+    public function isGroupOwner(string $groupName): bool
+    {
+        $this->loadGroups();
+        return isset($this->groupowner_relations[$groupName]);
+    }
+
     /**
      * Get list of groupnames
      *
@@ -286,7 +295,7 @@ protected function setGroups($list)
      */
     public function loadGroups($force_full_structure = false)
     {
-        if (is_null($this->groups) || ($force_full_structure && isset($this->groups[0]) && !($this->groups[0] instanceof Group))) {
+        if (is_null($this->groups) || is_null($this->groupowner_relations) || ($force_full_structure && isset($this->groups[0]) && !($this->groups[0] instanceof Group))) {
             $response = Helper::get('user/'.$this->unique_id."?grouplevel=2");
 
             $this->groups = null;

diff --git a/backend/app/src/Auth/UsersApiClient.php b/backend/app/src/Auth/UsersApiClient.php
@@ -98,8 +98,23 @@ public function verifyCredentials(string $username, string $password): bool
         return $response->successful();
     }
 
-    public function addUserToGroup(string $groupname, string $username)
+    public function addMemberToGroup(string $groupname, string $memberType, string $memberId)
     {
-        return $this->jsonRequest('PUT', "v2/groups/" . rawurlencode($groupname) . "/members/users/" . rawurlencode($username));
+        return $this->jsonRequest('PUT', "v2/groups/" . rawurlencode($groupname) . "/members/" . rawurlencode($memberType) . "/" . rawurlencode($memberId));
+    }
+
+    public function removeMemberFromGroup(string $groupname, string $memberType, string $memberId)
+    {
+        return $this->jsonRequest('DELETE', "v2/groups/" . rawurlencode($groupname) . "/members/" . rawurlencode($memberType) . "/" . rawurlencode($memberId));
+    }
+
+    public function addOwnerToGroup(string $groupname, string $ownerType, string $ownerId)
+    {
+        return $this->jsonRequest('PUT', "v2/groups/" . rawurlencode($groupname) . "/owners/" . rawurlencode($ownerType) . "/" . rawurlencode($ownerId));
+    }
+
+    public function removeOwnerFromGroup(string $groupname, string $ownerType, string $ownerId)
+    {
+        return $this->jsonRequest('DELETE', "v2/groups/" . rawurlencode($groupname) . "/owners/" . rawurlencode($ownerType) . "/" . rawurlencode($ownerId));
     }
 }
diff --git a/backend/routes/app.php b/backend/routes/app.php
@@ -69,6 +69,12 @@
         Route::resource('user', UserController::class, array('only' => array('index', 'show', 'edit')));
         Route::resource('group', GroupController::class, array('only' => array('index', 'show')));
 
+        // group management
+        Route::post('group/{groupName}/members', [GroupController::class, 'addMember']);
+        Route::delete('group/{groupName}/members/{memberType}/{memberId}', [GroupController::class, 'removeMember']);
+        Route::post('group/{groupName}/owners', [GroupController::class, 'addOwner']);
+        Route::delete('group/{groupName}/owners/{ownerType}/{ownerId}', [GroupController::class, 'removeOwner']);
+
         // change password (logged-in user)
         Route::post('change-password', [ChangePasswordController::class, 'change']);