If enforced server, allow QR scanner, but validate url

app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java

@@ -67,7 +67,6 @@
 import com.nextcloud.operations.PostMethod;
 import com.nextcloud.utils.extensions.BundleExtensionsKt;
 import com.nextcloud.utils.mdm.MDMConfig;
-import com.owncloud.android.BuildConfig;
 import com.owncloud.android.MainApp;
 import com.owncloud.android.R;
 import com.owncloud.android.databinding.AccountSetupBinding;
@@ -351,7 +350,6 @@ private void showEnforcedServers() {
         showAuthStatus();
         accountSetupBinding.hostUrlFrame.setVisibility(View.GONE);
         accountSetupBinding.hostUrlInputHelperText.setVisibility(View.GONE);
-        accountSetupBinding.scanQr.setVisibility(View.GONE);
         accountSetupBinding.serversSpinner.setVisibility(View.VISIBLE);
 
         ArrayAdapter<String> adapter = new ArrayAdapter<>(this, R.layout.enforced_servers_spinner);
@@ -639,6 +637,13 @@ private void parseAndLoginFromWebView(String dataString) {
             String prefix = getString(R.string.login_data_own_scheme) + PROTOCOL_SUFFIX + "login/";
             LoginUrlInfo loginUrlInfo = parseLoginDataUrl(prefix, dataString);
 
+            if (!checkAllowedServers(loginUrlInfo.getServer())) {
+                mServerStatusIcon = R.drawable.ic_alert;
+                mServerStatusText = getString(R.string.server_not_allowed);
+                showServerStatus();
+                return;
+            }
+
             if (accountSetupBinding != null) {
                 accountSetupBinding.hostUrlInput.setText("");
             }
@@ -649,10 +654,36 @@ private void parseAndLoginFromWebView(String dataString) {
             mServerStatusIcon = R.drawable.ic_alert;
             mServerStatusText = getString(R.string.qr_could_not_be_read);
             showServerStatus();
+            return;
         }
         checkOcServer();
     }
 
+    private boolean checkAllowedServers(@NonNull String server) {
+        String webviewLogin = getString(R.string.webview_login_url);
+
+        if (!webviewLogin.isEmpty() && webviewLogin.startsWith(server)) {
+            return true;
+        }
+
+        String enforcedServerList = getString(R.string.enforce_servers);
+
+        if (!enforcedServerList.isEmpty()) {
+            ArrayList<EnforcedServer> enforcedServers = new Gson().fromJson(enforcedServerList,
+                                                                            new TypeToken<ArrayList<EnforcedServer>>() {
+                                                                            }
+                                                                                .getType());
+
+            for (EnforcedServer enforcedServer : enforcedServers) {
+                if (enforcedServer.getUrl().startsWith(server)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
     /**
      * parses a URI string and returns a login data object with the information from the URI string.
      *

app/src/main/res/values/strings.xml

@@ -1506,4 +1506,5 @@
     <string name="sync_conflict_notification_title">File upload conflicts</string>
     <string name="sync_conflict_notification_description">Upload conflicts detected. Open uploads to resolve.</string>
     <string name="sync_conflict_notification_action_title">Resolve conflicts</string>
+    <string name="server_not_allowed">Server not allowed</string>
 </resources>