authorCôme Chilliet <come.chilliet@nextcloud.com>2024-05-16 14:34:12 +0200
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>2025-01-27 16:29:02 +0000
commit140c6c8c7f82e144e34c0e6884b58ac0084138b6 (patch)
treeecf9c6bb92ea32d67ef43f0c1d941af47a294145
parent901c6450f031d084f100a6276043ab5c7939a17e (diff)
downloadnextcloud-server-backport/45364/stable29.tar.gz
nextcloud-server-backport/45364/stable29.zip
fix(user_ldap): Do not map groups we do not know if they match filterbackport/45364/stable29
When nesting is enabled, filterValidGroups is supposed to check for each group whether it actually exists, because it may not be visible to Nextcloud. So in this codepath we disable automapping of groups. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> [skip ci]
-rw-r--r--apps/user_ldap/lib/Access.php8
-rw-r--r--apps/user_ldap/lib/Group_LDAP.php2
2 files changed, 6 insertions, 4 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 31f88c4bf0b..2f30b832bdd 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -449,10 +449,11 @@ class Access extends LDAPUtility {
*
* @param string $fdn the dn of the group object
* @param string $ldapName optional, the display name of the object
+ * @param bool $autoMapping Should the group be mapped if not yet mapped
* @return string|false with the name to use in Nextcloud, false on DN outside of search DN
* @throws \Exception
*/
- public function dn2groupname($fdn, $ldapName = null) {
+ public function dn2groupname($fdn, $ldapName = null, bool $autoMapping = true) {
//To avoid bypassing the base DN settings under certain circumstances
//with the group support, check whether the provided DN matches one of
//the given Bases
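Review bot: The `@return` line of `dn2groupname` still documents `false` only for a DN outside the search base, while the new `$autoMapping` parameter presumably adds a second case, a group that is not yet mapped and must not be created. Callers such as the `if (!$gid)` check in Group_LDAP.php cannot tell the two apart, so the docblock should say so, e.g. `@return string|false the name to use in Nextcloud; false if the DN is outside the search base or, with $autoMapping false, the group is not mapped yet`. The function body ends outside this hunk.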
@@ -460,7 +461,7 @@ class Access extends LDAPUtility {
return false;
}
- return $this->dn2ocname($fdn, $ldapName, false);
+ return $this->dn2ocname($fdn, $ldapName, false, autoMapping:$autoMapping);
}
/**
@@ -490,10 +491,11 @@ class Access extends LDAPUtility {
* @param bool $isUser optional, whether it is a user object (otherwise group assumed)
* @param bool|null $newlyMapped
* @param array|null $record
+ * @param bool $autoMapping Should the group be mapped if not yet mapped
* @return false|string with with the name to use in Nextcloud
* @throws \Exception
*/
- public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null) {
+ public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null, bool $autoMapping = true) {
static $intermediates = [];
if (isset($intermediates[($isUser ? 'user-' : 'group-') . $fdn])) {
return false; // is a known intermediate
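Review bot: `$autoMapping` is added to the `dn2ocname` signature, but nothing in this commit reads it. The diffstat's 8 changed lines for Access.php are fully accounted for by the docblock, signature and call-site edits in these three hunks. As shown, the flag is passed through and never acted on, so a group reached via `dn2groupname($dn, $name, false)` would presumably still be mapped even though it was never checked against the group filter. The body of `dn2ocname` continues outside this hunk, so confirm against the full file. If the check is indeed absent, a guard such as `if (!$autoMapping) { return false; }` is needed after the lookup of existing mappings and before a new one is created. A test asserting that an unmapped group DN returns `false` and creates no mapping row would pin the intended behaviour.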
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index 699205cf501..8fa07e9338b 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -1219,7 +1219,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
continue;
}
$name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null;
- $gid = $this->access->dn2groupname($dn, $name);
+ $gid = $this->access->dn2groupname($dn, $name, false);
if (!$gid) {
continue;
}
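Review bot: The bare positional `false` in the new `dn2groupname` call gives no hint that it disables group auto-mapping, and it is inconsistent with the named argument this commit uses in Access.php. Writing it as `$gid = $this->access->dn2groupname($dn, $name, autoMapping: false);` makes the access-control intent visible at the call site. A short comment such as `// do not auto-map here: this group has not been validated against the group filter yet` would record why this path differs from the default. The enclosing loop and method start and end outside the hunk.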