author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2020-01-13 12:10:29 +0100 |
---|---|---|
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2020-01-13 17:13:08 +0100 |
commit | 489ed878e15a986e30ec1ea70b4459e6b22fbaa9 (patch) | |
tree | 7787cbb889f1b69dd8c839e7085a3faff4a8697a | |
parent | f657ded6ec93de95eec33e19f3d6d528aa397f2d (diff) | |
ensure that only valid group members are returned
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
-rw-r--r-- | apps/user_ldap/lib/Group_LDAP.php | 35 |
1 files changed, 27 insertions, 8 deletions
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index 30d37c13ba2..a38c42035f6 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -812,6 +812,7 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
 * @param int $limit
 * @param int $offset
 * @return array with user ids
+ * @throws \Exception
 */
 public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
 if(!$this->enabled) {
@@ -863,7 +864,10 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
 //we got uids, need to get their DNs to 'translate' them to user names
 $filter = $this->access->combineFilterWithAnd(array(
 str_replace('%uid', trim($member), $this->access->connection->ldapLoginFilter),
- $this->access->getFilterPartForUserSearch($search)
+ $this->access->combineFilterWithAnd([
+ $this->access->getFilterPartForUserSearch($search),
+ $this->access->connection->ldapUserFilter
+ ])
 ));
 $ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
 if(count($ldap_users) < 1) {
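Review bot: The combined filter `$this->access->combineFilterWithAnd([$this->access->getFilterPartForUserSearch($search), $this->access->connection->ldapUserFilter])` is rebuilt for every member although it depends only on `$search`; build it once as `$userFilter` before the loop (the foreach begins outside this hunk) and pass `$userFilter` at this point of the login-filter array. The identical expression appears again in the DN branch of the following hunk, so a single hoisted variable would serve both places and keep the two membership paths from drifting apart.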
@@ -872,17 +876,32 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
 $groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]);
 } else {
 //we got DNs, check if we need to filter by search or we can give back all of them
- if ($search !== '') {
- if(!$this->access->readAttribute($member,
+ $uid = $this->access->dn2username($member);
+ if(!$uid) {
+ continue;
+ }
+
+ $cacheKey = 'userExistsOnLDAP' . $uid;
+ $userExists = $this->access->connection->getFromCache($cacheKey);
+ if($userExists === false) {
+ continue;
+ }
+ if($userExists === null || $search !== '') {
+ if (!$this->access->readAttribute($member,
 $this->access->connection->ldapUserDisplayName,
- $this->access->getFilterPartForUserSearch($search))) {
+ $this->access->combineFilterWithAnd([
+ $this->access->getFilterPartForUserSearch($search),
+ $this->access->connection->ldapUserFilter
+ ])))
+ {
+ if($search === '') {
+ $this->access->connection->writeToCache($cacheKey, false);
+ }
 continue;
 }
+ $this->access->connection->writeToCache($cacheKey, true);
 }
- // dn2username will also check if the users belong to the allowed base
- if($ocname = $this->access->dn2username($member)) {
- $groupUsers[] = $ocname;
- }
+ $groupUsers[] = $uid;
 }
 } |
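Review bot: The `if($userExists === null || $search !== '')` branch skips the ldapUserFilter check entirely when the cache already holds `true` for `'userExistsOnLDAP' . $uid`, so the guarantee in the commit title holds only if every writer of that key applied the user filter; a `true` written by another existence check that does not, or a member who stops matching the filter after being cached, is still returned until the entry expires. The key name suggests it is shared with the backend's user-existence check, which is outside this hunk, so the `$cacheKey` line deserves a comment: `// shared key: a cached true must only come from a lookup that applied ldapUserFilter`. Separately, the negative result is cached on the `$search === ''` path from reading `ldapUserDisplayName`; if `readAttribute` reports false for an entry that merely lacks a display-name value, that member is dropped from every listing for the cache lifetime, so a presence check should read an attribute every entry is guaranteed to carry. The enclosing foreach and usersInGroup continue outside this hunk.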