summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoland Tapken <roland@bitarbeiter.net>2018-02-07 14:08:08 +0100
committerArthur Schiwon <blizzz@arthur-schiwon.de>2019-03-05 11:07:35 +0100
commitc2d8a36d9a824791234cc4093b79c8a66ee55cbb (patch)
tree1e195a7ae30b709adfc9cf2be3e4405152724e6e
parent1aad0100b53681aba2ee399dbdb1929748483ad8 (diff)
downloadnextcloud-server-c2d8a36d9a824791234cc4093b79c8a66ee55cbb.tar.gz
nextcloud-server-c2d8a36d9a824791234cc4093b79c8a66ee55cbb.zip
user_ldap: Filter groups after nexted groups
Currently groupsMatchFilter is called before nested groups are resolved. This basicly breaks this feature since it is not possible to inherit membership in a group from another group. Minimal example: Group filter: (&(objectClass=group),(cn=nextcloud)) Nested groups: enabled cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local objectClass: group cn=IT,ou=groups,dn=company,dn=local objectClass: group memberOf: cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local cn=John Doe,ou=users,dn=company,dn=local objectClass: person memberOf: cn=IT,ou=groups,dn=company,dn=local Since 'cn=IT,ou=groups,dn=company,dn=local' doesn't match the group filter, John wouldn't be a member of group 'nextcloud'. This patch fixes this by filtering the groups after all nested groups have been collected. If nested groups is disabled the result will be the same as without this patch. Signed-off-by: Roland Tapken <roland@bitarbeiter.net>
-rw-r--r--apps/user_ldap/lib/Group_LDAP.php3
1 files changed, 1 insertions, 2 deletions
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index 2240c2ad229..b16cb953021 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -265,7 +265,6 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
if (!is_array($groups)) {
return array();
}
- $groups = $this->access->groupsMatchFilter($groups);
$allGroups = $groups;
$nestedGroups = $this->access->connection->ldapNestedGroups;
if ((int)$nestedGroups === 1) {
@@ -274,7 +273,7 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
$allGroups = array_merge($allGroups, $subGroups);
}
}
- return $allGroups;
+ return $this->access->groupsMatchFilter($allGroups);
}
/**