Merge pull request #13742 from owncloud/fix-12190-2-stable7

[backport #13740] backport #13740 to stable7

5 files changed, 164 insertions, 30 deletions

diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php
index cba19f3791c..0d39b74bbe8 100644
--- a/apps/user_ldap/group_ldap.php
+++ b/apps/user_ldap/group_ldap.php
@@ -249,32 +249,76 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
 	}
 
 	/**
-	 * returns a list of users that have the given group as primary group
+	 * returns a filter for a "users in primary group" search or count operation
 	 *
 	 * @param string $groupDN
-	 * @param $limit
-	 * @param int $offset
-	 * @return string[]
+	 * @param string $search
+	 * @return string
+	 * @throws \Exception
 	 */
-	public function getUsersInPrimaryGroup($groupDN, $limit = -1, $offset = 0) {
+	private function prepareFilterForUsersInPrimaryGroup($groupDN, $search = '') {
 		$groupID = $this->getGroupPrimaryGroupID($groupDN);
 		if($groupID === false) {
-			return array();
+			throw new \Exception('Not a valid group');
 		}
 
-		$filter = $this->access->combineFilterWithAnd(array(
-			$this->access->connection->ldapUserFilter,
-			'primaryGroupID=' . $groupID
-		));
+		$filterParts = [];
+		// part for counting users (see countUsers in user backend)
+		// it is consolidated in OC 8. No big changes for OC 7.
+		$filterParts[] = \OCP\Util::mb_str_replace(
+			'%uid', '*', $this->access->connection->ldapLoginFilter, 'UTF-8');
+		if(!empty($search)) {
+			$search = $this->access->escapeFilterPart($search, true);
+			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
+		}
+		$filterParts[] = 'primaryGroupID=' . $groupID;
 
-		$users = $this->access->fetchListOfUsers(
-			$filter,
-			array($this->access->connection->ldapUserDisplayName, 'dn'),
-			$limit,
-			$offset
-		);
+		$filter = $this->access->combineFilterWithAnd($filterParts);
+
+		return $filter;
+	}
+
+	/**
+	 * returns a list of users that have the given group as primary group
+	 *
+	 * @param string $groupDN
+	 * @param string $search
+	 * @param int $limit
+	 * @param int $offset
+	 * @return string[]
+	 */
+	public function getUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) {
+		try {
+			$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
+			$users = $this->access->fetchListOfUsers(
+				$filter,
+				array($this->access->connection->ldapUserDisplayName, 'dn'),
+				$limit,
+				$offset
+			);
+			return $this->access->ownCloudUserNames($users);
+		} catch (\Exception $e) {
+			return array();
+		}
+	}
 
-		return $users;
+	/**
+	 * returns the number of users that have the given group as primary group
+	 *
+	 * @param string $groupDN
+	 * @param string $search
+	 * @param int $limit
+	 * @param int $offset
+	 * @return int
+	 */
+	public function countUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) {
+		try {
+			$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
+			$users = $this->access->countUsers($filter, array('dn'), $limit, $offset);
+			return (int)$users;
+		} catch (\Exception $e) {
+			return 0;
+		}
 	}
 
 	/**
@@ -405,6 +449,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
 		if(!$this->groupExists($gid)) {
 			return array();
 		}
+		$search = $this->access->escapeFilterPart($search, true);
 		$cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset;
 		// check for cache of the exact query
 		$groupUsers = $this->access->connection->getFromCache($cacheKey);
@@ -430,8 +475,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
 			return array();
 		}
 
+		$primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset);
 		$members = array_keys($this->_groupMembers($groupDN));
-		if(!$members) {
+		if(!$members && empty($primaryUsers)) {
 			//in case users could not be retrieved, return empty result set
 			$this->access->connection->writeToCache($cacheKey, array());
 			return array();
@@ -468,13 +514,11 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
 			}
 		}
 
+		$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers));
 		natsort($groupUsers);
 		$this->access->connection->writeToCache('usersInGroup-'.$gid.'-'.$search, $groupUsers);
 		$groupUsers = array_slice($groupUsers, $offset, $limit);
 
-		//and get users that have the group as primary
-		$primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $limit, $offset);
-		$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers));
 
 		$this->access->connection->writeToCache($cacheKey, $groupUsers);
 
@@ -505,17 +549,19 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
 		}
 
 		$members = array_keys($this->_groupMembers($groupDN));
-		if(!$members) {
+		$primaryUserCount = $this->countUsersInPrimaryGroup($groupDN, '');
+		if(!$members && $primaryUserCount === 0) {
 			//in case users could not be retrieved, return empty result set
 			$this->access->connection->writeToCache($cacheKey, false);
 			return false;
 		}
 
 		if(empty($search)) {
-			$groupUsers = count($members);
+			$groupUsers = count($members) + $primaryUserCount;
 			$this->access->connection->writeToCache($cacheKey, $groupUsers);
 			return $groupUsers;
 		}
+		$search = $this->access->escapeFilterPart($search, true);
 		$isMemberUid =
 			(strtolower($this->access->connection->ldapGroupMemberAssocAttr)
 			=== 'memberuid');
@@ -557,10 +603,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
 		}
 
 		//and get users that have the group as primary
-		$primaryUsers = $this->getUsersInPrimaryGroup($groupDN);
-		$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers));
+		$primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search);
 
-		return count($groupUsers);
+		return count($groupUsers) + $primaryUsers;
 	}
 
 	/**
@@ -623,6 +668,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
 		if(!$this->enabled) {
 			return array();
 		}
+		$search = $this->access->escapeFilterPart($search, true);
 		$pagingSize = $this->access->connection->ldapPagingSize;
 		if ((! $this->access->connection->hasPagedResultSupport)
 		   	|| empty($pagingSize)) {
diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php
index a38f6be00e0..9ed8a0e7b69 100644
--- a/apps/user_ldap/lib/access.php
+++ b/apps/user_ldap/lib/access.php
@@ -1069,7 +1069,7 @@ class Access extends LDAPUtility implements user\IUserTools {
 	/**
 	* escapes (user provided) parts for LDAP filter
 	* @param string $input, the provided value
-	* @param bool $allowAsterisk wether in * at the beginning should be preserved
+	* @param bool $allowAsterisk whether in * at the beginning should be preserved
 	* @return string the escaped string
 	*/
 	public function escapeFilterPart($input, $allowAsterisk = false) {
diff --git a/apps/user_ldap/lib/connection.php b/apps/user_ldap/lib/connection.php
index d017fe8029c..f484423cb85 100644
--- a/apps/user_ldap/lib/connection.php
+++ b/apps/user_ldap/lib/connection.php
@@ -32,7 +32,10 @@ use OC\ServerNotAvailableException;
  * @property string ldapUserFilter
  * @property string ldapUserDisplayName
  * @property boolean hasPagedResultSupport
+ * @property string[] ldapBaseUsers
  * @property int|string ldapPagingSize holds an integer
+ * @property string ldapLoginFilter
+ * @property string ldapGroupMemberAssocAttr
  */
 class Connection extends LDAPUtility {
 	private $ldapConnectionRes = null;
diff --git a/apps/user_ldap/lib/wizard.php b/apps/user_ldap/lib/wizard.php
index 0480e5b6b64..a2b86843ea5 100644
--- a/apps/user_ldap/lib/wizard.php
+++ b/apps/user_ldap/lib/wizard.php
@@ -804,13 +804,23 @@ class Wizard extends LDAPUtility {
 						}
 						$base = $this->configuration->ldapBase[0];
 						foreach($cns as $cn) {
-							$rr = $this->ldap->search($cr, $base, 'cn=' . $cn, array('dn'));
+							$rr = $this->ldap->search($cr, $base, 'cn=' . $cn, array('dn', 'primaryGroupToken'));
 							if(!$this->ldap->isResource($rr)) {
 								continue;
 							}
 							$er = $this->ldap->firstEntry($cr, $rr);
+							$attrs = $this->ldap->getAttributes($cr, $er);
 							$dn = $this->ldap->getDN($cr, $er);
-							$filter .= '(memberof=' . $dn . ')';
+							if(empty($dn)) {
+								continue;
+							}
+							$filterPart = '(memberof=' . $dn . ')';
+							if(isset($attrs['primaryGroupToken'])) {
+								$pgt = $attrs['primaryGroupToken'][0];
+								$primaryFilterPart = '(primaryGroupID=' . $pgt .')';
+								$filterPart = '(|' . $filterPart . $primaryFilterPart . ')';
+							}
+							$filter .= $filterPart;
 						}
 						$filter .= ')';
 					}
diff --git a/apps/user_ldap/tests/group_ldap.php b/apps/user_ldap/tests/group_ldap.php
index 8066bce02e3..b18ebb50efa 100644
--- a/apps/user_ldap/tests/group_ldap.php
+++ b/apps/user_ldap/tests/group_ldap.php
@@ -77,10 +77,15 @@ class Test_Group_Ldap extends \PHPUnit_Framework_TestCase {
 			->method('readAttribute')
 			->will($this->returnValue(array('u11', 'u22', 'u33', 'u34')));
 
+		// for primary groups
+		$access->expects($this->once())
+			->method('countUsers')
+			->will($this->returnValue(2));
+
 		$groupBackend = new GroupLDAP($access);
 		$users = $groupBackend->countUsersInGroup('group');
 
-		$this->assertSame(4, $users);
+		$this->assertSame(6, $users);
 	}
 
 	public function testCountWithSearchString() {
@@ -308,4 +313,74 @@ class Test_Group_Ldap extends \PHPUnit_Framework_TestCase {
 		$this->assertSame(2, count($groups));
 	}
 
+	/**
+	 * tests that a user listing is complete, if all it's members have the group
+	 * as their primary.
+	 */
+	public function  testUsersInGroupPrimaryMembersOnly() {
+		$access = $this->getAccessMock();
+		$this->enableGroups($access);
+
+		$access->connection->expects($this->any())
+			->method('getFromCache')
+			->will($this->returnValue(null));
+
+		$access->expects($this->any())
+			->method('readAttribute')
+			->will($this->returnCallback(function($dn, $attr) {
+				if($attr === 'primaryGroupToken') {
+					return array(1337);
+				}
+				return array();
+			}));
+
+		$access->expects($this->any())
+			->method('groupname2dn')
+			->will($this->returnValue('cn=foobar,dc=foo,dc=bar'));
+
+		$access->expects($this->once())
+			->method('ownCloudUserNames')
+			->will($this->returnValue(array('lisa', 'bart', 'kira', 'brad')));
+
+		$groupBackend = new GroupLDAP($access);
+		$users = $groupBackend->usersInGroup('foobar');
+
+		$this->assertSame(4, count($users));
+	}
+
+	/**
+	 * tests that a user counting is complete, if all it's members have the group
+	 * as their primary.
+	 */
+	public function  testCountUsersInGroupPrimaryMembersOnly() {
+		$access = $this->getAccessMock();
+		$this->enableGroups($access);
+
+		$access->connection->expects($this->any())
+			->method('getFromCache')
+			->will($this->returnValue(null));
+
+		$access->expects($this->any())
+			->method('readAttribute')
+			->will($this->returnCallback(function($dn, $attr) {
+				if($attr === 'primaryGroupToken') {
+					return array(1337);
+				}
+				return array();
+			}));
+
+		$access->expects($this->any())
+			->method('groupname2dn')
+			->will($this->returnValue('cn=foobar,dc=foo,dc=bar'));
+
+		$access->expects($this->once())
+			->method('countUsers')
+			->will($this->returnValue(4));
+
+		$groupBackend = new GroupLDAP($access);
+		$users = $groupBackend->countUsersInGroup('foobar');
+
+		$this->assertSame(4, $users);
+	}
+
 }