authorJulius Härtl <jus@bitgrid.net>2020-02-20 18:52:23 +0100
committerJulius Härtl <jus@bitgrid.net>2020-03-20 10:43:56 +0100
commit0fa897fcfcfc404c3b8bb3d25a61328cb43949f2 (patch)
tree692c3c152fa30d90b5d83e90bf4027511839d943 /apps/dav/lib/Connector
parent8edc824526570fcfbd0b5f48606015ba0ae2b81b (diff)
Limit enumeration in principal search
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Diffstat (limited to 'apps/dav/lib/Connector')
-rw-r--r--apps/dav/lib/Connector/Sabre/Principal.php29
1 files changed, 28 insertions, 1 deletions
diff --git a/apps/dav/lib/Connector/Sabre/Principal.php b/apps/dav/lib/Connector/Sabre/Principal.php
index 449275e982f..41b85f162c8 100644
--- a/apps/dav/lib/Connector/Sabre/Principal.php
+++ b/apps/dav/lib/Connector/Sabre/Principal.php
@@ -245,7 +245,8 @@ class Principal implements BackendInterface {
return [];
}
- $allowEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
+ $allowEnumeration = $this->shareManager->allowEnumeration();
+ $limitEnumeration = $this->shareManager->limitEnumerationToGroups();
// If sharing is restricted to group members only,
// return only members that have groups in common
@@ -259,6 +260,14 @@ class Principal implements BackendInterface {
$restrictGroups = $this->groupManager->getUserGroupIds($user);
}
+ $currentUserGroups = [];
+ if ($limitEnumeration) {
+ $currentUser = $this->userSession->getUser();
+ if ($currentUser) {
+ $currentUserGroups = $this->groupManager->getUserGroupIds($currentUser);
+ }
+ }
+
foreach ($searchProperties as $prop => $value) {
switch ($prop) {
case '{http://sabredav.org/ns}email-address':
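Review bot: When `getUser()` returns null, `$currentUserGroups` stays `[]`, so the filters added further down keep only exact matches. That fail-closed outcome is the right one for an enumeration limit, but nothing in the added block says it is intended. I would add a comment above it, `// No session user: keep the group list empty so only exact matches pass the enumeration filter`, and write the guard as `if ($currentUser !== null)` instead of relying on object truthiness. The enclosing method starts and ends outside the hunk.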
@@ -270,6 +279,15 @@ class Principal implements BackendInterface {
});
}
+ if ($limitEnumeration) {
+ $users = \array_filter($users, function (IUser $user) use ($currentUserGroups, $value) {
+ return !empty(array_intersect(
+ $this->groupManager->getUserGroupIds($user),
+ $currentUserGroups
+ )) || $user->getEMailAddress() === $value;
+ });
+ }
+
$results[] = array_reduce($users, function(array $carry, IUser $user) use ($restrictGroups) {
// is sharing restricted to groups only?
if ($restrictGroups !== false) {
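Review bot: The filter closure added here is repeated almost verbatim in the display-name hunk at new line 311, differing only in the getter compared with `$value`, so a later fix to one copy of this access check can miss the other. I would move it into one private helper that takes the exact-match test as a callable and checks it first, which also skips the `getUserGroupIds()` lookup for users who already match. The comparison with `getEMailAddress()` is also case-sensitive; if the preceding lookup matches addresses case-insensitively (not visible here), an exact hit typed in different case would be dropped. The surrounding `switch` and the `array_reduce` closure continue outside the hunk.

```php
/**
 * Keep users who match the search term exactly or share a group with the caller.
 *
 * @param IUser[] $users
 * @param string[] $currentUserGroups
 * @param callable $isExactMatch function (IUser): bool
 * @return IUser[]
 */
private function filterByEnumerationLimit(array $users, array $currentUserGroups, callable $isExactMatch): array {
	return \array_filter($users, function (IUser $user) use ($currentUserGroups, $isExactMatch) {
		if ($isExactMatch($user)) {
			return true;
		}
		return !empty(array_intersect($this->groupManager->getUserGroupIds($user), $currentUserGroups));
	});
}

// … unchanged: e-mail lookup and restrictGroups handling …
if ($limitEnumeration) {
	$users = $this->filterByEnumerationLimit($users, $currentUserGroups, function (IUser $user) use ($value) {
		return $user->getEMailAddress() === $value;
	});
}
```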
@@ -293,6 +311,15 @@ class Principal implements BackendInterface {
});
}
+ if ($limitEnumeration) {
+ $users = \array_filter($users, function (IUser $user) use ($currentUserGroups, $value) {
+ return !empty(array_intersect(
+ $this->groupManager->getUserGroupIds($user),
+ $currentUserGroups
+ )) || $user->getDisplayName() === $value;
+ });
+ }
+
$results[] = array_reduce($users, function(array $carry, IUser $user) use ($restrictGroups) {
// is sharing restricted to groups only?
if ($restrictGroups !== false) {
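Review bot: The `|| $user->getDisplayName() === $value` exception in this filter lets a caller who shares no group with a user still get that user back when the search term equals the full display name. Display names are usually guessable and not unique, so the limit on enumeration is weaker on this property than on the e-mail branch. If that residual is intended, it deserves a comment at the filter, for example `// Exact display-name matches are returned even outside shared groups (intentional)`. Otherwise consider making the exact-match exception configurable or restricting it to less guessable identifiers. The `array_reduce` closure that builds the result continues outside the hunk.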