author | Georg Ehrke <developer@georgehrke.com> | 2019-11-26 16:37:57 +0100 |
---|---|---|
committer | Georg Ehrke <developer@georgehrke.com> | 2019-12-03 09:44:07 +0100 |
commit | c3748cfee35e0c8122ea8fa73d452e7796f1a0e5 (patch) | |
tree | d5d88b3348495429cd50b74704ab1555ac0e3220 /apps/dav/lib | |
parent | 9fce87b2df43debdb2dc76c70b9af0d980535d3c (diff) | |
respect shareapi_allow_share_dialog_user_enumeration in Principal backend for Sabre/DAV
Signed-off-by: Georg Ehrke <developer@georgehrke.com>
Diffstat (limited to 'apps/dav/lib')
-rw-r--r-- | apps/dav/lib/Command/CreateCalendar.php | 3 | ||||
-rw-r--r-- | apps/dav/lib/Connector/Sabre/Principal.php | 21 | ||||
-rw-r--r-- | apps/dav/lib/RootCollection.php | 5 |
3 files changed, 26 insertions, 3 deletions
diff --git a/apps/dav/lib/Command/CreateCalendar.php b/apps/dav/lib/Command/CreateCalendar.php
index c6bfffb2425..1efe4202368 100644
--- a/apps/dav/lib/Command/CreateCalendar.php
+++ b/apps/dav/lib/Command/CreateCalendar.php
@@ -81,7 +81,8 @@ class CreateCalendar extends Command {
 \OC::$server->getShareManager(),
 \OC::$server->getUserSession(),
 \OC::$server->getAppManager(),
- \OC::$server->query(ProxyMapper::class)
+ \OC::$server->query(ProxyMapper::class),
+ \OC::$server->getConfig()
 );
 $random = \OC::$server->getSecureRandom();
 $logger = \OC::$server->getLogger();
diff --git a/apps/dav/lib/Connector/Sabre/Principal.php b/apps/dav/lib/Connector/Sabre/Principal.php
index 5c61b8371f2..880f082ec42 100644
--- a/apps/dav/lib/Connector/Sabre/Principal.php
+++ b/apps/dav/lib/Connector/Sabre/Principal.php
@@ -40,6 +40,7 @@ use OCA\DAV\CalDAV\Proxy\ProxyMapper;
 use OCA\DAV\Traits\PrincipalProxyTrait;
 use OCP\App\IAppManager;
 use OCP\AppFramework\QueryException;
+use OCP\IConfig;
 use OCP\IGroup;
 use OCP\IGroupManager;
 use OCP\IUser;
@@ -79,6 +80,9 @@ class Principal implements BackendInterface {
 /** @var ProxyMapper */
 private $proxyMapper;
+ /** @var IConfig */
+ private $config;
+
 /**
 * Principal constructor.
 *
@@ -88,6 +92,7 @@ class Principal implements BackendInterface {
 * @param IUserSession $userSession
 * @param IAppManager $appManager
 * @param ProxyMapper $proxyMapper
+ * @param IConfig $config
 * @param string $principalPrefix
 */
 public function __construct(IUserManager $userManager,
@@ -96,6 +101,7 @@ class Principal implements BackendInterface {
 IUserSession $userSession,
 IAppManager $appManager,
 ProxyMapper $proxyMapper,
+ IConfig $config,
 string $principalPrefix = 'principals/users/') {
 $this->userManager = $userManager;
 $this->groupManager = $groupManager;
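Review bot: Inserting the required `IConfig $config` ahead of the defaulted `$principalPrefix` in `Principal::__construct` (hunk -96,6 +101,7) shifts the position of the optional argument, so any caller that passes a prefix as the seventh argument now hands a string to an `IConfig` parameter and fails with a TypeError. The diffstat is limited to apps/dav/lib and shows only the call sites in CreateCalendar.php and RootCollection.php being updated; other callers and test fixtures are not visible here and need the same change. The docblock line could also say what the dependency is for, e.g. `@param IConfig $config read for core/shareapi_allow_share_dialog_user_enumeration`. The constructor body continues past the end of the hunk.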
@@ -105,6 +111,7 @@ class Principal implements BackendInterface {
 $this->principalPrefix = trim($principalPrefix, '/');
 $this->hasGroups = $this->hasCircles = ($principalPrefix === 'principals/users/');
 $this->proxyMapper = $proxyMapper;
+ $this->config = $config;
 }
 use PrincipalProxyTrait {
@@ -240,6 +247,8 @@ class Principal implements BackendInterface {
 return [];
 }
+ $allowEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
+
 // If sharing is restricted to group members only,
 // return only members that have groups in common
 $restrictGroups = false;
@@ -257,6 +266,12 @@ class Principal implements BackendInterface {
 case '{http://sabredav.org/ns}email-address':
 $users = $this->userManager->getByEmail($value);
+ if (!$allowEnumeration) {
+ $users = \array_filter($users, static function(IUser $user) use ($value) {
+ return $user->getEMailAddress() === $value;
+ });
+ }
+
 $results[] = array_reduce($users, function(array $carry, IUser $user) use ($restrictGroups) {
 // is sharing restricted to groups only?
 if ($restrictGroups !== false) {
@@ -274,6 +289,12 @@ class Principal implements BackendInterface {
 case '{DAV:}displayname':
 $users = $this->userManager->searchDisplayName($value);
+ if (!$allowEnumeration) {
+ $users = \array_filter($users, static function(IUser $user) use ($value) {
+ return $user->getDisplayName() === $value;
+ });
+ }
+
 $results[] = array_reduce($users, function(array $carry, IUser $user) use ($restrictGroups) {
 // is sharing restricted to groups only?
 if ($restrictGroups !== false) {
diff --git a/apps/dav/lib/RootCollection.php b/apps/dav/lib/RootCollection.php
index 8c66609ed66..6458f2e1dc2 100644
--- a/apps/dav/lib/RootCollection.php
+++ b/apps/dav/lib/RootCollection.php
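Review bot: The strict comparison `$user->getEMailAddress() === $value` in the email-address branch (hunk -257,6 +266,12) is case-sensitive. If `getByEmail()` matches case-insensitively, which is not visible in this diff, a client that sends the address in different casing gets an empty result once enumeration is disabled, although it supplied the full address. Comparing normalised values keeps the exact-match rule without that surprise: `return \mb_strtolower((string)$user->getEMailAddress()) === \mb_strtolower($value);`. The switch and the surrounding method continue outside the hunk.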
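Review bot: The `$allowEnumeration` gate is applied only in the two cases this diff touches, email-address (hunk -257,6 +266,12) and displayname (hunk -274,6 +289,12); any other searchable property handled by the switch outside these hunks needs the same exact-match rule, otherwise it remains a way to list users with the setting turned off. In the displayname branch `searchDisplayName($value)` still runs the partial-match search and loads every hit before the filter discards the non-exact ones, so the backend work is unchanged when enumeration is disabled. The two filter closures differ only in the getter they call, and a small private helper would keep the rules from drifting apart. A comment above the assignment in hunk -240,6 +247,8 would record the intent, e.g. `// when the admin disabled user enumeration for the share dialog, only exact matches are returned`.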
@@ -63,9 +63,10 @@ class RootCollection extends SimpleCollection {
 $shareManager,
 \OC::$server->getUserSession(),
 \OC::$server->getAppManager(),
- $proxyMapper
+ $proxyMapper,
+ \OC::$server->getConfig()
 );
- $groupPrincipalBackend = new GroupPrincipalBackend($groupManager, $userSession, $shareManager, $l10n);
+ $groupPrincipalBackend = new GroupPrincipalBackend($groupManager, $userSession, $shareManager);
 $calendarResourcePrincipalBackend = new ResourcePrincipalBackend($db, $userSession, $groupManager, $logger, $proxyMapper);
 $calendarRoomPrincipalBackend = new RoomPrincipalBackend($db, $userSession, $groupManager, $logger, $proxyMapper);
 // as soon as debug mode is enabled we allow listing of principals |
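Review bot: Besides passing `\OC::$server->getConfig()` to the user principal backend, this hunk drops `$l10n` from the `GroupPrincipalBackend` constructor call, which the commit message does not mention and which has nothing to do with the enumeration setting. If `GroupPrincipalBackend::__construct` still declares a fourth required parameter (its definition is not part of this diff), the new call fails with an ArgumentCountError when the root collection is built. Either keep `new GroupPrincipalBackend($groupManager, $userSession, $shareManager, $l10n);` or land the matching signature change in the same commit and name it in the description. The enclosing method starts and ends outside the hunk.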