Merge pull request #33945 from nextcloud/fix/noid/fair-use-ldap

LDAP to not register new users when outside of fair use or over limits

1 files changed, 39 insertions, 0 deletions

diff --git a/apps/user_ldap/lib/Mapping/UserMapping.php b/apps/user_ldap/lib/Mapping/UserMapping.php
index 899cc015c9f..ade9c67213a 100644
--- a/apps/user_ldap/lib/Mapping/UserMapping.php
+++ b/apps/user_ldap/lib/Mapping/UserMapping.php
@@ -22,12 +22,51 @@
  */
 namespace OCA\User_LDAP\Mapping;
 
+use OCP\HintException;
+use OCP\IDBConnection;
+use OCP\IRequest;
+use OCP\Server;
+use OCP\Support\Subscription\IAssertion;
+
 /**
  * Class UserMapping
+ *
  * @package OCA\User_LDAP\Mapping
  */
 class UserMapping extends AbstractMapping {
 
+	private IAssertion $assertion;
+	protected const PROV_API_REGEX = '/\/ocs\/v[1-9].php\/cloud\/(groups|users)/';
+
+	public function __construct(IDBConnection $dbc, IAssertion $assertion) {
+		$this->assertion = $assertion;
+		parent::__construct($dbc);
+	}
+
+	/**
+	 * @throws HintException
+	 */
+	public function map($fdn, $name, $uuid): bool {
+		try {
+			$this->assertion->createUserIsLegit();
+		} catch (HintException $e) {
+			static $isProvisioningApi = null;
+
+			if ($isProvisioningApi === null) {
+				$request = Server::get(IRequest::class);
+				$isProvisioningApi = \preg_match(self::PROV_API_REGEX, $request->getRequestUri()) === 1;
+			}
+			if ($isProvisioningApi) {
+				// only throw when prov API is being used, since functionality
+				// should not break for end users (e.g. when sharing).
+				// On direct API usage, e.g. on users page, this is desired.
+				throw $e;
+			}
+			return false;
+		}
+		return parent::map($fdn, $name, $uuid);
+	}
+
 	/**
 	 * returns the DB table name which holds the mappings
 	 * @return string