authorArthur Schiwon <blizzz@arthur-schiwon.de>2020-01-13 12:10:29 +0100
committerArthur Schiwon <blizzz@arthur-schiwon.de>2020-01-13 17:13:08 +0100
commit489ed878e15a986e30ec1ea70b4459e6b22fbaa9 (patch)
tree7787cbb889f1b69dd8c839e7085a3faff4a8697a /apps/user_ldap
parentf657ded6ec93de95eec33e19f3d6d528aa397f2d (diff)
ensure that only valid group members are returned
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'apps/user_ldap')
-rw-r--r--apps/user_ldap/lib/Group_LDAP.php35
1 files changed, 27 insertions, 8 deletions
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index 30d37c13ba2..a38c42035f6 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -812,6 +812,7 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
* @param int $limit
* @param int $offset
* @return array with user ids
+ * @throws \Exception
*/
public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
if(!$this->enabled) {
@@ -863,7 +864,10 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
//we got uids, need to get their DNs to 'translate' them to user names
$filter = $this->access->combineFilterWithAnd(array(
str_replace('%uid', trim($member), $this->access->connection->ldapLoginFilter),
- $this->access->getFilterPartForUserSearch($search)
+ $this->access->combineFilterWithAnd([
+ $this->access->getFilterPartForUserSearch($search),
+ $this->access->connection->ldapUserFilter
+ ])
));
$ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
if(count($ldap_users) < 1) {
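Review bot: The user-filter fragment built on lines 36-39, `combineFilterWithAnd([getFilterPartForUserSearch($search), ldapUserFilter])`, does not depend on `$member` and is spelled out a second time in the DN branch of the next hunk (lines 63-66); the two copies must stay identical for "valid member" to mean the same thing in the uid and DN paths, so compute it once before the per-member loop (presumably the enclosing loop, whose header is outside this hunk) as `$memberFilter = $this->access->combineFilterWithAnd([$this->access->getFilterPartForUserSearch($search), $this->access->connection->ldapUserFilter]);` and reference `$memberFilter` in both places. The new inner list uses `[...]` while the enclosing call on line 33 still uses `array(...)`; one form for the whole expression would read better. If `ldapUserFilter` can be an empty string, confirm that `combineFilterWithAnd` skips empty parts rather than emitting an empty `()` term — presumably it does, since the old code already passed the possibly-empty search part through it, but the nesting is new.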
@@ -872,17 +876,32 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
$groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]);
} else {
//we got DNs, check if we need to filter by search or we can give back all of them
- if ($search !== '') {
- if(!$this->access->readAttribute($member,
+ $uid = $this->access->dn2username($member);
+ if(!$uid) {
+ continue;
+ }
+
+ $cacheKey = 'userExistsOnLDAP' . $uid;
+ $userExists = $this->access->connection->getFromCache($cacheKey);
+ if($userExists === false) {
+ continue;
+ }
+ if($userExists === null || $search !== '') {
+ if (!$this->access->readAttribute($member,
$this->access->connection->ldapUserDisplayName,
- $this->access->getFilterPartForUserSearch($search))) {
+ $this->access->combineFilterWithAnd([
+ $this->access->getFilterPartForUserSearch($search),
+ $this->access->connection->ldapUserFilter
+ ])))
+ {
+ if($search === '') {
+ $this->access->connection->writeToCache($cacheKey, false);
+ }
continue;
}
+ $this->access->connection->writeToCache($cacheKey, true);
}
- // dn2username will also check if the users belong to the allowed base
- if($ocname = $this->access->dn2username($member)) {
- $groupUsers[] = $ocname;
- }
+ $groupUsers[] = $uid;
}
}