diff options
| author | Arthur Schiwon <blizzz@owncloud.com> | 2015-06-25 12:41:17 +0200 |
|---|---|---|
| committer | Arthur Schiwon <blizzz@owncloud.com> | 2015-06-26 16:42:11 +0200 |
| commit | 8625a8cf23f1583bd84778d46383f46e86469955 (patch) | |
| tree | f8e6a8f8afac5ab1a13fbd7dfe98ed27148275db /apps | |
| parent | 58439c337c2e242c199f153d0529e0b0b482f03a (diff) | |
| download | nextcloud-server-8625a8cf23f1583bd84778d46383f46e86469955.tar.gz nextcloud-server-8625a8cf23f1583bd84778d46383f46e86469955.zip | |
ensure groups match filter when using memberOf to read users group, refs #17119
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/user_ldap/group_ldap.php | 4 | ||||
| -rw-r--r-- | apps/user_ldap/lib/access.php | 27 |
2 files changed, 30 insertions, 1 deletions
diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 0395a4a80e3..a7a90c75832 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -378,9 +378,11 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { && intval($this->access->connection->useMemberOfToDetectMembership) === 1 ) { $groupDNs = $this->access->readAttribute($userDN, 'memberOf'); + if (is_array($groupDNs)) { + $groupDNs = $this->access->groupsMatchFilter($groupDNs); foreach ($groupDNs as $dn) { - $groups[] = $this->access->dn2groupname($dn);; + $groups[] = $this->access->dn2groupname($dn); } } if($primaryGroup !== false) { diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php index f38d11d4be3..b201220d725 100644 --- a/apps/user_ldap/lib/access.php +++ b/apps/user_ldap/lib/access.php @@ -347,6 +347,33 @@ class Access extends LDAPUtility implements user\IUserTools { } /** + * accepts an array of group DNs and tests whether they match the user + * filter by doing read operations against the group entries. Returns an + * array of DNs that match the filter. + * + * @param string[] $groupDNs + * @return string[] + */ + public function groupsMatchFilter($groupDNs) { + $validGroupDNs = []; + foreach($groupDNs as $dn) { + $cacheKey = 'groupsMatchFilter-'.$dn; + if($this->connection->isCached($cacheKey)) { + if($this->connection->getFromCache($cacheKey)) { + $validGroupDNs[] = $dn; + } + continue; + } + + $result = $this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter); + if(is_array($result)) { + $validGroupDNs[] = $dn; + } + } + return $validGroupDNs; + } + + /** * returns the internal ownCloud name for the given LDAP DN of the user, false on DN outside of search DN or failure * @param string $dn the dn of the user object * @param string $ldapName optional, the display name of the object |