Merge pull request #13740 from owncloud/fix-12190-2
Include primary groups in user and login filter when restricting group access and also fix user counting in primary groups
commit
52495dc995
|
@ -253,33 +253,72 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
|
|||
return $this->getEntryGroupID($dn, 'primaryGroupID');
|
||||
}
|
||||
|
||||
/**
|
||||
* returns a filter for a "users in primary group" search or count operation
|
||||
*
|
||||
* @param string $groupDN
|
||||
* @param string $search
|
||||
* @return string
|
||||
* @throws \Exception
|
||||
*/
|
||||
private function prepareFilterForUsersInPrimaryGroup($groupDN, $search = '') {
|
||||
$groupID = $this->getGroupPrimaryGroupID($groupDN);
|
||||
if($groupID === false) {
|
||||
throw new \Exception('Not a valid group');
|
||||
}
|
||||
|
||||
$filterParts = [];
|
||||
$filterParts[] = $this->access->getFilterForUserCount();
|
||||
if(!empty($search)) {
|
||||
$filterParts[] = $this->access->getFilterPartForUserSearch($search);
|
||||
}
|
||||
$filterParts[] = 'primaryGroupID=' . $groupID;
|
||||
|
||||
$filter = $this->access->combineFilterWithAnd($filterParts);
|
||||
|
||||
return $filter;
|
||||
}
|
||||
|
||||
/**
|
||||
* returns a list of users that have the given group as primary group
|
||||
*
|
||||
* @param string $groupDN
|
||||
* @param $limit
|
||||
* @param string $search
|
||||
* @param int $limit
|
||||
* @param int $offset
|
||||
* @return string[]
|
||||
*/
|
||||
public function getUsersInPrimaryGroup($groupDN, $limit = -1, $offset = 0) {
|
||||
$groupID = $this->getGroupPrimaryGroupID($groupDN);
|
||||
if($groupID === false) {
|
||||
public function getUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) {
|
||||
try {
|
||||
$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
|
||||
return $this->access->fetchListOfUsers(
|
||||
$filter,
|
||||
array($this->access->connection->ldapUserDisplayName, 'dn'),
|
||||
$limit,
|
||||
$offset
|
||||
);
|
||||
} catch (\Exception $e) {
|
||||
return array();
|
||||
}
|
||||
}
|
||||
|
||||
$filter = $this->access->combineFilterWithAnd(array(
|
||||
$this->access->connection->ldapUserFilter,
|
||||
'primaryGroupID=' . $groupID
|
||||
));
|
||||
|
||||
$users = $this->access->fetchListOfUsers(
|
||||
$filter,
|
||||
array($this->access->connection->ldapUserDisplayName, 'dn'),
|
||||
$limit,
|
||||
$offset
|
||||
);
|
||||
|
||||
return $users;
|
||||
/**
|
||||
* returns the number of users that have the given group as primary group
|
||||
*
|
||||
* @param string $groupDN
|
||||
* @param string $search
|
||||
* @param int $limit
|
||||
* @param int $offset
|
||||
* @return int
|
||||
*/
|
||||
public function countUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) {
|
||||
try {
|
||||
$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
|
||||
$users = $this->access->countUsers($filter, array('dn'), $limit, $offset);
|
||||
return (int)$users;
|
||||
} catch (\Exception $e) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -410,6 +449,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
|
|||
if(!$this->groupExists($gid)) {
|
||||
return array();
|
||||
}
|
||||
$search = $this->access->escapeFilterPart($search, true);
|
||||
$cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset;
|
||||
// check for cache of the exact query
|
||||
$groupUsers = $this->access->connection->getFromCache($cacheKey);
|
||||
|
@ -478,7 +518,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
|
|||
$groupUsers = array_slice($groupUsers, $offset, $limit);
|
||||
|
||||
//and get users that have the group as primary
|
||||
$primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $limit, $offset);
|
||||
$primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset);
|
||||
$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers));
|
||||
|
||||
$this->access->connection->writeToCache($cacheKey, $groupUsers);
|
||||
|
@ -517,10 +557,13 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
|
|||
}
|
||||
|
||||
if(empty($search)) {
|
||||
$groupUsers = count($members);
|
||||
$primaryUsers = $this->countUsersInPrimaryGroup($groupDN, '');
|
||||
$groupUsers = count($members) + $primaryUsers;
|
||||
|
||||
$this->access->connection->writeToCache($cacheKey, $groupUsers);
|
||||
return $groupUsers;
|
||||
}
|
||||
$search = $this->access->escapeFilterPart($search, true);
|
||||
$isMemberUid =
|
||||
(strtolower($this->access->connection->ldapGroupMemberAssocAttr)
|
||||
=== 'memberuid');
|
||||
|
@ -562,10 +605,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
|
|||
}
|
||||
|
||||
//and get users that have the group as primary
|
||||
$primaryUsers = $this->getUsersInPrimaryGroup($groupDN);
|
||||
$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers));
|
||||
$primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search);
|
||||
|
||||
return count($groupUsers);
|
||||
return count($groupUsers) + $primaryUsers;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -628,6 +670,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
|
|||
if(!$this->enabled) {
|
||||
return array();
|
||||
}
|
||||
$search = $this->access->escapeFilterPart($search, true);
|
||||
$pagingSize = $this->access->connection->ldapPagingSize;
|
||||
if ((! $this->access->connection->hasPagedResultSupport)
|
||||
|| empty($pagingSize)) {
|
||||
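Review bot: The new public methods `getUsersInPrimaryGroup()` and `countUsersInPrimaryGroup()` pass `$search` straight into `prepareFilterForUsersInPrimaryGroup()`, which hands it to `getFilterPartForUserSearch()` without escaping. The two callers visible on this page escape it first with `escapeFilterPart($search, true)`, but nothing in the docblocks states that requirement, so a future caller could pass raw user input into the LDAP filter. I would either make both methods private like the helper, or document the contract, e.g. `@param string $search search term, must already be escaped with Access::escapeFilterPart()`. Separately, `catch (\Exception $e)` also catches anything thrown by `fetchListOfUsers()`/`countUsers()`, not only 'Not a valid group', and the resulting `array()`/`0` is then written to the cache by the callers; a dedicated exception type for the invalid-group case, plus logging for the rest, would keep a directory failure from being cached as an empty membership. The calling functions start and end outside the hunks shown.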
|
|
|
@ -968,7 +968,7 @@ class Access extends LDAPUtility implements user\IUserTools {
|
|||
/**
|
||||
* escapes (user provided) parts for LDAP filter
|
||||
* @param string $input, the provided value
|
||||
* @param bool $allowAsterisk wether in * at the beginning should be preserved
|
||||
* @param bool $allowAsterisk whether in * at the beginning should be preserved
|
||||
* @return string the escaped string
|
||||
*/
|
||||
public function escapeFilterPart($input, $allowAsterisk = false) {
|
||||
|
|
|
@ -38,6 +38,7 @@ namespace OCA\user_ldap\lib;
|
|||
* @property boolean hasPagedResultSupport
|
||||
* @property string[] ldapBaseUsers
|
||||
* @property int|string ldapPagingSize holds an integer
|
||||
* @property bool|mixed|void ldapGroupMemberAssocAttr
|
||||
*/
|
||||
class Connection extends LDAPUtility {
|
||||
private $ldapConnectionRes = null;
|
||||
|
|
|
@ -857,13 +857,23 @@ class Wizard extends LDAPUtility {
|
|||
}
|
||||
$base = $this->configuration->ldapBase[0];
|
||||
foreach($cns as $cn) {
|
||||
$rr = $this->ldap->search($cr, $base, 'cn=' . $cn, array('dn'));
|
||||
$rr = $this->ldap->search($cr, $base, 'cn=' . $cn, array('dn', 'primaryGroupToken'));
|
||||
if(!$this->ldap->isResource($rr)) {
|
||||
continue;
|
||||
}
|
||||
$er = $this->ldap->firstEntry($cr, $rr);
|
||||
$attrs = $this->ldap->getAttributes($cr, $er);
|
||||
$dn = $this->ldap->getDN($cr, $er);
|
||||
$filter .= '(memberof=' . $dn . ')';
|
||||
if(empty($dn)) {
|
||||
continue;
|
||||
}
|
||||
$filterPart = '(memberof=' . $dn . ')';
|
||||
if(isset($attrs['primaryGroupToken'])) {
|
||||
$pgt = $attrs['primaryGroupToken'][0];
|
||||
$primaryFilterPart = '(primaryGroupID=' . $pgt .')';
|
||||
$filterPart = '(|' . $filterPart . $primaryFilterPart . ')';
|
||||
}
|
||||
$filter .= $filterPart;
|
||||
}
|
||||
$filter .= ')';
|
||||
}
|
||||
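Review bot: `$dn` and `$pgt` are concatenated into `$filterPart` and `$primaryFilterPart` without escaping, and the lookup filter `'cn=' . $cn` is built the same way. A group CN or DN containing `(`, `)`, `*` or `\` would produce a malformed or differently scoped filter, and per the commit title this filter restricts which users are accepted. Filter values should be escaped (the rules in `Access::escapeFilterPart()`, if that is reachable from the Wizard), and the token accepted only when numeric: `if(isset($attrs['primaryGroupToken']) && ctype_digit((string)$attrs['primaryGroupToken'][0])) {`. Also, `getAttributes($cr, $er)` runs before the `empty($dn)` guard, so an empty search result reaches it with whatever `firstEntry()` returned; moving that call below the guard avoids this. The enclosing function starts outside the hunk.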
|
|
|
@ -75,10 +75,15 @@ class Test_Group_Ldap extends \Test\TestCase {
|
|||
->method('readAttribute')
|
||||
->will($this->returnValue(array('u11', 'u22', 'u33', 'u34')));
|
||||
|
||||
// for primary groups
|
||||
$access->expects($this->once())
|
||||
->method('countUsers')
|
||||
->will($this->returnValue(2));
|
||||
|
||||
$groupBackend = new GroupLDAP($access);
|
||||
$users = $groupBackend->countUsersInGroup('group');
|
||||
|
||||
$this->assertSame(4, $users);
|
||||
$this->assertSame(6, $users);
|
||||
}
|
||||
|
||||
public function testCountWithSearchString() {
|
||||
|
|