ensure groups match filter when using memberOf to read users group, refs #17119
parent
58439c337c
commit
8625a8cf23
|
@ -378,9 +378,11 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
|
||||||
&& intval($this->access->connection->useMemberOfToDetectMembership) === 1
|
&& intval($this->access->connection->useMemberOfToDetectMembership) === 1
|
||||||
) {
|
) {
|
||||||
$groupDNs = $this->access->readAttribute($userDN, 'memberOf');
|
$groupDNs = $this->access->readAttribute($userDN, 'memberOf');
|
||||||
|
|
||||||
if (is_array($groupDNs)) {
|
if (is_array($groupDNs)) {
|
||||||
|
$groupDNs = $this->access->groupsMatchFilter($groupDNs);
|
||||||
foreach ($groupDNs as $dn) {
|
foreach ($groupDNs as $dn) {
|
||||||
$groups[] = $this->access->dn2groupname($dn);;
|
$groups[] = $this->access->dn2groupname($dn);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if($primaryGroup !== false) {
|
if($primaryGroup !== false) {
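Review bot: The rewritten `$groups[] = $this->access->dn2groupname($dn);` line still appends the lookup result unchecked, so a DN that cannot be mapped to a name would put a non-string entry into the user's group list. The Access docblock visible in this commit documents `false` as the failure value for the user-DN lookup, and dn2groupname presumably behaves the same way; if so, guard it with `$name = $this->access->dn2groupname($dn);` followed by `if (is_string($name)) { $groups[] = $name; }`. Because this list feeds group-based access decisions, a one-line comment above the new `groupsMatchFilter()` call stating that memberOf values are re-checked against the configured group filter would also help the next reader. The enclosing method starts and ends outside the hunk.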
|
||||||
|
|
|
@ -346,6 +346,33 @@ class Access extends LDAPUtility implements user\IUserTools {
|
||||||
return $this->dn2ocname($fdn, $ldapName, false);
|
return $this->dn2ocname($fdn, $ldapName, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* accepts an array of group DNs and tests whether they match the user
|
||||||
|
* filter by doing read operations against the group entries. Returns an
|
||||||
|
* array of DNs that match the filter.
|
||||||
|
*
|
||||||
|
* @param string[] $groupDNs
|
||||||
|
* @return string[]
|
||||||
|
*/
|
||||||
|
public function groupsMatchFilter($groupDNs) {
|
||||||
|
$validGroupDNs = [];
|
||||||
|
foreach($groupDNs as $dn) {
|
||||||
|
$cacheKey = 'groupsMatchFilter-'.$dn;
|
||||||
|
if($this->connection->isCached($cacheKey)) {
|
||||||
|
if($this->connection->getFromCache($cacheKey)) {
|
||||||
|
$validGroupDNs[] = $dn;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
$result = $this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter);
|
||||||
|
if(is_array($result)) {
|
||||||
|
$validGroupDNs[] = $dn;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $validGroupDNs;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* returns the internal ownCloud name for the given LDAP DN of the user, false on DN outside of search DN or failure
|
* returns the internal ownCloud name for the given LDAP DN of the user, false on DN outside of search DN or failure
|
||||||
* @param string $dn the dn of the user object
|
* @param string $dn the dn of the user object
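Review bot: `groupsMatchFilter()` reads the `'groupsMatchFilter-'.$dn` key from the cache, but nothing in the hunk writes it, so unless the key is populated elsewhere the cached branch never runs and every call costs one LDAP read per group DN. Store both outcomes after the read, e.g. `$matches = is_array($result);` followed by `$this->connection->writeToCache($cacheKey, $matches);`, and append the DN only when `$matches` is true. Once the verdict is cached it is an authorization input that can lag behind a changed group filter until the entry expires, which is worth a sentence in the docblock. The docblock also says the DNs are tested against the "user filter" while the code passes `ldapGroupFilter`; it should read "group filter".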
|
||||||
|
|