From c2d8a36d9a824791234cc4093b79c8a66ee55cbb Mon Sep 17 00:00:00 2001 From: Roland Tapken Date: Wed, 7 Feb 2018 14:08:08 +0100 Subject: [PATCH] user_ldap: Filter groups after nexted groups Currently groupsMatchFilter is called before nested groups are resolved. This basicly breaks this feature since it is not possible to inherit membership in a group from another group. Minimal example: Group filter: (&(objectClass=group),(cn=nextcloud)) Nested groups: enabled cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local objectClass: group cn=IT,ou=groups,dn=company,dn=local objectClass: group memberOf: cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local cn=John Doe,ou=users,dn=company,dn=local objectClass: person memberOf: cn=IT,ou=groups,dn=company,dn=local Since 'cn=IT,ou=groups,dn=company,dn=local' doesn't match the group filter, John wouldn't be a member of group 'nextcloud'. This patch fixes this by filtering the groups after all nested groups have been collected. If nested groups is disabled the result will be the same as without this patch. Signed-off-by: Roland Tapken --- apps/user_ldap/lib/Group_LDAP.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php index 2240c2ad22..b16cb95302 100644 --- a/apps/user_ldap/lib/Group_LDAP.php +++ b/apps/user_ldap/lib/Group_LDAP.php @@ -265,7 +265,6 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD if (!is_array($groups)) { return array(); } - $groups = $this->access->groupsMatchFilter($groups); $allGroups = $groups; $nestedGroups = $this->access->connection->ldapNestedGroups; if ((int)$nestedGroups === 1) { @@ -274,7 +273,7 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD $allGroups = array_merge($allGroups, $subGroups); } } - return $allGroups; + return $this->access->groupsMatchFilter($allGroups); } /**