

ensure that only valid group members are returned
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
blizzz committed Jan 13, 2020
1 parent f657ded commit 489ed87
Showing 1 changed file with 27 additions and 8 deletions.
35 changes: 27 additions & 8 deletions apps/user_ldap/lib/Group_LDAP.php
Expand Up @@ -812,6 +812,7 @@ private function getGroupsByMember($dn, &$seen = null) {
* @param int $limit
* @param int $offset
* @return array with user ids
* @throws \Exception
*/
public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
if(!$this->enabled) {
Expand Down Expand Up @@ -863,7 +864,10 @@ public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
//we got uids, need to get their DNs to 'translate' them to user names
$filter = $this->access->combineFilterWithAnd(array(
str_replace('%uid', trim($member), $this->access->connection->ldapLoginFilter),
$this->access->getFilterPartForUserSearch($search)
$this->access->combineFilterWithAnd([
$this->access->getFilterPartForUserSearch($search),
$this->access->connection->ldapUserFilter
])
));
$ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
if(count($ldap_users) < 1) {
Expand All @@ -872,17 +876,32 @@ public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
$groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]);
} else {
//we got DNs, check if we need to filter by search or we can give back all of them
if ($search !== '') {
if(!$this->access->readAttribute($member,
$uid = $this->access->dn2username($member);
if(!$uid) {
continue;
}

$cacheKey = 'userExistsOnLDAP' . $uid;
$userExists = $this->access->connection->getFromCache($cacheKey);
if($userExists === false) {
continue;
}
if($userExists === null || $search !== '') {
if (!$this->access->readAttribute($member,
$this->access->connection->ldapUserDisplayName,
$this->access->getFilterPartForUserSearch($search))) {
$this->access->combineFilterWithAnd([
$this->access->getFilterPartForUserSearch($search),
$this->access->connection->ldapUserFilter
])))
{
if($search === '') {
$this->access->connection->writeToCache($cacheKey, false);
}
continue;
}
$this->access->connection->writeToCache($cacheKey, true);
}
// dn2username will also check if the users belong to the allowed base
if($ocname = $this->access->dn2username($member)) {
$groupUsers[] = $ocname;
}
$groupUsers[] = $uid;
}
}
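Review bot: The existence check in the third hunk (readAttribute of `ldapUserDisplayName` under `ldapUserFilter`) treats any falsy return as "not a valid user", so a member that matches the user filter but carries no display-name value would be dropped and, when `$search === ''`, cached as absent under `'userExistsOnLDAP' . $uid` until that cache entry expires; if readAttribute's contract distinguishes "matched, no value" from "no match" (not visible here), test for the no-match case explicitly instead of `!`. The key name suggests this cache is shared with the user backend's userExistsOnLDAP check (also not visible here), in which case both writers must mean the same thing by `true`/`false`; a comment such as `// shares the userExistsOnLDAP cache: false = not a user under ldapUserFilter, not merely "no display name"` would make that coupling explicit. Because both positive and negative results are cached, the cache lifetime bounds how long a user removed from LDAP, or no longer matching ldapUserFilter, still appears as a group member, which is worth stating in the docblock of the first hunk next to the new `@throws` line. The opening brace after the `if (!$this->access->readAttribute(` condition sits on its own line, unlike the `if(...) {` form used elsewhere in the hunk. usersInGroup starts and continues outside the hunks shown.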


