Hide the LDAP password in the client side #25702

Merged
merged 1 commit into from Aug 11, 2016


@jvillafanez
Contributor

Connection checks will be done by using the configuration id, with the
stored password. LDAP password won't be sent to the client.

Fix owncloud/enterprise#1489

@DeepDiver1975 backports are required
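The approach described above, modelled as an added example (not ownCloud's code and not part of this pull request): the read path masks the stored bind password, and the connection test receives only a configuration id and uses the stored secret. The store, the placeholder string, the function names and the `fakeBind` stand-in are assumptions, and the save-path guard is an added assumption that the page does not show.

```javascript
// Added illustration; all names here are hypothetical, not ownCloud APIs.
const PLACEHOLDER = '**PASSWORD SET**'; // constructed marker value

// Constructed server-side store: configuration id -> saved settings.
const store = new Map([
  ['s01', { ldap_host: 'ldap.example.test',
            ldap_dn: 'cn=admin,dc=example,dc=test',
            ldap_agent_password: 'S3cr3t-constructed' }],
]);

// Read path: what the server returns to the browser. The secret never leaves.
function getConfigurationForClient(configId) {
  const cfg = store.get(configId);
  if (!cfg) throw new Error('unknown configuration id');
  const out = { ...cfg };
  // Strict comparison so that a password such as "0" is still masked.
  if (typeof out.ldap_agent_password === 'string' && out.ldap_agent_password !== '') {
    out.ldap_agent_password = PLACEHOLDER;
  }
  return out;
}

// Test path: the request carries only the id; credentials come from the store.
function testConfiguration(request, bind) {
  const cfg = store.get(String(request.ldap_serverconfig_chooser));
  if (!cfg) return { status: 'error', message: 'unknown configuration id' };
  const ok = bind(cfg.ldap_host, cfg.ldap_dn, cfg.ldap_agent_password);
  return { status: ok ? 'success' : 'error' };
}

// Save path (assumption): a form echoing the placeholder keeps the stored secret.
function saveConfiguration(configId, submitted) {
  const current = store.get(configId) || {};
  const next = { ...current, ...submitted };
  if (submitted.ldap_agent_password === PLACEHOLDER) {
    next.ldap_agent_password = current.ldap_agent_password ?? '';
  }
  store.set(configId, next);
}

// Stand-in for an LDAP bind; it accepts only the constructed secret.
const fakeBind = (host, dn, password) => password === 'S3cr3t-constructed';
```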

@jvillafanez jvillafanez added this to the 9.2 milestone Aug 5, 2016
@CLAassistant
CLAassistant commented Aug 5, 2016 edited

CLA assistant check
All committers have signed the CLA.

@mention-bot

@jvillafanez, thanks for your PR! By analyzing the annotation information on this pull request, we identified @blizzz, @nickvergessen and @Kondou-ger to be potential reviewers

@PVince81 PVince81 commented on the diff Aug 8, 2016
apps/user_ldap/js/wizard/configModel.js
@@ -318,7 +318,7 @@ OCA = OCA || {};
*/
requestConfigurationTest: function() {
var url = OC.generateUrl('apps/user_ldap/ajax/testConfiguration.php');
- var params = OC.buildQueryString(this.configuration);
+ var params = OC.buildQueryString({ldap_serverconfig_chooser: this.configID});
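Review bot: In requestConfigurationTest the request now carries only ldap_serverconfig_chooser, so the check runs against the saved configuration and any unsaved edits in the wizard form are not what gets tested; the doc comment that ends just above the function should state this so callers do not assume the on-screen values are verified. It is also worth guarding against an unset this.configID before building the query string, since the old code did not depend on that property and an empty id would now be sent as the only parameter.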
@PVince81
PVince81 Aug 8, 2016 Collaborator

Does it mean that ldap_serverconfig_chooser is all we need from this.configuration ? This looks slightly suspicious

@jvillafanez
jvillafanez Aug 9, 2016 Contributor

Yes, we'll test it against the stored configuration, not against whatever is showing.

@PVince81
Collaborator
PVince81 commented Aug 8, 2016

Tested, works 👍
After refreshing the page, the password is replaced properly and the connection check and other checks still work fine.

@jvillafanez please solve the conflicts

@jvillafanez jvillafanez Hide the LDAP password in the client side
Connection checks will be done by using the configuration id, with the
stored password. LDAP password won't be sent to the client.
7641292
@jvillafanez
Contributor

Rebased

@butonic butonic commented on the diff Aug 11, 2016
apps/user_ldap/ajax/getConfiguration.php
@@ -31,4 +31,9 @@
$prefix = (string)$_POST['ldap_serverconfig_chooser'];
$ldapWrapper = new OCA\User_LDAP\LDAP();
$connection = new \OCA\User_LDAP\Connection($ldapWrapper, $prefix);
-OCP\JSON::success(array('configuration' => $connection->getConfiguration()));
+$configuration = $connection->getConfiguration();
+if (isset($configuration['ldap_agent_password']) && $configuration['ldap_agent_password'] !== '') {
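Review bot: The added if on $configuration['ldap_agent_password'] has no comment explaining why the strict !== '' comparison is used; a one-line note that a password such as "0" must still be treated as set would keep a later cleanup to !empty() from reintroducing the leak. The visible lines also do not show what happens to the masked value when the form is saved again, so the save handler should be checked to confirm the masked value cannot be written back as the stored password.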
@butonic
butonic Aug 11, 2016 Member

use !empty()? well that will also return true if $configuration['ldap_agent_password'] is "0". hmm nevermind

@PVince81
Collaborator

Pffff... another case where Jenkins couldn't check out the code.

As this code isn't covered by any tests, merging directly.

@PVince81 PVince81 merged commit 2b29177 into master Aug 11, 2016

3 of 4 checks passed

Jenkins: This commit cannot be built
Scrutinizer: 160 new issues, 65 updated code elements
continuous-integration/travis-ci/pr: The Travis CI build passed
licence/cla: Contributor License Agreement is signed.
@PVince81 PVince81 deleted the ldap_hide_configured_password branch Aug 11, 2016
@PVince81
Collaborator

@jvillafanez please backport

@jvillafanez
Contributor

@PVince81 do we need more backports? Original issue was for 9.0 so I guess we don't need more.

@PVince81
Collaborator

I think it's fine to stop here as it's not critical
