When checking memberof, apply the group filter after getting all groups #683
Tested with OC 10.6 and 10.8, works in both cases. Note that the patch can't be applied cleanly in any user_ldap's released version.
@jvillafanez PR #684 has been merged. You can rebase this PR.
💥 Acceptance tests pipeline webUIProvisioning-master-chrome-mysql8.0-php7.4 failed. The build has been cancelled.
ahh makes sense, probably was overlooked / not tested. will approve after integration test passing
💥 Acceptance tests pipeline webUIProvisioning-master-chrome-mysql8.0-php7.4 failed. The build has been cancelled.
💥 Acceptance tests pipeline webUIProvisioning-master-chrome-mysql8.0-php7.3 failed. The build has been cancelled.
@janackermann @JammingBen it seems we broke something with the group UI and it's breaking these tests. If it's intentional we need to adjust or drop the failing tests
@jvillafanez Is everything else working correctly? So I think this is an advancement, IF everything else is working
Note: I am making a core PR to
You're right. Makes sense to me.
💥 Acceptance tests pipeline webUIProvisioningS-master-chrome-mysql8.0-php7.3 failed. The build has been cancelled.
Some core skips that I missed yesterday are coming in core PR owncloud/core#39305
PR #686 has been merged - CI is green now. This PR and any others should be rebased.
💥 Acceptance tests pipeline apiUserLDAP-latest-postgres9.4-php7.3 failed. The build has been cancelled.
@phil-davis this seems to be a problem in the core tests.
💥 Acceptance tests pipeline core-apiAll-21-20-master-mysql8.0-php7.3 failed. The build has been cancelled.
For nested groups, this was a problem because the group filter could remove the nested group, so we couldn't check the memberof attribute of the nested group and we couldn't go upwards in the group tree. GroupA contains GroupB, and GroupB contains User1. If the group filter contains just GroupA (not GroupB), checking the "memberof" of User1 would return no group. This PR fixes this by returning GroupA, which is part of the group filter (if the "nested groups" checkbox is active)
Kudos, SonarCloud Quality Gate passed!
Confirmed fixed in 10.9.0 RC2. But it works in more cases than specified above:
Note:
To clarify a bit, this PR just fixes the linked issue, whose steps to reproduce are described at the beginning. It doesn't have anything to do with the group membership algorithm because they were introduced later. There might be some interactions between the algorithm and the checkbox that we should investigate.
@jvillafanez @jnweiger is the way how the query string is used docs relevant?
I don't think it's doc relevant by itself. I mean, it fixes an issue with recursive group membership in AD, but you should know about recursive group membership in the first place. If we don't have docs about recursive group membership, we could decide whether we should document something or not, but I think it's out of the scope of this ticket. In addition, this is mainly for AD (I'm not sure how many providers support this feature, but I don't think it is too common)
As far as I know, we don't have that, therefore I think it is a good idea to have a docs ticket to keep track on.
For nested groups, this was a problem because the group filter could
remove the nested group, so we couldn't check the memberof attribute of
the nested group and we couldn't go upwards in the group tree.
GroupA contains GroupB, and GroupB contains User1. If the group filter
contains just GroupA (not GroupB), checking the "memberof" of User1
would return no group. This PR fixes this by returning GroupA, which is
part of the group filter (if the "nested groups" checkbox is active)
Related to https://github.com/owncloud/enterprise/issues/4754
Steps to reproduce
(&(|(objectclass=user))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=GroupA,CN=Users,DC=forest,DC=dungeon,DC=prv)(primaryGroupID=2048))))
Basically, only members of the GroupA will be allowed. Note the 1.2.840.113556.1.4.1941 for the recursive search in AD.
(&(&(|(objectclass=user))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=GroupA,CN=Users,DC=forest,DC=dungeon,DC=prv)(primaryGroupID=2048))))(samaccoutname=%uid))
(&(|(objectclass=group))(|(|(cn=GroupA))))
Previous behavior
PR's behavior
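
The difference between the two behaviours, as an added example that is not part of the original PR and not ownCloud's code: a small model of walking "memberof" upward with the group filter applied during the walk versus after it. The directory contents, `GROUP_FILTER`, and all function names are constructed for illustration; User2, User3, GroupC and GroupD go beyond the GroupA/GroupB/User1 case in the description to cover direct membership and circular nesting.

```python
from collections import deque

# Constructed directory: DN -> direct "memberof" values (not real data).
MEMBER_OF = {
    "User1": ["GroupB"],             # nested: User1 -> GroupB -> GroupA
    "GroupB": ["GroupA"],
    "User2": ["GroupA"],             # direct member
    "User3": ["GroupC"],             # GroupC and GroupD contain each other
    "GroupC": ["GroupD"],
    "GroupD": ["GroupC"],
}
GROUP_FILTER = {"GroupA"}            # stands in for (cn=GroupA)


def walk_memberof(dn, nested, keep):
    """Breadth-first walk up the memberof tree; `keep` decides which
    groups are recorded and followed at each level."""
    seen, queue = set(), deque([dn])
    while queue:
        for group in MEMBER_OF.get(queue.popleft(), []):
            if group in seen or not keep(group):
                continue
            seen.add(group)          # the seen set also stops circular nesting
            if nested:
                queue.append(group)
    return seen


def groups_filter_during_walk(dn, nested=True):
    """Previous behaviour as described: filtered groups are dropped at
    each level, so their parents are never reached."""
    return sorted(walk_memberof(dn, nested, lambda g: g in GROUP_FILTER))


def groups_filter_after_walk(dn, nested=True):
    """Behaviour the PR describes: collect every group, then filter."""
    everything = walk_memberof(dn, nested, lambda g: True)
    return sorted(g for g in everything if g in GROUP_FILTER)


if __name__ == "__main__":
    for user in ("User1", "User2", "User3"):
        print(user, groups_filter_during_walk(user), groups_filter_after_walk(user))
```
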