From cd5110a64e2d70a55a8497e3ff068bd4a65150b5 Mon Sep 17 00:00:00 2001
From: Jens Pfeifer
Date: Wed, 26 Jul 2023 06:20:27 +0000
Subject: [PATCH] Fixed removal of all permissions of a user if LDAP auth sync is being executed without any configured group or role definition.
---
 CHANGES.md                      |  1 +
 Kernel/System/Auth/Sync/LDAP.pm | 68 ++++++++++++++++++++-------------
 2 files changed, 42 insertions(+), 27 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 4f11e7c0679..640c81a08b3 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,5 @@
 # 7.0.9 2023-07-26
+ - 2023-07-26 Fixed removal of all permissions of a user if LDAP auth sync is being executed without any configured group or role definition.
  - 2023-07-25 Fixed search limitations for AgentTicketWatchView. [#372](https://github.com/znuny/Znuny/issues/372)
  - 2023-07-24 Added system address check for customer email address given in AgentTicketPhone.
  - 2023-07-21 Fixed double encoding for dynamic field values in linked-tickets-table. Thanks to Tim PĆ¼ttmanns (@tipue-dev), maxence. [PR#300](https://github.com/znuny/Znuny/pull/300)
diff --git a/Kernel/System/Auth/Sync/LDAP.pm b/Kernel/System/Auth/Sync/LDAP.pm
index f859040623c..542e65ca659 100644
--- a/Kernel/System/Auth/Sync/LDAP.pm
+++ b/Kernel/System/Auth/Sync/LDAP.pm
@@ -644,7 +644,14 @@ sub Sync {
     }
     # update changed group permissions
-    if (%GroupPermissionsChanged) {
+    if (
+        %GroupPermissionsChanged
+        && (
+            $UserSyncGroupsDefinition
+            || $UserSyncAttributeGroupsDefinition
+        )
+    )
+    {
         for my $GroupID ( sort keys %GroupPermissionsChanged ) {
             $Kernel::OM->Get('Kernel::System::Log')->Log(
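Review bot: The new condition on the group-permission update tests `$UserSyncGroupsDefinition` and `$UserSyncAttributeGroupsDefinition` only for truth, which covers a missing definition but not one that is configured yet empty; if these hold the config hashrefs (their names suggest so, but they are declared outside the hunk), a defined-but-empty `{}` is still true and an empty LDAP result would again strip every group from the user. The same applies to the role guard in the second hunk. A short comment above the condition would also record why the write is skipped, e.g. `# Without a configured group definition the LDAP result is empty; do not treat that as "remove all groups".`. `Sync` continues outside the hunk.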
@@ -806,34 +813,41 @@ sub Sync {
     # compare role permissions from ldap with current user role permissions and update if necessary
-    # get current user roles
-    my %UserRoles = $GroupObject->PermissionUserRoleGet(
-        UserID => $UserID,
-    );
-
-    ROLEID:
-    for my $RoleID ( sort keys %SystemRoles ) {
-
-        # if old and new permission for role matches, do nothing
-        if (
-            ( $UserRoles{$RoleID} && $RolePermissionsFromLDAP{$RoleID} )
-            ||
-            ( !$UserRoles{$RoleID} && !$RolePermissionsFromLDAP{$RoleID} )
-        )
-        {
-            next ROLEID;
-        }
+    if (
+        $UserSyncRolesDefinition
+        || $UserSyncAttributeRolesDefinition
+    )
+    {
-        $Kernel::OM->Get('Kernel::System::Log')->Log(
-            Priority => 'notice',
-            Message => "User: '$Param{User}' sync ldap role $SystemRoles{$RoleID}!",
-        );
-        $GroupObject->PermissionRoleUserAdd(
-            UID => $UserID,
-            RID => $RoleID,
-            Active => $RolePermissionsFromLDAP{$RoleID} || 0,
-            UserID => 1,
+        # get current user roles
+        my %UserRoles = $GroupObject->PermissionUserRoleGet(
+            UserID => $UserID,
         );
+
+        ROLEID:
+        for my $RoleID ( sort keys %SystemRoles ) {
+
+            # if old and new permission for role matches, do nothing
+            if (
+                ( $UserRoles{$RoleID} && $RolePermissionsFromLDAP{$RoleID} )
+                ||
+                ( !$UserRoles{$RoleID} && !$RolePermissionsFromLDAP{$RoleID} )
+            )
+            {
+                next ROLEID;
+            }
+
+            $Kernel::OM->Get('Kernel::System::Log')->Log(
+                Priority => 'notice',
+                Message => "User: '$Param{User}' sync ldap role $SystemRoles{$RoleID}!",
+            );
+            $GroupObject->PermissionRoleUserAdd(
+                UID => $UserID,
+                RID => $RoleID,
+                Active => $RolePermissionsFromLDAP{$RoleID} || 0,
+                UserID => 1,
+            );
+        }
     }
     # take down session
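Review bot: The notice emitted inside the new loop, `Message => "User: '$Param{User}' sync ldap role $SystemRoles{$RoleID}!"`, reads the same for a grant and a revocation, so the log cannot show which direction a permission changed; adding the value passed as `Active` keeps the audit trail useful, e.g. `Message => "User: '$Param{User}' sync ldap role $SystemRoles{$RoleID} (active: " . ( $RolePermissionsFromLDAP{$RoleID} ? 1 : 0 ) . ")!",`. The new guard here wraps the whole compare-and-update block, whereas the first hunk only guards the write, so the two sync paths now differ in shape for the same purpose and one form should be used for both. `$UserSyncRolesDefinition`, `$UserSyncAttributeRolesDefinition`, `%SystemRoles` and `%RolePermissionsFromLDAP` are set outside this hunk, and `Sync` continues beyond it.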