GitLab: fusiondirectory / fusiondirectory-plugins / Issues / #5704
Status: Closed
Issue created Sep 27, 2017 by sfroger (@sfroger), Reporter

[webservice] User with admin ACL on department can ls objects at root base in WS

Hi

Description

Users who have been declared admin on a department can ls objects at the root base through the WS.

Distribution Name and Version

Ubuntu 17.04

FusionDirectory Version

1.2

Plugin with the defect

fusiondirectory-plugin-webservice

PHP version used

PHP 7.0.22-0ubuntu0.17.04.1 (cli) (built: Aug 8 2017 22:03:30)

Origin of php packages

Official ubuntu repositories

Steps to Reproduce

  1. Set up a tree of departments.
  2. Create users bob and alice in the root base (under ou=users,<base>).
  3. As fd-admin, assign the admin ACL to bob on a department that contains sub-departments.
  4. As bob, try to assign the admin ACL to alice on a sub-department: you should not be able to access the root of the users branch to pick her, as you are not supposed to see these users.
  5. Using the web service, logged in as bob, we can see alice and other users when calling the ls method on ou=users,<base> (tested with JMeter or fusiondirectory-shell), and fetch all their LDAP attributes.

Expected behavior:

Same behaviour as in the UI (Access denied message).

Actual behavior:

Users can be listed, and the user can access their DN and LDAP attributes.

Reproduces how often: 100%

Additional Information

We noticed this issue while looking for a simple way to automatically allow users who are admins on a department to see users at the root base, without giving read rights on ou=users,<base> to everyone or asking FD users to assign another ACL alongside the admin ACL (through the UI or WS), as it may get forgotten (two steps instead of one) or desynchronized (old admins still having read rights even though they are no longer admins...).
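The following script is an added example for turning the reproduction steps above into a repeatable check; it is not part of the issue, of fusiondirectory-shell, or of the webservice plugin. It logs in as the department admin through the JSON-RPC endpoint, calls ls on the root users branch and reports every DN that lies outside the admin's department. The endpoint path (jsonrpc.php), the login and ls parameter order, the session cookie handling and the reply shape are assumptions to be verified against the plugin version in use; the DN scope matching (case-insensitive, on RDN boundaries, so ou=users2 is not mistaken for ou=users) is the reusable part. The demo() function runs the same logic against constructed responses so it can be exercised without a server.

```python
"""Probe the FusionDirectory webservice for department-scoped ls leaks (added example)."""
import http.cookiejar
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional


class RpcError(Exception):
    """Raised when the server answers with a JSON-RPC error object."""


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around each RDN.

    Sufficient for comparing ou=/dc= paths; it does not unescape RFC 4514
    escaped commas, so DNs containing "\\," must be handled before calling.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_within(dn: str, base: str) -> bool:
    """True when dn is base itself or lies below it.

    Matching is done on RDN boundaries: ou=users2,dc=x does not lie
    within ou=users,dc=x even though the strings share a suffix.
    """
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def find_leaks(dns: Iterable[str], allowed_bases: Iterable[str]) -> List[str]:
    """Return the DNs that fall outside every base the caller is allowed to see."""
    bases = list(allowed_bases)
    return [dn for dn in dns if not any(dn_within(dn, b) for b in bases)]


class FdWebservice:
    """Minimal JSON-RPC 2.0 client; transport is injectable for offline tests."""

    def __init__(self, url: str, transport: Optional[Callable[[bytes], bytes]] = None):
        self.url = url
        self._id = 0
        if transport is None:
            # Assumption: the webservice keeps the login in a PHP session cookie,
            # so a cookie jar is enough to carry the session between calls.
            opener = urllib.request.build_opener(
                urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
            transport = lambda body: opener.open(urllib.request.Request(
                url, data=body, headers={"Content-Type": "application/json"})).read()
        self._transport = transport

    def call(self, method: str, params: List):
        self._id += 1
        body = json.dumps({"jsonrpc": "2.0", "id": self._id,
                           "method": method, "params": params}).encode()
        reply = json.loads(self._transport(body))
        if reply.get("id") != self._id:
            raise RuntimeError("JSON-RPC id mismatch")
        if "error" in reply:
            raise RpcError(reply["error"])
        return reply["result"]


def probe(ws: FdWebservice, user: str, password: str, ldap: Optional[str],
          branch: str, allowed_bases: List[str]) -> List[str]:
    """Log in as user, list branch, and return DNs the user should not see.

    An empty list means the listing was either scoped correctly or refused
    by the server (the "Access denied" behaviour the reporter expects).
    """
    ws.call("login", [ldap, user, password])                 # assumed parameter order
    try:
        result = ws.call("ls", ["user", "uid", branch, ""])  # assumed: type, attrs, ou, filter
    except RpcError:
        return []
    return find_leaks(result.keys(), allowed_bases)          # assumed reply: {dn: value}


def fake_transport(canned: Dict[str, Dict]) -> Callable[[bytes], bytes]:
    """Build a transport that answers each method from constructed responses."""
    def send(body: bytes) -> bytes:
        request = json.loads(body)
        reply = {"jsonrpc": "2.0", "id": request["id"], **canned[request["method"]]}
        return json.dumps(reply).encode()
    return send


def demo() -> List[str]:
    """Run the probe against constructed data: bob is admin of ou=sales only."""
    base = "dc=example,dc=com"
    canned = {
        "login": {"result": "constructed-session-id"},
        "ls": {"result": {
            f"uid=alice,ou=users,{base}": "alice",            # outside bob's department
            f"uid=carol,ou=people,ou=sales,{base}": "carol",  # inside bob's department
        }},
    }
    ws = FdWebservice("https://fd.example.invalid/jsonrpc.php",
                      transport=fake_transport(canned))
    return probe(ws, "bob", "secret", None, f"ou=users,{base}",
                 allowed_bases=[f"ou=sales,{base}"])


if __name__ == "__main__":
    print("leaked DNs:", demo())
```

Against a real server, replace the fake transport with the default one and point url at the webservice endpoint; any DN printed by probe() is an object the department admin could read through the WS but not through the UI.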

Edited Sep 27, 2017 by sfroger