Merge branch '5531-give-acl-based-on-an-ldap-filter' into '1.4-dev'

Resolve "Give ACL based on an LDAP filter" See merge request fusiondirectory/fd!682

Merge branch '5531-give-acl-based-on-an-ldap-filter' into '1.4-dev'
Resolve "Give ACL based on an LDAP filter" See merge request fusiondirectory/fd!682
3fcc1df6 · Côme Chilliet · e3b55318 · 1f48583b · 3fcc1df6 · 3fcc1df6
Commit 3fcc1df6 authored 5 years ago by Côme Chilliet
Hide whitespace changes
Inline Side-by-side

Showing

with 20 additions and 2 deletions
+20 -2
--- a/include/class_userinfo.inc
+++ b/include/class_userinfo.inc
@@ -137,6 +137,7 @@ class userinfo
    $this->reset_acl_cache();
    $ldap = $config->get_ldap_link();
    $ldap->cd($config->current['BASE']);
+    $targetFilterLimit  = 100;

    /* Get member groups... */
    $ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']);
@@ -229,12 +230,24 @@ class userinfo

        if (!empty($ACLRule['targetfilter'])) {
          $ldap->cd($dn);
+          $ldap->set_size_limit($targetFilterLimit);
          $targetFilter = templateHandling::parseString($ACLRule['targetfilter'], $this->cachedAttrs, 'ldap_escape_f');
          $ldap->search($targetFilter, ['dn']);
+          if ($ldap->hitSizeLimit()) {
+            msg_dialog::display(
+              _('Error'),
+              sprintf(
+                _('An ACL assignment for the connected user matched more than than the %d objects limit. This user will not have the ACL rights he should.'),
+                $targetFilterLimit
+              ),
+              ERROR_DIALOG
+            );
+          }
          $targetDns = [];
          while ($targetAttrs = $ldap->fetch()) {
            $targetDns[] = $targetAttrs['dn'];
          }
+          $ldap->set_size_limit(0);
        } else {
          $targetDns = [$dn];
        }

--- a/plugins/admin/acl/class_aclAssignmentDialogWindow.inc
+++ b/plugins/admin/acl/class_aclAssignmentDialogWindow.inc
@@ -61,12 +61,17 @@ class aclAssignmentDialogWindow extends simplePlugin
      'advanced' => [
        'name'  => _('Advanced'),
        'attrs' => [
+          new DisplayAttribute(
+            '', _('Warning message'),
+            'advancedWarning', FALSE,
+            _('These options allow you to restrict members or targets by LDAP filter. The member filter cannot use masks, and is safe to return any number of results as it will only be applied to the logged in user. For target filter, please avoid using a filter returning too many results, and if using template masks, avoid doing so on user-editable fields.')
+          ),
          new StringAttribute(
-            _('Restrict users with filter'), _('LDAP filter which a member must match to actually get the rights'),
+            _('Member filter'), _('LDAP filter which a member must match to actually get the rights'),
            'aclUserFilter', FALSE
          ),
          new StringAttribute(
-            _('Restrict targets with filter'), _('LDAP filter which a dn must match to actually be concerned. May use %dn% mask for user dn. Example: (manager=%dn%).'),
+            _('Target filter'), _('LDAP filter which a dn must match to actually be concerned. May use template masks for user fields. Example: (manager=%dn%).'),
            'aclTargetFilter', FALSE
          ),
        ]