From 6d5c023bcf6dee21233262dd65c40a6b8e8aa7ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@fusiondirectory.org>
Date: Wed, 9 Oct 2019 11:43:53 +0200
Subject: [PATCH] :ambulance: fix(acl) Move ACL target filter limit to a
 configuration option

This is to avoid hard coded values

issue #5531
---
 contrib/openldap/core-fd-conf.schema  | 7 +++++++
 include/class_userinfo.inc            | 2 +-
 plugins/config/class_configInLdap.inc | 5 +++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/contrib/openldap/core-fd-conf.schema b/contrib/openldap/core-fd-conf.schema
index 399caefad..e9cf5c270 100644
--- a/contrib/openldap/core-fd-conf.schema
+++ b/contrib/openldap/core-fd-conf.schema
@@ -406,6 +406,13 @@ attributetype ( 1.3.6.1.4.1.38414.8.18.11 NAME 'fdManagementUserConfig'
   SUBSTR caseIgnoreSubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
 
+attributetype ( 1.3.6.1.4.1.38414.8.18.12 NAME 'fdAclTargetFilterLimit'
+  DESC 'Fusion Directory - Size limit for LDAP filter on ACL targets'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
 # Plugins
 
 attributetype ( 1.3.6.1.4.1.38414.8.19.1 NAME 'fdOGroupRDN'
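Review bot: The new `fdAclTargetFilterLimit` attribute type is declared here, but nothing in this patch appears to add it to an object class. The diffstat counts seven insertions for this file, and all seven are the definition block itself. Unless the configuration entry's object class already lists the attribute under MAY, or gains it in another commit (that definition is outside this hunk), the directory server will reject the write with an object class violation when the setting is saved. The DESC text "Size limit for LDAP filter" also reads as a limit on filter length. Wording such as `DESC 'Fusion Directory - Maximum number of entries an ACL target filter may return'` would match the help text added in class_configInLdap.inc.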
diff --git a/include/class_userinfo.inc b/include/class_userinfo.inc
index 968185b6d..5ecbfec2d 100644
--- a/include/class_userinfo.inc
+++ b/include/class_userinfo.inc
@@ -137,7 +137,7 @@ class userinfo
     $this->reset_acl_cache();
     $ldap = $config->get_ldap_link();
     $ldap->cd($config->current['BASE']);
-    $targetFilterLimit  = 100;
+    $targetFilterLimit  = $config->get_cfg_value('AclTargetFilterLimit', 100);
 
     /* Get member groups... */
     $ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']);
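Review bot: The value returned by `get_cfg_value('AclTargetFilterLimit', 100)` is assigned to `$targetFilterLimit` without a cast or range check, and the form in class_configInLdap.inc accepts `0 /*min*/`. The code that uses `$targetFilterLimit` is outside this hunk. If it is passed as a search size limit, 0 conventionally means "no limit"; if it is compared against a result count, 0 would make every target filter exceed it. Either outcome changes how ACLs are resolved and should be a deliberate choice. If 0 is not meant to be accepted, normalise it here with `$targetFilterLimit = max(1, (int)$config->get_cfg_value('AclTargetFilterLimit', 100));` or raise the IntAttribute minimum to 1. A short comment stating what happens to an ACL whose filter exceeds the limit would also help.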
diff --git a/plugins/config/class_configInLdap.inc b/plugins/config/class_configInLdap.inc
index 8b6eccade..93e8055c3 100644
--- a/plugins/config/class_configInLdap.inc
+++ b/plugins/config/class_configInLdap.inc
@@ -366,6 +366,11 @@ class configInLdap extends simplePlugin
           ),
           // Needed here for ACLs
           new HiddenAttribute('fdManagementConfig'),
+          new IntAttribute(
+            _('ACL target filter limit'), _('Defines the maximum number of entries an ACL target filter is allowed to return'),
+            'fdAclTargetFilterLimit', FALSE,
+            0 /*min*/, FALSE /*no max*/, 100
+          ),
         ]
       ],
     ];
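Review bot: The help string on the new `IntAttribute` states what the limit is, but not what happens to an ACL whose target filter matches more entries than allowed. An administrator needs to know that before raising or lowering a value that affects access control. The handling lives in class_userinfo.inc and is not visible in this patch, so the exact wording needs confirming there. I would extend the second `_()` string with one clause on the consequence (for example, whether the ACL is skipped or an error is shown) and on whether 0 has a special meaning. As a style point, putting the label and the description on separate lines would keep the translatable strings easier to review.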
-- 
GitLab