Fixes #4560 Added an option to restrict roles members to group members

contrib/openldap/core-fd-conf.schema

@@ -166,6 +166,12 @@ attributetype ( 1.3.6.1.4.1.38414.8.12.18 NAME 'fdCnPattern'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE)
 
+attributetype ( 1.3.6.1.4.1.38414.8.12.19 NAME 'fdRestrictRoleMembers'
+  DESC 'FusionDirectory - Restrict role members to users from the same LDAP branch'
+  EQUALITY booleanMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+  SINGLE-VALUE )
+
 # Password
 
 attributetype ( 1.3.6.1.4.1.38414.8.13.1 NAME 'fdPasswordDefaultHash'
@@ -568,7 +574,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
     fdStrictNamingRules $ fdMinId $ fdUidNumberBase $
     fdGidNumberBase $ fdUserRDN $ fdGroupRDN $ fdIdAllocationMethod $
     fdGidNumberPoolMin $ fdUidNumberPoolMin $ fdGidNumberPoolMax $ fdUidNumberPoolMax $
-    fdAclRoleRDN $ fdCnPattern $
+    fdAclRoleRDN $ fdCnPattern $ fdRestrictRoleMembers $
     fdPasswordDefaultHash $ fdPasswordMinLength $ fdPasswordMinDiffer $
     fdPasswordHook $ fdHandleExpiredAccounts $ fdSaslRealm $ fdSaslExop $
     fdForcePasswordDefaultHash $

include/select/class_filterLDAPBlacklist.inc

@@ -22,30 +22,51 @@
 
 class filterLDAPBlacklist {
 
-  static function query($parent,$base, $scope, $filter, $attributes, $category, $objectStorage= "")
+  static function query($parent, $base, $scope, $filter, $attributes, $category, $objectStorage = "")
   {
-    $result = filterLDAP::query($parent,$base, $scope, $filter, $attributes, $category, $objectStorage);
-    return(filterLDAPBlacklist::filterByBlacklist($result));
+    $result = filterLDAP::query($parent, $base, $scope, $filter, $attributes, $category, $objectStorage);
+    return filterLDAPBlacklist::filterByBlacklist($result);
   }
 
   static function filterByBlacklist($entries)
   {
-    if(session::is_set('filterBlacklist')){
+    if (session::is_set('filterWhitelist')) {
+      $wlist = session::get('filterWhitelist');
+      if (!empty($wlist)) {
+        foreach ($entries as $id => $entry) {
+          $dn1 = $entry['dn'];
+          $dn2 = $wlist['dn'];
+          if (in_array($entry['dn'], $wlist['dn'])) {
+            continue;
+          }
+          foreach ($wlist['branches'] as $branch) {
+            if (preg_match('/'.preg_quote($branch, '/').'$/', $entry['dn'])) {
+              continue 2;
+            }
+          }
+          unset($entries[$id]);
+        }
+      }
+    }
+    if (session::is_set('filterBlacklist')) {
       $blist = session::get('filterBlacklist');
-      foreach($blist as $attr_name => $attr_values){
-        foreach($attr_values as $match){
-          foreach($entries as $id => $entry){
-            if(isset($entry[$attr_name])){
+      foreach ($blist as $attr_name => $attr_values) {
+        foreach ($attr_values as $match) {
+          foreach ($entries as $id => $entry) {
+            if (isset($entry[$attr_name])) {
               $test = $entry[$attr_name];
-              if(!is_array($test)) $test = array($test);
-              if(in_array($match, $test)) unset($entries[$id]);
+              if (!is_array($test)) {
+                $test = array($test);
+              }
+              if (in_array($match, $test)) {
+                unset($entries[$id]);
+              }
             }
           }
         }
       }
     }
-    return(array_values($entries));
+    return array_values($entries);
   }
 }
-
 ?>

include/simpleplugin/class_dialogAttributes.inc

@@ -66,6 +66,7 @@ class GenericSelectDialog extends GenericDialog
   function dialog_execute ()
   {
     session::set('filterBlacklist', $this->attribute->getFilterBlackList());
+    session::set('filterWhitelist', $this->attribute->getFilterWhiteList());
     return parent::dialog_execute();
   }
 
@@ -189,6 +190,11 @@ class DialogAttribute extends SetAttribute
     trigger_error("abstract method");
   }
 
+  function getFilterWhiteList ()
+  {
+    return array();
+  }
+
   function loadPostValue ()
   {
     parent::loadPostValue();

plugins/admin/groups/class_roleGeneric.inc

@@ -18,6 +18,29 @@
   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
 */
 
+class RoleMembersAttribute extends UsersAttribute
+{
+  protected $whitelistDns = NULL;
+
+  function getFilterWhiteList()
+  {
+    global $config;
+    if ($config->get_cfg_value('RestrictRoleMembers') == 'TRUE') {
+      if ($this->whitelistDns === NULL) {
+        /* Computes a list of members of all groups within our branch */
+        $groups = objects::ls('ogroup', array('member' => '*'), $this->plugin->base);
+        $this->whitelistDns = call_user_func_array('array_merge_recursive', $groups)['member'];
+      }
+      return array(
+        'branches'  => array($this->plugin->base),
+        'dn'        => $this->whitelistDns,
+      );
+    } else {
+      return array();
+    }
+  }
+}
+
 class roleGeneric extends simplePlugin
 {
   var $mainTab = TRUE;
@@ -74,7 +97,7 @@ class roleGeneric extends simplePlugin
             _('Fax number'), _('Fax number'),
             'facsimileTelephoneNumber'
           ),
-          new UsersAttribute(
+          new RoleMembersAttribute (
             _('Users'), _('Add users for the role'),
             'roleOccupant', FALSE
           )

plugins/config/class_configInLdap.inc

@@ -363,6 +363,10 @@ class configInLdap extends simplePlugin
             'fdGidNumberPoolMax', FALSE,
             0, FALSE, 40000
           ),
+          new BooleanAttribute (
+            _('Restrict role members'), _('When enabled only users from the same branch or members of groups from the same branch can be added to a role.'),
+            'fdRestrictRoleMembers'
+          ),
         )
       ),
       'debug' => array(