Commit 1f48583b authored by Côme Chilliet

feat(acl) Add a hard limit of 100 targets matched for an ACL target filter

This avoids performance problems and RAM exhaustion.

issue #5531
parent 655596b8
......@@ -137,6 +137,7 @@ class userinfo
$this->reset_acl_cache();
$ldap = $config->get_ldap_link();
$ldap->cd($config->current['BASE']);
$targetFilterLimit = 100;
/* Get member groups... */
$ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']);
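Review bot: `$targetFilterLimit = 100;` is a bare local with no comment saying what it bounds, and it is declared roughly ninety lines before the only places it is read. Consider a class constant or a configuration value with a one-line comment, so the limit the commit message calls a hard limit is documented and easy to find from the code that enforces it.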
......@@ -229,12 +230,24 @@ class userinfo
if (!empty($ACLRule['targetfilter'])) {
$ldap->cd($dn);
$ldap->set_size_limit($targetFilterLimit);
$targetFilter = templateHandling::parseString($ACLRule['targetfilter'], $this->cachedAttrs, 'ldap_escape_f');
$ldap->search($targetFilter, ['dn']);
if ($ldap->hitSizeLimit()) {
msg_dialog::display(
_('Error'),
sprintf(
_('An ACL assignment for the connected user matched more than than the %d objects limit. This user will not have the ACL rights he should.'),
$targetFilterLimit
),
ERROR_DIALOG
);
}
$targetDns = [];
while ($targetAttrs = $ldap->fetch()) {
$targetDns[] = $targetAttrs['dn'];
}
$ldap->set_size_limit(0);
} else {
$targetDns = [$dn];
}
......
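Review bot: after `$ldap->hitSizeLimit()` returns true, the `while ($targetAttrs = $ldap->fetch())` loop still fills `$targetDns` from the truncated result, so the rule ends up applied to whichever entries the server happened to return rather than to a defined set. Consider leaving `$targetDns` empty for that rule when the limit is hit, and also writing the rule and user to a log, because the `msg_dialog::display` call only raises a dialog in the connected user's session. Separately, `$ldap->set_size_limit(0);` resets the limit to 0 instead of restoring the value in effect before the search, and the message string contains a doubled "than than".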
  • SonarQube analysis reported 1 issue

    • 1 major

    Note: The following issues were found on lines that were not modified in the commit. Because these issues can't be reported as line comments, they are summarized here:

    1. This function "loadACL" has 158 lines, which is greater than the 150 lines authorized. Split it into smaller functions. 📘