Commit 3fcc1df6 authored by Côme Chilliet's avatar Côme Chilliet

Merge branch '5531-give-acl-based-on-an-ldap-filter' into '1.4-dev'

Resolve "Give ACL based on an LDAP filter"

See merge request fusiondirectory/fd!682
parents e3b55318 1f48583b
......@@ -137,6 +137,7 @@ class userinfo
$this->reset_acl_cache();
$ldap = $config->get_ldap_link();
$ldap->cd($config->current['BASE']);
$targetFilterLimit = 100;
/* Get member groups... */
$ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']);
......@@ -229,12 +230,24 @@ class userinfo
if (!empty($ACLRule['targetfilter'])) {
$ldap->cd($dn);
$ldap->set_size_limit($targetFilterLimit);
$targetFilter = templateHandling::parseString($ACLRule['targetfilter'], $this->cachedAttrs, 'ldap_escape_f');
$ldap->search($targetFilter, ['dn']);
if ($ldap->hitSizeLimit()) {
msg_dialog::display(
_('Error'),
sprintf(
_('An ACL assignment for the connected user matched more than than the %d objects limit. This user will not have the ACL rights he should.'),
$targetFilterLimit
),
ERROR_DIALOG
);
}
$targetDns = [];
while ($targetAttrs = $ldap->fetch()) {
$targetDns[] = $targetAttrs['dn'];
}
$ldap->set_size_limit(0);
} else {
$targetDns = [$dn];
}
......
......@@ -61,12 +61,17 @@ class aclAssignmentDialogWindow extends simplePlugin
'advanced' => [
'name' => _('Advanced'),
'attrs' => [
new DisplayAttribute(
'', _('Warning message'),
'advancedWarning', FALSE,
_('These options allow you to restrict members or targets by LDAP filter. The member filter cannot use masks, and is safe to return any number of results as it will only be applied to the logged in user. For target filter, please avoid using a filter returning too many results, and if using template masks, avoid doing so on user-editable fields.')
),
new StringAttribute(
_('Restrict users with filter'), _('LDAP filter which a member must match to actually get the rights'),
_('Member filter'), _('LDAP filter which a member must match to actually get the rights'),
'aclUserFilter', FALSE
),
new StringAttribute(
_('Restrict targets with filter'), _('LDAP filter which a dn must match to actually be concerned. May use %dn% mask for user dn. Example: (manager=%dn%).'),
_('Target filter'), _('LDAP filter which a dn must match to actually be concerned. May use template masks for user fields. Example: (manager=%dn%).'),
'aclTargetFilter', FALSE
),
]
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment