lib/Search: optionally prevent user and group enumeration

Enumeration of users is limited to users of common groups if the
following flag is set: shareapi_allow_share_dialog_user_enumeration

Enumeration of groups is limited to common groups if the following
flag is set: shareapi_only_share_with_group_members
Leon Klingele 2019-05-15 13:35:49 +02:00
parent d6f0d95cf7
commit bf81f725e8
No known key found for this signature in database
GPG key ID: 3E8EC5542D0D1913
2 changed files with 45 additions and 1 deletions


@ -39,6 +39,22 @@ class LocalGroups implements ISearch {
$result = [];
$groupManager = \OC::$server->getGroupManager();
$config = \OC::$server->getConfig();
$listOwnGroupsOnly = $config->getAppValue('core', 'shareapi_only_share_with_group_members', 'no') === 'yes';
$self = \OC::$server->getUserSession()->getUser();
if ($self === null) {
// This will probably never happen, just to stay consistent with the rest of the codebase.
return $result;
}
if ($listOwnGroupsOnly) {
// TODO: Add support for 'shareapi_exclude_groups' / 'shareapi_exclude_groups_list'
$ownGroupIDs = $groupManager->getUserGroupIds($self);
foreach ($ownGroupIDs as $gid) {
$result[] = new SearchResult($gid, Member::TYPE_GROUP);
}
return $result;
}
$groups = $groupManager->search($search);
foreach ($groups as $group) {
@ -48,4 +64,4 @@ class LocalGroups implements ISearch {
return $result;
}
}
}
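Review bot: In the `$listOwnGroupsOnly` branch `$search` is never consulted, so every query returns all of the caller's groups instead of those matching the term; the restricted branch in LocalUsers has the same gap. Filtering inside the loop keeps the search semantics, for example `if ($search !== '' && stripos($gid, $search) === false) { continue; }`. Separately, the `$self === null` return sits before the flag check, so a caller without a session now gets an empty result even when the restriction is off. Moving that check inside `if ($listOwnGroupsOnly)` would keep the fail-closed behaviour for the restricted case only. The enclosing method begins outside the visible hunks.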


@ -39,6 +39,34 @@ class LocalUsers implements ISearch {
$result = [];
$userManager = \OC::$server->getUserManager();
$groupManager = \OC::$server->getGroupManager();
$config = \OC::$server->getConfig();
$disallowUserEnumeration = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'no') !== 'yes';
$self = \OC::$server->getUserSession()->getUser();
if ($self === null) {
// This will probably never happen, just to stay consistent with the rest of the codebase.
return $result;
}
if ($disallowUserEnumeration) {
// Only list users in common groups.
// TODO: Add support for 'shareapi_exclude_groups' / 'shareapi_exclude_groups_list'
$ownGroups = $groupManager->getUserGroups($self);
$allMembersByID = [];
foreach ($ownGroups as $g) {
$members = $g->getUsers();
foreach ($members as $m) {
$allMembersByID[$m->getUID()] = $m;
}
}
foreach ($allMembersByID as $uid => $m) {
$result[] =
new SearchResult(
$uid, Member::TYPE_USER, ['display' => $m->getDisplayName()]
);
}
return $result;
}
$users = $userManager->search($search);
foreach ($users as $user) {
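Review bot: `$disallowUserEnumeration` is computed with a fallback of `'no'` and `!== 'yes'`, so the restriction is active whenever the key is unset. The commit message reads the other way round ("limited ... if the following flag is set"). If the goal is to follow the server's sharing setting, the fallback should match the server's own default for this key, which I believe is `'yes'` and is worth confirming: `$config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') !== 'yes'`. If failing closed is intended, a comment such as `// Restricted unless the admin explicitly allows enumeration.` would make that explicit. The enclosing method starts and ends outside the hunk.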