mirror of
https://github.com/netzbegruenung/circles.git
synced 2024-04-29 02:14:51 +02:00
lib/Search: optionally prevent user and group enumeration
Enumeration of users is limited to users of common groups if the following flag is set: shareapi_allow_share_dialog_user_enumeration.
Enumeration of groups is limited to common groups if the following flag is set: shareapi_only_share_with_group_members.
parent
d6f0d95cf7
commit
bf81f725e8
|
@ -39,6 +39,22 @@ class LocalGroups implements ISearch {
|
|||
|
||||
$result = [];
|
||||
$groupManager = \OC::$server->getGroupManager();
|
||||
$config = \OC::$server->getConfig();
|
||||
$listOwnGroupsOnly = $config->getAppValue('core', 'shareapi_only_share_with_group_members', 'no') === 'yes';
|
||||
$self = \OC::$server->getUserSession()->getUser();
|
||||
if ($self === null) {
|
||||
// This will probably never happen, just to stay consistent with the rest of the codebase.
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ($listOwnGroupsOnly) {
|
||||
// TODO: Add support for 'shareapi_exclude_groups' / 'shareapi_exclude_groups_list'
|
||||
$ownGroupIDs = $groupManager->getUserGroupIds($self);
|
||||
foreach ($ownGroupIDs as $gid) {
|
||||
$result[] = new SearchResult($gid, Member::TYPE_GROUP);
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
$groups = $groupManager->search($search);
|
||||
foreach ($groups as $group) {
|
||||
|
@ -48,4 +64,4 @@ class LocalGroups implements ISearch {
|
|||
return $result;
|
||||
}
|
||||
|
||||
}
|
||||
}
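Review bot: The restricted branch under `if ($listOwnGroupsOnly)` never reads `$search`, so every query, including an empty one, returns all of the caller's groups, while the unrestricted path below goes through `$groupManager->search($search)`. Filtering inside the loop would keep the two paths consistent, assuming `$search` is the plain search string: `if ($search !== '' && stripos($gid, $search) === false) { continue; }` before the `$result[] = ...` line. The open TODO also means that groups named in `shareapi_exclude_groups_list` are still offered by this branch; the comment should say so explicitly as a known gap. The enclosing method starts and ends outside the hunk.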
|
||||
|
|
|
@ -39,6 +39,34 @@ class LocalUsers implements ISearch {
|
|||
|
||||
$result = [];
|
||||
$userManager = \OC::$server->getUserManager();
|
||||
$groupManager = \OC::$server->getGroupManager();
|
||||
$config = \OC::$server->getConfig();
|
||||
$disallowUserEnumeration = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'no') !== 'yes';
|
||||
$self = \OC::$server->getUserSession()->getUser();
|
||||
if ($self === null) {
|
||||
// This will probably never happen, just to stay consistent with the rest of the codebase.
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ($disallowUserEnumeration) {
|
||||
// Only list users in common groups.
|
||||
// TODO: Add support for 'shareapi_exclude_groups' / 'shareapi_exclude_groups_list'
|
||||
$ownGroups = $groupManager->getUserGroups($self);
|
||||
$allMembersByID = [];
|
||||
foreach ($ownGroups as $g) {
|
||||
$members = $g->getUsers();
|
||||
foreach ($members as $m) {
|
||||
$allMembersByID[$m->getUID()] = $m;
|
||||
}
|
||||
}
|
||||
foreach ($allMembersByID as $uid => $m) {
|
||||
$result[] =
|
||||
new SearchResult(
|
||||
$uid, Member::TYPE_USER, ['display' => $m->getDisplayName()]
|
||||
);
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
$users = $userManager->search($search);
|
||||
foreach ($users as $user) {
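Review bot: With enumeration disabled, the branch under `if ($disallowUserEnumeration)` ignores `$search` and returns every member of every group the caller belongs to, so any query still yields the full co-member list, and `$g->getUsers()` loads whole groups on each search. Matching inside the group keeps the result tied to the query: `$members = $g->searchUsers($search);`. Separately, `getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'no')` defaults to 'no', whereas Nextcloud core, as far as I know, reads this key with a default of 'yes'. An instance that never set the option is therefore restricted here but not in the core share dialog; that fails closed, but it should be a deliberate choice recorded in a comment. The enclosing method starts and ends outside the hunk.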
|
||||
|
|