bugfix: Don't return disabled users on GetUser call

cs3org · Dec 20, 2023 · 9b7ec1e · 9b7ec1e
1 parent 6e8505c
commit 9b7ec1e
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/changelog/unreleased/fix-hide-disabled-users.md b/changelog/unreleased/fix-hide-disabled-users.md
@@ -0,0 +1,7 @@
+Bugfix: Don't return disabled users in GetUser call
+
+We fixed a bug where it was still possible to lookup a disabled User if
+the user's ID was known.
+
+https://github.com/cs3org/reva/pull/4426
+https://github.com/owncloud/ocis/issues/7962
diff --git a/pkg/user/manager/ldap/ldap.go b/pkg/user/manager/ldap/ldap.go
@@ -116,6 +116,10 @@ func (m *manager) GetUser(ctx context.Context, uid *userpb.UserId, skipFetchingG
 		return nil, err
 	}
 
+	if m.c.LDAPIdentity.IsLDAPUserInDisabledGroup(log, m.ldapClient, userEntry) {
+		return nil, errtypes.NotFound("user is locally disabled")
+	}
+
 	if skipFetchingGroups {
 		return u, nil
 	}

diff --git a/pkg/utils/ldap/identity.go b/pkg/utils/ldap/identity.go
@@ -503,11 +503,12 @@ func (i *Identity) getUserFilter(uid string) (string, error) {
 		escapedUUID = ldap.EscapeFilter(uid)
 	}
 
-	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
+	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s)%s)",
 		i.User.Filter,
 		i.User.Objectclass,
 		i.User.Schema.ID,
 		escapedUUID,
+		i.disabledFilter(),
 	), nil
 }