From 9b7ec1e4afc754b9ce39cd053aa793febec478a7 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 20 Dec 2023 13:30:24 +0100
Subject: [PATCH] bugfix: Don't return disabled users on GetUser call

---
 changelog/unreleased/fix-hide-disabled-users.md | 7 +++++++
 pkg/user/manager/ldap/ldap.go | 4 ++++
 pkg/utils/ldap/identity.go | 3 ++-
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/fix-hide-disabled-users.md

diff --git a/changelog/unreleased/fix-hide-disabled-users.md b/changelog/unreleased/fix-hide-disabled-users.md
new file mode 100644
index 0000000000..39e8b84182
--- /dev/null
+++ b/changelog/unreleased/fix-hide-disabled-users.md
@@ -0,0 +1,7 @@
+Bugfix: Don't return disabled users in GetUser call
+
+We fixed a bug where it was still possible to lookup a disabled User if
+the user's ID was known.
+
+https://github.com/cs3org/reva/pull/4426
+https://github.com/owncloud/ocis/issues/7962
diff --git a/pkg/user/manager/ldap/ldap.go b/pkg/user/manager/ldap/ldap.go
index 6b8eeb66cd..a996dbee2d 100644
--- a/pkg/user/manager/ldap/ldap.go
+++ b/pkg/user/manager/ldap/ldap.go
@@ -116,6 +116,10 @@ func (m *manager) GetUser(ctx context.Context, uid *userpb.UserId, skipFetchingG
 		return nil, err
 	}
 
+	if m.c.LDAPIdentity.IsLDAPUserInDisabledGroup(log, m.ldapClient, userEntry) {
+		return nil, errtypes.NotFound("user is locally disabled")
+	}
+
 	if skipFetchingGroups {
 		return u, nil
 	}
diff --git a/pkg/utils/ldap/identity.go b/pkg/utils/ldap/identity.go
index f438d33203..0a9af35c18 100644
--- a/pkg/utils/ldap/identity.go
+++ b/pkg/utils/ldap/identity.go
@@ -503,11 +503,12 @@ func (i *Identity) getUserFilter(uid string) (string, error) {
 		escapedUUID = ldap.EscapeFilter(uid)
 	}
 
-	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
+	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s)%s)",
 		i.User.Filter,
 		i.User.Objectclass,
 		i.User.Schema.ID,
 		escapedUUID,
+		i.disabledFilter(),
 	), nil
 }
 
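Review bot: The disabled-user branch added after the `return nil, err` context returns `errtypes.NotFound("user is locally disabled")`, a message that differs from whatever the preceding lookup returns for an ID that does not exist, so if that text reaches an API client it becomes an oracle for telling a disabled account apart from a nonexistent one. Prefer logging the reason and returning the same generic not-found error the miss path uses, e.g. `log.Debug().Msg("user is locally disabled")` (assuming `log` is the zerolog logger reva uses elsewhere) followed by `return nil, errtypes.NotFound(uid.GetOpaqueId())`, adapted to the error the earlier lookup actually produces, which is outside the hunk. Whether `IsLDAPUserInDisabledGroup` fails closed when resolving the disabled group itself errors is not visible here and is worth confirming, since otherwise a transient directory error silently re-enables the account. GetUser starts and ends outside this hunk.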
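Review bot: The new `%s` slot and `i.disabledFilter()` argument in getUserFilter carry no comment saying why a by-ID lookup must also apply the disabled filter, which is the whole point of the fix; add `// also exclude disabled users, otherwise a known ID still resolves them` above the return. If the sibling filter builders in this file (lookup by claim or username, search) do not append `i.disabledFilter()` the same way, a disabled user remains resolvable through those paths — worth checking, since only this builder is touched. Note also that the output of `disabledFilter()` is spliced into the LDAP filter without `ldap.EscapeFilter`, which is only safe as long as it is built purely from configuration and never from caller-supplied input.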