upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-03-09 09:51:03 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
nextcloud/lib/private/Collaboration/Collaborators/UserPlugin.php
Christoph Wurst fb966b49b5 Do not match sharees on an empty email address 
When asking for sharees we compare not only UID and displayname but also
the email address. And if that matches we return the sharee as an exact
match. This logic had a flaw as in that it also matched the empty string
to users with no email address.

This is most noticeable when you disable sharee enumeration and open the
ownership transfer dialog. It suggested other users of the instance
before. This has stopped now.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-09-29 07:33:49 +00:00

175 lines
5.2 KiB
PHP
Raw Blame History

<?php
/**
* @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
* @author Joas Schilling <coding@schilljs.com>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Thomas Citharel <tcit@tcit.fr>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Collaboration\Collaborators;
use OCP\Collaboration\Collaborators\ISearchPlugin;
use OCP\Collaboration\Collaborators\ISearchResult;
use OCP\Collaboration\Collaborators\SearchResultType;
use OCP\IConfig;
use OCP\IGroupManager;
use OCP\IUser;
use OCP\IUserManager;
use OCP\IUserSession;
use OCP\Share;
class UserPlugin implements ISearchPlugin {
/* @var bool */
protected $shareWithGroupOnly;
protected $shareeEnumeration;
/** @var IConfig */
private $config;
/** @var IGroupManager */
private $groupManager;
/** @var IUserSession */
private $userSession;
/** @var IUserManager */
private $userManager;
public function __construct(IConfig $config, IUserManager $userManager, IGroupManager $groupManager, IUserSession $userSession) {
$this->config = $config;
$this->groupManager = $groupManager;
$this->userSession = $userSession;
$this->userManager = $userManager;
$this->shareWithGroupOnly = $this->config->getAppValue('core', 'shareapi_only_share_with_group_members', 'no') === 'yes';
$this->shareeEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
}
public function search($search, $limit, $offset, ISearchResult $searchResult) {
$result = ['wide' => [], 'exact' => []];
$users = [];
$hasMoreResults = false;
$currentUserGroups = $this->groupManager->getUserGroupIds($this->userSession->getUser());
if ($this->shareWithGroupOnly) {
// Search in all the groups this user is part of
foreach ($currentUserGroups as $userGroupId) {
$usersInGroup = $this->groupManager->displayNamesInGroup($userGroupId, $search, $limit, $offset);
foreach ($usersInGroup as $userId => $displayName) {
$userId = (string) $userId;
$users[$userId] = $this->userManager->get($userId);
}
}
} else {
// Search in all users
$usersTmp = $this->userManager->searchDisplayName($search, $limit, $offset);
foreach ($usersTmp as $user) {
if ($user->isEnabled()) { // Don't keep deactivated users
$users[(string) $user->getUID()] = $user;
}
}
}
$this->takeOutCurrentUser($users);
if (!$this->shareeEnumeration || count($users) < $limit) {
$hasMoreResults = true;
}
$foundUserById = false;
$lowerSearch = strtolower($search);
foreach ($users as $uid => $user) {
$userDisplayName = $user->getDisplayName();
$userEmail = $user->getEMailAddress();
$uid = (string) $uid;
if (
$lowerSearch !== '' && (strtolower($uid) === $lowerSearch ||
strtolower($userDisplayName) === $lowerSearch ||
strtolower($userEmail) === $lowerSearch)
) {
if (strtolower($uid) === $lowerSearch) {
$foundUserById = true;
}
$result['exact'][] = [
'label' => $userDisplayName,
'value' => [
'shareType' => Share::SHARE_TYPE_USER,
'shareWith' => $uid,
],
];
} else {
$result['wide'][] = [
'label' => $userDisplayName,
'value' => [
'shareType' => Share::SHARE_TYPE_USER,
'shareWith' => $uid,
],
];
}
}
if ($offset === 0 && !$foundUserById) {
// On page one we try if the search result has a direct hit on the
// user id and if so, we add that to the exact match list
$user = $this->userManager->get($search);
if ($user instanceof IUser) {
$addUser = true;
if ($this->shareWithGroupOnly) {
// Only add, if we have a common group
$commonGroups = array_intersect($currentUserGroups, $this->groupManager->getUserGroupIds($user));
$addUser = !empty($commonGroups);
}
if ($addUser) {
$result['exact'][] = [
'label' => $user->getDisplayName(),
'value' => [
'shareType' => Share::SHARE_TYPE_USER,
'shareWith' => $user->getUID(),
],
];
}
}
}
if (!$this->shareeEnumeration) {
$result['wide'] = [];
}
$type = new SearchResultType('users');
$searchResult->addResultSet($type, $result['wide'], $result['exact']);
if (count($result['exact'])) {
$searchResult->markExactIdMatch($type);
}
return $hasMoreResults;
}
public function takeOutCurrentUser(array &$users) {
$currentUser = $this->userSession->getUser();
if(!is_null($currentUser)) {
if (isset($users[$currentUser->getUID()])) {
unset($users[$currentUser->getUID()]);
}
}
}
}
Reference in a new issue View git blame Copy permalink