Fix LDAP search error for individual users
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing

This commit is contained in:
Garrett Mills 2020-10-18 17:06:34 -05:00
parent a4695a7ecd
commit ce7349565e
Signed by: garrettmills
GPG Key ID: D2BF5FBA8298F246
2 changed files with 12 additions and 2 deletions

View File

@ -218,10 +218,12 @@ class UsersController extends LDAPController {
// TODO flitter-orm chunk query // TODO flitter-orm chunk query
// TODO generalize scoped search logic // TODO generalize scoped search logic
async search_people(req, res, next) { async search_people(req, res, next) {
if ( !req.user.can('ldap:search:users') ) { if ( !req.user.can('ldap:search:users:me') ) {
return next(new LDAP.InsufficientAccessRightsError()) return next(new LDAP.InsufficientAccessRightsError())
} }
const can_search_all = req.user.can('ldap:search:users')
const iam_targets = this.parse_iam_targets(req.filter) const iam_targets = this.parse_iam_targets(req.filter)
if ( req.scope === 'base' ) { if ( req.scope === 'base' ) {
// If scope is base, check if the base DN matches the filter. // If scope is base, check if the base DN matches the filter.
@ -231,7 +233,12 @@ class UsersController extends LDAPController {
const user = await this.get_resource_from_dn(req.dn) const user = await this.get_resource_from_dn(req.dn)
// Make sure the user is ldap visible && match the filter // Make sure the user is ldap visible && match the filter
if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) { if (
user
&& user.ldap_visible
&& req.filter.matches(await user.to_ldap(iam_targets))
&& (req.user.id === user.id || can_search_all)
) {
// If so, send the object // If so, send the object
res.send({ res.send({
@ -255,6 +262,7 @@ class UsersController extends LDAPController {
// Fetch the LDAP-visible users // Fetch the LDAP-visible users
const users = await this.User.ldap_directory() const users = await this.User.ldap_directory()
for ( const user of users ) { for ( const user of users ) {
if ( user.id !== req.user.id && !can_search_all ) continue
// Make sure the user os of the appropriate scope // Make sure the user os of the appropriate scope
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) { if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
@ -283,6 +291,7 @@ class UsersController extends LDAPController {
this.output.debug(`Filter:`) this.output.debug(`Filter:`)
this.output.debug(this.filter_to_obj(req.filter.json)) this.output.debug(this.filter_to_obj(req.filter.json))
for ( const user of users ) { for ( const user of users ) {
if ( user.id !== req.user.id && !can_search_all ) continue
this.output.debug(`Checking ${user.uid}...`) this.output.debug(`Checking ${user.uid}...`)
this.output.debug(`DN: ${user.dn}`) this.output.debug(`DN: ${user.dn}`)
this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`) this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`)

View File

@ -194,6 +194,7 @@ const auth_config = {
// LDAP Binding // LDAP Binding
'ldap:bind', 'ldap:bind',
'ldap:search:users:me',
], ],
root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'], root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],