Guarantee req.oauth in APIRoute middleware

Fix LDAP search error for individual users
2020-10-18 17:19:26 -05:00 · 2020-10-18 17:06:34 -05:00
3 changed files with 13 additions and 2 deletions
--- a/app/ldap/controllers/Users.controller.js
+++ b/app/ldap/controllers/Users.controller.js
@@ -218,10 +218,12 @@ class UsersController extends LDAPController {
    // TODO flitter-orm chunk query
    // TODO generalize scoped search logic
    async search_people(req, res, next) {
-        if ( !req.user.can('ldap:search:users') ) {
+        if ( !req.user.can('ldap:search:users:me') ) {
            return next(new LDAP.InsufficientAccessRightsError())
        }

+        const can_search_all = req.user.can('ldap:search:users')
+
        const iam_targets = this.parse_iam_targets(req.filter)
        if ( req.scope === 'base' ) {
            // If scope is base, check if the base DN matches the filter.
@@ -231,7 +233,12 @@ class UsersController extends LDAPController {
            const user = await this.get_resource_from_dn(req.dn)

            // Make sure the user is ldap visible && match the filter
-            if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) {
+            if (
+                user
+                && user.ldap_visible
+                && req.filter.matches(await user.to_ldap(iam_targets))
+                && (req.user.id === user.id || can_search_all)
+            ) {

                // If so, send the object
                res.send({
@@ -255,6 +262,7 @@ class UsersController extends LDAPController {
            // Fetch the LDAP-visible users
            const users = await this.User.ldap_directory()
            for ( const user of users ) {
+                if ( user.id !== req.user.id && !can_search_all ) continue

                // Make sure the user os of the appropriate scope
                if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
@@ -283,6 +291,7 @@ class UsersController extends LDAPController {
            this.output.debug(`Filter:`)
            this.output.debug(this.filter_to_obj(req.filter.json))
            for ( const user of users ) {
+                if ( user.id !== req.user.id && !can_search_all ) continue
                this.output.debug(`Checking ${user.uid}...`)
                this.output.debug(`DN: ${user.dn}`)
                this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`)
--- a/app/routing/middleware/auth/APIRoute.middleware.js
+++ b/app/routing/middleware/auth/APIRoute.middleware.js
@@ -10,6 +10,7 @@ class APIRouteMiddleware extends Middleware {
        if ( allow_user && req.is_auth ) {
            return next()
        } else if ( allow_token ) {
+            if ( !req.oauth ) req.oauth = {}
            return req.app.oauth2.authorise()(req, res, async e => {
                if ( e ) return next(e)
                // Look up the OAuth2 client an inject it into the route
--- a/config/auth.config.js
+++ b/config/auth.config.js
@@ -194,6 +194,7 @@ const auth_config = {

            // LDAP Binding
            'ldap:bind',
+            'ldap:search:users:me',
        ],

        root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],
Author	SHA1	Message	Date
garrettmills	efdea10b14	Guarantee req.oauth in APIRoute middleware All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 17:19:26 -05:00
garrettmills	ce7349565e	Fix LDAP search error for individual users All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 17:06:34 -05:00