Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
fd06e17d7d
|
|||
|
efdea10b14
|
|||
|
ce7349565e
|
@@ -218,10 +218,12 @@ class UsersController extends LDAPController {
|
||||
// TODO flitter-orm chunk query
|
||||
// TODO generalize scoped search logic
|
||||
async search_people(req, res, next) {
|
||||
if ( !req.user.can('ldap:search:users') ) {
|
||||
if ( !req.user.can('ldap:search:users:me') ) {
|
||||
return next(new LDAP.InsufficientAccessRightsError())
|
||||
}
|
||||
|
||||
const can_search_all = req.user.can('ldap:search:users')
|
||||
|
||||
const iam_targets = this.parse_iam_targets(req.filter)
|
||||
if ( req.scope === 'base' ) {
|
||||
// If scope is base, check if the base DN matches the filter.
|
||||
@@ -231,7 +233,12 @@ class UsersController extends LDAPController {
|
||||
const user = await this.get_resource_from_dn(req.dn)
|
||||
|
||||
// Make sure the user is ldap visible && match the filter
|
||||
if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) {
|
||||
if (
|
||||
user
|
||||
&& user.ldap_visible
|
||||
&& req.filter.matches(await user.to_ldap(iam_targets))
|
||||
&& (req.user.id === user.id || can_search_all)
|
||||
) {
|
||||
|
||||
// If so, send the object
|
||||
res.send({
|
||||
@@ -255,6 +262,7 @@ class UsersController extends LDAPController {
|
||||
// Fetch the LDAP-visible users
|
||||
const users = await this.User.ldap_directory()
|
||||
for ( const user of users ) {
|
||||
if ( user.id !== req.user.id && !can_search_all ) continue
|
||||
|
||||
// Make sure the user os of the appropriate scope
|
||||
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
|
||||
@@ -283,6 +291,7 @@ class UsersController extends LDAPController {
|
||||
this.output.debug(`Filter:`)
|
||||
this.output.debug(this.filter_to_obj(req.filter.json))
|
||||
for ( const user of users ) {
|
||||
if ( user.id !== req.user.id && !can_search_all ) continue
|
||||
this.output.debug(`Checking ${user.uid}...`)
|
||||
this.output.debug(`DN: ${user.dn}`)
|
||||
this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`)
|
||||
|
||||
@@ -7,9 +7,10 @@ class APIRouteMiddleware extends Middleware {
|
||||
|
||||
async test(req, res, next, { allow_token = true, allow_user = true }) {
|
||||
// First, check if there is a user in the session.
|
||||
if ( allow_user && req.is_auth ) {
|
||||
if ( allow_user && req.user ) {
|
||||
return next()
|
||||
} else if ( allow_token ) {
|
||||
if ( !req.oauth ) req.oauth = {}
|
||||
return req.app.oauth2.authorise()(req, res, async e => {
|
||||
if ( e ) return next(e)
|
||||
// Look up the OAuth2 client an inject it into the route
|
||||
|
||||
@@ -194,6 +194,7 @@ const auth_config = {
|
||||
|
||||
// LDAP Binding
|
||||
'ldap:bind',
|
||||
'ldap:search:users:me',
|
||||
],
|
||||
|
||||
root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],
|
||||
|
||||
Reference in New Issue
Block a user