user_ldap: Filter groups after nested groups
Currently groupsMatchFilter is called before nested groups are resolved.
This basically breaks this feature since it is not possible to inherit
membership in a group from another group.

Minimal example:

  Group filter: (&(objectClass=group),(cn=nextcloud))
  Nested groups: enabled

  cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local
    objectClass: group

  cn=IT,ou=groups,dn=company,dn=local
    objectClass: group
    memberOf: cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local

  cn=John Doe,ou=users,dn=company,dn=local
    objectClass: person
    memberOf: cn=IT,ou=groups,dn=company,dn=local

Since 'cn=IT,ou=groups,dn=company,dn=local' doesn't match the group
filter, John wouldn't be a member of group 'nextcloud'.

This patch fixes this by filtering the groups after all nested groups
have been collected. If nested groups is disabled the result will be the
same as without this patch.

Signed-off-by: Roland Tapken <[email protected]>
Roland Tapken authored and blizzz committed Mar 7, 2019
commit fe169b021d31b1a1a165f82c85d79fd49449bf51
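To make the ordering problem described in the commit message concrete, here is an added Python model of the memberOf walk (it is not Nextcloud's PHP code). The directory, the `dc=`-style DNs and the extra Ops/Dev cycle are constructed for the example; the configured group filter is modelled as a predicate standing in for `groupsMatchFilter`. `filter_first=True` reproduces the behaviour before this commit, `filter_first=False` the behaviour after it.

```python
# Added model of the _getGroupDNsFromMemberOf change: resolve a user's groups
# through memberOf, with the group filter applied either before the nested
# walk (old behaviour) or after it (this commit). Directory and filter are
# constructed to mirror the commit message; they are not Nextcloud code.
from typing import Dict, List, Optional, Set

NEXTCLOUD = "cn=nextcloud,ou=Nextcloud,ou=groups,dc=company,dc=local"
IT = "cn=IT,ou=groups,dc=company,dc=local"
OPS = "cn=Ops,ou=groups,dc=company,dc=local"
DEV = "cn=Dev,ou=groups,dc=company,dc=local"
JOHN = "cn=John Doe,ou=users,dc=company,dc=local"
JANE = "cn=Jane Roe,ou=users,dc=company,dc=local"

# Constructed directory: DN -> attributes. Ops and Dev form a memberOf cycle
# on purpose, to show that the walk still terminates.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    NEXTCLOUD: {"objectClass": ["group"], "cn": ["nextcloud"], "memberOf": []},
    IT: {"objectClass": ["group"], "cn": ["IT"], "memberOf": [NEXTCLOUD]},
    OPS: {"objectClass": ["group"], "cn": ["Ops"], "memberOf": [DEV]},
    DEV: {"objectClass": ["group"], "cn": ["Dev"], "memberOf": [OPS, NEXTCLOUD]},
    JOHN: {"objectClass": ["person"], "cn": ["John Doe"], "memberOf": [IT]},
    JANE: {"objectClass": ["person"], "cn": ["Jane Roe"], "memberOf": [OPS]},
}


def matches_group_filter(dn: str) -> bool:
    """Stand-in for the configured filter (&(objectClass=group)(cn=nextcloud))."""
    attrs = DIRECTORY.get(dn, {})
    return "group" in attrs.get("objectClass", []) and attrs.get("cn") == ["nextcloud"]


def groups_match_filter(dns: List[str]) -> List[str]:
    """Stand-in for Access::groupsMatchFilter: keep only DNs passing the filter."""
    return [dn for dn in dns if matches_group_filter(dn)]


def get_group_dns_from_member_of(dn: str, nested: bool, filter_first: bool,
                                 seen: Optional[Set[str]] = None) -> List[str]:
    """Return the group DNs `dn` belongs to via memberOf.

    filter_first=True  models the code before the patch (filter, then recurse).
    filter_first=False models the patch (recurse, then filter the whole set).
    `seen` guards against memberOf cycles, like the &$seen parameter in PHP.
    """
    if seen is None:
        seen = set()
    if dn in seen:
        return []
    seen.add(dn)

    groups = list(DIRECTORY.get(dn, {}).get("memberOf", []))
    if filter_first:
        groups = groups_match_filter(groups)  # old: drop non-matching parents now

    all_groups = list(groups)
    if nested:
        for group in groups:
            all_groups.extend(
                get_group_dns_from_member_of(group, nested, filter_first, seen))

    unique = list(dict.fromkeys(all_groups))  # de-duplicate, keep order
    return unique if filter_first else groups_match_filter(unique)


if __name__ == "__main__":
    for user in (JOHN, JANE):
        for filter_first in (True, False):
            print(user, "filter-first" if filter_first else "filter-after",
                  get_group_dns_from_member_of(user, True, filter_first))
```

With nesting enabled, filtering first leaves John with no groups because `cn=IT` is discarded before its own memberOf is ever read; filtering after the walk yields `cn=nextcloud`. With nesting disabled both orderings give the same result, as the commit message states.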
3 changes: 1 addition & 2 deletions apps/user_ldap/lib/Group_LDAP.php
@@ -265,7 +265,6 @@ private function _getGroupDNsFromMemberOf($DN, &$seen = null) {
if (!is_array($groups)) {
return array();
}
$groups = $this->access->groupsMatchFilter($groups);
$allGroups = $groups;
$nestedGroups = $this->access->connection->ldapNestedGroups;
if ((int)$nestedGroups === 1) {
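Review bot: with the `groupsMatchFilter` call dropped from the line before `$allGroups = $groups;`, the nested-groups branch below now recurses into every parent DN, including groups that do not match the configured group filter; that is what the commit message wants, but it also means more lookups per user on directories with deep group trees that mostly sit outside the filter, so it is worth a short comment here stating that the filter is deliberately applied once, on the collected set, at the end of the function. The `&$seen` parameter is presumably what bounds that walk against memberOf cycles, and it matters more now that unfiltered groups are recursed into.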
@@ -274,7 +273,7 @@ private function _getGroupDNsFromMemberOf($DN, &$seen = null) {
$allGroups = array_merge($allGroups, $subGroups);
}
}
return $allGroups;
return $this->access->groupsMatchFilter($allGroups);
}

/**
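Review bot: `$allGroups` reaches the new `return $this->access->groupsMatchFilter($allGroups);` straight from the `array_merge` in the loop above, so a group reachable through several memberOf paths appears more than once in the array; unless `groupsMatchFilter` de-duplicates on its own, pass `array_unique($allGroups)` so callers get one DN per group and the filter is not evaluated on the same DN twice. The non-nested case is unaffected: with nesting disabled `$allGroups` is just `$groups`, so filtering here gives the same result the removed early call did, which matches the commit message.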