fix(contacts): Do not expose SAB in /contactsmenu
When hitting the `/contactsmenu/contacts` endpoint with the `dav.system_addressbook_exposed` config switch set to `"no"`, the system address book content is still listed in the response.

This ensures that we do not unexpectedly expose the system address book.

Signed-off-by: Louis Chmn <[email protected]>
artonge committed Oct 15, 2025
commit a61dadffb35cc1503096e5128823836a972b1605
12 changes: 11 additions & 1 deletion apps/dav/lib/CardDAV/ContactsManager.php
Expand Up @@ -26,6 +26,7 @@
namespace OCA\DAV\CardDAV;

use OCP\Contacts\IManager;
use OCP\IConfig;
use OCP\IL10N;
use OCP\IURLGenerator;

Expand All @@ -36,15 +37,19 @@ class ContactsManager {
/** @var IL10N */
private $l10n;

/** @var IConfig */
private $config;

/**
* ContactsManager constructor.
*
* @param CardDavBackend $backend
* @param IL10N $l10n
*/
public function __construct(CardDavBackend $backend, IL10N $l10n) {
public function __construct(CardDavBackend $backend, IL10N $l10n, IConfig $config) {
$this->backend = $backend;
$this->l10n = $l10n;
$this->config = $config;
}

/**
Expand All @@ -63,6 +68,11 @@ public function setupContactsProvider(IManager $cm, $userId, IURLGenerator $urlG
* @param IURLGenerator $urlGenerator
*/
public function setupSystemContactsProvider(IManager $cm, IURLGenerator $urlGenerator) {
$systemAddressBookExposed = $this->config->getAppValue('dav', 'system_addressbook_exposed', 'yes') === 'yes';
if (!$systemAddressBookExposed) {
return;
}

$addressBooks = $this->backend->getAddressBooksForUser("principals/system/system");
$this->register($cm, $addressBooks, $urlGenerator);
}
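Review bot: The new guard in setupSystemContactsProvider compares strictly against `'yes'`, so any other stored value (`'no'`, `'false'`, an empty string) disables the system address book, which is the fail-closed behaviour you want but is not stated anywhere; the commit message talks about `"no"` while the integration scenario writes `false`, and both only work because of this strict comparison. Please document that in the method's docblock, which currently only lists the parameters: `* No-op unless the 'dav' app value 'system_addressbook_exposed' is exactly 'yes' (default); any other value keeps the system address book out of the contacts menu.` The docblock of setupSystemContactsProvider begins outside the hunk (only its last `@param` line is visible), so the line should go just above `@param IManager $cm`. A one-line why-comment above the `getAppValue` call, `// Strict match: anything but 'yes' hides the system address book (fail closed).`, would help the next reader as well.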
9 changes: 7 additions & 2 deletions apps/dav/tests/unit/CardDAV/ContactsManagerTest.php
Expand Up @@ -28,6 +28,7 @@
use OCA\DAV\CardDAV\CardDavBackend;
use OCA\DAV\CardDAV\ContactsManager;
use OCP\Contacts\IManager;
use OCP\IConfig;
use OCP\IL10N;
use OCP\IURLGenerator;
use Test\TestCase;
Expand All @@ -36,16 +37,20 @@ class ContactsManagerTest extends TestCase {
public function test(): void {
/** @var IManager | \PHPUnit\Framework\MockObject\MockObject $cm */
$cm = $this->getMockBuilder(IManager::class)->disableOriginalConstructor()->getMock();
$cm->expects($this->exactly(2))->method('registerAddressBook');
$cm->expects($this->exactly(1))->method('registerAddressBook');
/** @var IURLGenerator&MockObject $urlGenerator */
$urlGenerator = $this->getMockBuilder(IURLGenerator::class)->disableOriginalConstructor()->getMock();
/** @var CardDavBackend | \PHPUnit\Framework\MockObject\MockObject $backEnd */
$backEnd = $this->getMockBuilder(CardDavBackend::class)->disableOriginalConstructor()->getMock();
$backEnd->method('getAddressBooksForUser')->willReturn([
['{DAV:}displayname' => 'Test address book', 'uri' => 'default'],
]);
/** @var IConfig&MockObject $config */
$config = $this->createMock(IConfig::class);

/** @var IL10N&MockObject $l */
$l = $this->createMock(IL10N::class);
$app = new ContactsManager($backEnd, $l);
$app = new ContactsManager($backEnd, $l, $config);
$app->setupContactsProvider($cm, 'user01', $urlGenerator);
}
}
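Review bot: The expectation on `registerAddressBook` drops from 2 to 1 only because `$config` is a bare `createMock(IConfig::class)` whose `getAppValue` returns its type default rather than `'yes'`, so the test now exercises the "not exposed" branch implicitly and the previously covered "exposed" path (presumably reached because setupContactsProvider also registers the system address book, which is outside this diff) has no unit coverage any more. Stub the switch explicitly so the assertion pins the branch it tests: `$config->method('getAppValue')->with('dav', 'system_addressbook_exposed', 'yes')->willReturn('yes');` and restore `$this->exactly(2)`. Then add a second test that stubs `willReturn('no')` and asserts `exactly(1)`, so that a future change to the comparison (for example accepting `'true'`) is caught rather than silently passing through the mock default.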
20 changes: 20 additions & 0 deletions build/integration/features/contacts-menu.feature
Expand Up @@ -192,3 +192,23 @@ Feature: contacts-menu
And searching for contacts matching with "test"
# Disabled because it regularly fails on drone:
# Then the list of searched contacts has "0" contacts

Scenario: users cannot list other users from the system address book
Given user "user1" exists
And As an "admin"
And Deleting the user "user0"
And user "user0" exists
And invoking occ with "config:app:set dav system_addressbook_exposed --value false"
And Logging in using web as "user1"
And searching for contacts matching with "test"
Then the list of searched contacts has "0" contacts
And invoking occ with "config:app:delete dav system_addressbook_exposed"

Scenario: users can list other users from the system address book
Given user "user1" exists
And As an "admin"
And Deleting the user "user0"
And user "user0" exists
And Logging in using web as "user1"
And searching for contacts matching with ""
Then the list of searched contacts has "1" contacts
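Review bot: The negative scenario searches for `"test"` while the positive one searches for `""`, so unless user0's display name happens to contain "test" the first scenario would return 0 contacts even with the system address book exposed, and it would pass without the fix; use the same query as the positive scenario, `And searching for contacts matching with ""`, so that the only difference between the two scenarios is the config switch. The cleanup `config:app:delete` is also the last step of the scenario: if the `Then` assertion fails, the `false` value is left behind and the following scenario, which expects the system address book to be visible, fails for the wrong reason — move the reset into an after-scenario hook or run it before the assertion. Finally, the scenario writes `--value false` while the commit message documents `"no"`; both happen to work because the code compares strictly against `yes`, but the test should use the documented value.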