
Commit af760d1

committed
feat: Implement new interface in LDAP user backend to reflect permissions
This will prevent users from editing profile fields that are configured to be synced from LDAP. I did not include the avatar in this because it has special handling. Signed-off-by: Côme Chilliet <[email protected]>
1 parent 82ec3df commit af760d1

2 files changed

+28
-2
lines changed

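--- a/apps/user_ldap/lib/User_LDAP.php
+++ b/apps/user_ldap/lib/User_LDAP.php
@@ -14,15 +14,17 @@
 use OCA\User_LDAP\User\DeletedUsersIndex;
 use OCA\User_LDAP\User\OfflineUser;
 use OCA\User_LDAP\User\User;
+use OCP\Accounts\IAccountManager;
 use OCP\IUserBackend;
 use OCP\Notification\IManager as INotificationManager;
 use OCP\User\Backend\ICountMappedUsersBackend;
 use OCP\User\Backend\ILimitAwareCountUsersBackend;
+use OCP\User\Backend\IPropertyPermissionBackend;
 use OCP\User\Backend\IProvideEnabledStateBackend;
 use OCP\UserInterface;
 use Psr\Log\LoggerInterface;
 
-class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, IUserLDAP, ILimitAwareCountUsersBackend, ICountMappedUsersBackend, IProvideEnabledStateBackend {
+class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, IUserLDAP, ILimitAwareCountUsersBackend, ICountMappedUsersBackend, IProvideEnabledStateBackend, IPropertyPermissionBackend {
 public function __construct(
 Access $access,
 protected INotificationManager $notificationManager,
@@ -643,4 +645,23 @@ public function setUserEnabled(string $uid, bool $enabled, callable $queryDataba
 public function getDisabledUserList(?int $limit = null, int $offset = 0, string $search = ''): array {
 throw new \Exception('This is implemented directly in User_Proxy');
 }
+
+public function canEditProperty(string $uid, string $property): bool {
+return match($property) {
+// Display name is always set by LDAP
+IAccountManager::PROPERTY_DISPLAYNAME => false,
+IAccountManager::PROPERTY_EMAIL => ((string)$this->access->connection->ldapEmailAttribute !== ''),
+IAccountManager::PROPERTY_PHONE => ((string)$this->access->connection->ldapAttributePhone !== ''),
+IAccountManager::PROPERTY_WEBSITE => ((string)$this->access->connection->ldapAttributeWebsite !== ''),
+IAccountManager::PROPERTY_ADDRESS => ((string)$this->access->connection->ldapAttributeAddress !== ''),
+IAccountManager::PROPERTY_FEDIVERSE => ((string)$this->access->connection->ldapAttributeFediverse !== ''),
+IAccountManager::PROPERTY_ORGANISATION => ((string)$this->access->connection->ldapAttributeOrganisation !== ''),
+IAccountManager::PROPERTY_ROLE => ((string)$this->access->connection->ldapAttributeRole !== ''),
+IAccountManager::PROPERTY_HEADLINE => ((string)$this->access->connection->ldapAttributeHeadline !== ''),
+IAccountManager::PROPERTY_BIOGRAPHY => ((string)$this->access->connection->ldapAttributeBiography !== ''),
+IAccountManager::PROPERTY_BIRTHDATE => ((string)$this->access->connection->ldapAttributeBirthDate !== ''),
+IAccountManager::PROPERTY_PRONOUNS => ((string)$this->access->connection->ldapAttributePronouns !== ''),
+default => true,
+};
+}
 }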
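Review bot: The attribute-backed arms of the match in canEditProperty appear to return the opposite of what the commit message describes: `((string)$this->access->connection->ldapEmailAttribute !== '')` is true exactly when an LDAP email attribute is configured, i.e. when the field is synced and editing should be refused, whereas the display-name arm correctly answers false for the always-synced case. The practical effect would be that on LDAP-synced deployments users may overwrite their synced email, phone and the other mapped fields locally (email is typically what notifications and password-reset mail go to, so a locally diverging value is worth caring about), while deployments without those mappings lose local editing of the same fields entirely. Unless IPropertyPermissionBackend's contract is inverted from its name, each of the eleven attribute arms should test for an empty mapping, e.g. `IAccountManager::PROPERTY_EMAIL => ((string)$this->access->connection->ldapEmailAttribute === ''),`. Since all eleven arms repeat the same cast-and-compare, a one-line private helper such as `isLdapSynced(string $configKey): bool` would keep the polarity in one place, and a short docblock noting that `$uid` is intentionally unused (the decision is per-connection, not per-user) and that the avatar is deliberately excluded would spare the next reader the guesswork.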

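--- a/apps/user_ldap/lib/User_Proxy.php
+++ b/apps/user_ldap/lib/User_Proxy.php
@@ -15,14 +15,15 @@
 use OCP\User\Backend\ICountMappedUsersBackend;
 use OCP\User\Backend\IGetDisplayNameBackend;
 use OCP\User\Backend\ILimitAwareCountUsersBackend;
+use OCP\User\Backend\IPropertyPermissionBackend;
 use OCP\User\Backend\IProvideEnabledStateBackend;
 use OCP\UserInterface;
 use Psr\Log\LoggerInterface;
 
 /**
 * @template-extends Proxy<User_LDAP>
 */
-class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP, ILimitAwareCountUsersBackend, ICountMappedUsersBackend, IProvideEnabledStateBackend, IGetDisplayNameBackend {
+class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP, ILimitAwareCountUsersBackend, ICountMappedUsersBackend, IProvideEnabledStateBackend, IGetDisplayNameBackend, IPropertyPermissionBackend {
 public function __construct(
 private Helper $helper,
 ILDAPWrapper $ldap,
@@ -432,4 +433,8 @@ public function getDisabledUserList(?int $limit = null, int $offset = 0, string
 )
 );
 }
+
+public function canEditProperty(string $uid, string $property): bool {
+return $this->handleRequest($uid, 'canEditProperty', [$uid, $property]);
+}
 }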
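Review bot: canEditProperty forwards the result of handleRequest straight into a `bool` return, but here `false` is a meaningful answer ("not editable") rather than "not my user", so handleRequest's fallback semantics matter. If Proxy::handleRequest treats `false` as its pass-on sentinel the way the other proxied lookups do, a legitimate deny from the backend that owns `$uid` would trigger a walk over the remaining backends, and the answer for a uid no backend claims depends on whatever that walk returns; both cases should be checked against handleRequest, which is outside this hunk. For an authorization decision the safe default is deny, so the wrapper should guarantee `false` when no backend claims the user and never let a non-bool reach the `bool` return type; `return $this->handleRequest($uid, 'canEditProperty', [$uid, $property]) === true;` fails closed on both counts.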
