Merge pull request #18120 from nextcloud/bugfix/11087/dav_principal_backend_respect_sharing_settings

respect shareapi_allow_share_dialog_user_enumeration in Principal backend for Sabre/DAV

Author: skjnldsv

apps/dav/appinfo/v1/caldav.php

@@ -48,6 +48,7 @@
 	\OC::$server->getUserSession(),
 	\OC::$server->getAppManager(),
 	\OC::$server->query(\OCA\DAV\CalDAV\Proxy\ProxyMapper::class),
+	\OC::$server->getConfig(),
 	'principals/'
 );
 $db = \OC::$server->getDatabaseConnection();

apps/dav/appinfo/v1/carddav.php

@@ -49,6 +49,7 @@
 	\OC::$server->getUserSession(),
 	\OC::$server->getAppManager(),
 	\OC::$server->query(\OCA\DAV\CalDAV\Proxy\ProxyMapper::class),
+	\OC::$server->getConfig(),
 	'principals/'
 );
 $db = \OC::$server->getDatabaseConnection();

apps/dav/lib/Command/CreateCalendar.php

@@ -81,7 +81,8 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 			\OC::$server->getShareManager(),
 			\OC::$server->getUserSession(),
 			\OC::$server->getAppManager(),
-			\OC::$server->query(ProxyMapper::class)
+			\OC::$server->query(ProxyMapper::class),
+			\OC::$server->getConfig()
 		);
 		$random = \OC::$server->getSecureRandom();
 		$logger = \OC::$server->getLogger();

apps/dav/lib/Connector/Sabre/Principal.php

@@ -40,6 +40,7 @@
 use OCA\DAV\Traits\PrincipalProxyTrait;
 use OCP\App\IAppManager;
 use OCP\AppFramework\QueryException;
+use OCP\IConfig;
 use OCP\IGroup;
 use OCP\IGroupManager;
 use OCP\IUser;
@@ -79,6 +80,9 @@ class Principal implements BackendInterface {
 	/** @var ProxyMapper */
 	private $proxyMapper;
 
+	/** @var IConfig */
+	private $config;
+
 	/**
 	 * Principal constructor.
 	 *
@@ -88,6 +92,7 @@ class Principal implements BackendInterface {
 	 * @param IUserSession $userSession
 	 * @param IAppManager $appManager
 	 * @param ProxyMapper $proxyMapper
+	 * @param IConfig $config
 	 * @param string $principalPrefix
 	 */
 	public function __construct(IUserManager $userManager,
@@ -96,6 +101,7 @@ public function __construct(IUserManager $userManager,
 								IUserSession $userSession,
 								IAppManager $appManager,
 								ProxyMapper $proxyMapper,
+								IConfig $config,
 								string $principalPrefix = 'principals/users/') {
 		$this->userManager = $userManager;
 		$this->groupManager = $groupManager;
@@ -105,6 +111,7 @@ public function __construct(IUserManager $userManager,
 		$this->principalPrefix = trim($principalPrefix, '/');
 		$this->hasGroups = $this->hasCircles = ($principalPrefix === 'principals/users/');
 		$this->proxyMapper = $proxyMapper;
+		$this->config = $config;
 	}
 
 	use PrincipalProxyTrait {
@@ -240,6 +247,8 @@ protected function searchUserPrincipals(array $searchProperties, $test = 'allof'
 			return [];
 		}
 
+		$allowEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
+
 		// If sharing is restricted to group members only,
 		// return only members that have groups in common
 		$restrictGroups = false;
@@ -257,6 +266,12 @@ protected function searchUserPrincipals(array $searchProperties, $test = 'allof'
 				case '{http://sabredav.org/ns}email-address':
 					$users = $this->userManager->getByEmail($value);
 
+					if (!$allowEnumeration) {
+						$users = \array_filter($users, static function(IUser $user) use ($value) {
+							return $user->getEMailAddress() === $value;
+						});
+					}
+
 					$results[] = array_reduce($users, function(array $carry, IUser $user) use ($restrictGroups) {
 						// is sharing restricted to groups only?
 						if ($restrictGroups !== false) {
@@ -274,6 +289,12 @@ protected function searchUserPrincipals(array $searchProperties, $test = 'allof'
 				case '{DAV:}displayname':
 					$users = $this->userManager->searchDisplayName($value);
 
+					if (!$allowEnumeration) {
+						$users = \array_filter($users, static function(IUser $user) use ($value) {
+							return $user->getDisplayName() === $value;
+						});
+					}
+
 					$results[] = array_reduce($users, function(array $carry, IUser $user) use ($restrictGroups) {
 						// is sharing restricted to groups only?
 						if ($restrictGroups !== false) {

apps/dav/lib/RootCollection.php

@@ -63,9 +63,10 @@ public function __construct() {
 			$shareManager,
 			\OC::$server->getUserSession(),
 			\OC::$server->getAppManager(),
-			$proxyMapper
+			$proxyMapper,
+			\OC::$server->getConfig()
 		);
-		$groupPrincipalBackend = new GroupPrincipalBackend($groupManager, $userSession, $shareManager, $l10n);
+		$groupPrincipalBackend = new GroupPrincipalBackend($groupManager, $userSession, $shareManager);
 		$calendarResourcePrincipalBackend = new ResourcePrincipalBackend($db, $userSession, $groupManager, $logger, $proxyMapper);
 		$calendarRoomPrincipalBackend = new RoomPrincipalBackend($db, $userSession, $groupManager, $logger, $proxyMapper);
 		// as soon as debug mode is enabled we allow listing of principals

apps/dav/tests/unit/CalDAV/AbstractCalDavBackend.php

@@ -86,6 +86,7 @@ protected function setUp(): void {
 				$this->createMock(IUserSession::class),
 				$this->createMock(IAppManager::class),
 				$this->createMock(ProxyMapper::class),
+				$this->createMock(IConfig::class),
 			])
 			->setMethods(['getPrincipalByPath', 'getGroupMembership'])
 			->getMock();

apps/dav/tests/unit/CardDAV/CardDavBackendTest.php

@@ -134,6 +134,7 @@ protected function setUp(): void {
 				$this->createMock(IUserSession::class),
 				$this->createMock(IAppManager::class),
 				$this->createMock(ProxyMapper::class),
+				$this->createMock(IConfig::class),
 				])
 			->setMethods(['getPrincipalByPath', 'getGroupMembership'])
 			->getMock();
@@ -396,7 +397,7 @@ public function testMultipleUIDDenied() {
 		// create a card
 		$uri0 = $this->getUniqueID('card');
 		$this->backend->createCard($bookId, $uri0, $this->vcardTest0);
-		
+
 		// create another card with same uid
 		$uri1 = $this->getUniqueID('card');
 		$this->expectException(BadRequest::class);

apps/dav/tests/unit/Connector/Sabre/PrincipalTest.php

@@ -65,21 +65,26 @@ class PrincipalTest extends TestCase {
 	/** @var ProxyMapper | \PHPUnit_Framework_MockObject_MockObject */
 	private $proxyMapper;
 
+	/** @var IConfig | \PHPUnit_Framework_MockObject_MockObject */
+	private $config;
+
 	protected function setUp(): void {
 		$this->userManager = $this->createMock(IUserManager::class);
 		$this->groupManager = $this->createMock(IGroupManager::class);
 		$this->shareManager = $this->createMock(IManager::class);
 		$this->userSession = $this->createMock(IUserSession::class);
 		$this->appManager = $this->createMock(IAppManager::class);
 		$this->proxyMapper = $this->createMock(ProxyMapper::class);
+		$this->config = $this->createMock(IConfig::class);
 
 		$this->connector = new \OCA\DAV\Connector\Sabre\Principal(
 			$this->userManager,
 			$this->groupManager,
 			$this->shareManager,
 			$this->userSession,
 			$this->appManager,
-			$this->proxyMapper
+			$this->proxyMapper,
+			$this->config
 		);
 		parent::setUp();
 	}
@@ -209,7 +214,7 @@ public function testGetGroupMemberSet() {
 		$this->assertSame([], $response);
 	}
 
-	
+
 	public function testGetGroupMemberSetEmpty() {
 		$this->expectException(\Sabre\DAV\Exception::class);
 		$this->expectExceptionMessage('Principal not found');
@@ -334,7 +339,7 @@ public function testGetGroupMembership() {
 		$this->assertSame($expectedResponse, $response);
 	}
 
-	
+
 	public function testGetGroupMembershipEmpty() {
 		$this->expectException(\Sabre\DAV\Exception::class);
 		$this->expectExceptionMessage('Principal not found');
@@ -348,7 +353,7 @@ public function testGetGroupMembershipEmpty() {
 		$this->connector->getGroupMembership('principals/users/foo');
 	}
 
-	
+
 	public function testSetGroupMembership() {
 		$this->expectException(\Sabre\DAV\Exception::class);
 		$this->expectExceptionMessage('Setting members of the group is not supported yet');
@@ -403,11 +408,6 @@ public function testSetGroupMembershipProxy() {
 		$this->connector->setGroupMemberSet('principals/users/foo/calendar-proxy-write', ['principals/users/bar']);
 	}
 
-
-
-
-
-
 	public function testUpdatePrincipal() {
 		$this->assertSame(0, $this->connector->updatePrincipal('foo', new PropPatch(array())));
 	}
@@ -430,6 +430,11 @@ public function testSearchPrincipals($sharingEnabled, $groupsOnly, $test, $resul
 			->will($this->returnValue($sharingEnabled));
 
 		if ($sharingEnabled) {
+			$this->config->expects($this->once())
+				->method('getAppValue')
+				->with('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes')
+				->willReturn('yes');
+
 			$this->shareManager->expects($this->once())
 				->method('shareWithGroupMembersOnly')
 				->will($this->returnValue($groupsOnly));
@@ -446,6 +451,8 @@ public function testSearchPrincipals($sharingEnabled, $groupsOnly, $test, $resul
 					->will($this->returnValue(['group1', 'group2', 'group5']));
 			}
 		} else {
+			$this->config->expects($this->never())
+				->method('getAppValue');
 			$this->shareManager->expects($this->never())
 				->method('shareWithGroupMembersOnly');
 			$this->groupManager->expects($this->never())
@@ -518,6 +525,11 @@ public function testSearchPrincipalByCalendarUserAddressSet() {
 			->method('shareAPIEnabled')
 			->will($this->returnValue(true));
 
+		$this->config->expects($this->exactly(2))
+			->method('getAppValue')
+			->with('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes')
+			->willReturn('yes');
+
 		$this->shareManager->expects($this->exactly(2))
 			->method('shareWithGroupMembersOnly')
 			->will($this->returnValue(false));
@@ -539,6 +551,78 @@ public function testSearchPrincipalByCalendarUserAddressSet() {
 			['{urn:ietf:params:xml:ns:caldav}calendar-user-address-set' => 'user@example.com']));
 	}
 
+	public function testSearchPrincipalWithEnumerationDisabledDisplayname() {
+		$this->shareManager->expects($this->once())
+			->method('shareAPIEnabled')
+			->will($this->returnValue(true));
+
+		$this->config->expects($this->once())
+			->method('getAppValue')
+			->with('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes')
+			->willReturn('no');
+
+		$this->shareManager->expects($this->once())
+			->method('shareWithGroupMembersOnly')
+			->will($this->returnValue(false));
+
+		$user2 = $this->createMock(IUser::class);
+		$user2->method('getUID')->will($this->returnValue('user2'));
+		$user2->method('getDisplayName')->will($this->returnValue('User 2'));
+		$user2->method('getEMailAddress')->will($this->returnValue('user2@foo.bar'));
+		$user3 = $this->createMock(IUser::class);
+		$user3->method('getUID')->will($this->returnValue('user3'));
+		$user2->method('getDisplayName')->will($this->returnValue('User 22'));
+		$user2->method('getEMailAddress')->will($this->returnValue('user2@foo.bar123'));
+		$user4 = $this->createMock(IUser::class);
+		$user4->method('getUID')->will($this->returnValue('user4'));
+		$user2->method('getDisplayName')->will($this->returnValue('User 222'));
+		$user2->method('getEMailAddress')->will($this->returnValue('user2@foo.bar456'));
+
+		$this->userManager->expects($this->at(0))
+			->method('searchDisplayName')
+			->with('User 2')
+			->will($this->returnValue([$user2, $user3, $user4]));
+
+		$this->assertEquals(['principals/users/user2'], $this->connector->searchPrincipals('principals/users',
+			['{DAV:}displayname' => 'User 2']));
+	}
+
+	public function testSearchPrincipalWithEnumerationDisabledEmail() {
+		$this->shareManager->expects($this->once())
+			->method('shareAPIEnabled')
+			->will($this->returnValue(true));
+
+		$this->config->expects($this->once())
+			->method('getAppValue')
+			->with('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes')
+			->willReturn('no');
+
+		$this->shareManager->expects($this->once())
+			->method('shareWithGroupMembersOnly')
+			->will($this->returnValue(false));
+
+		$user2 = $this->createMock(IUser::class);
+		$user2->method('getUID')->will($this->returnValue('user2'));
+		$user2->method('getDisplayName')->will($this->returnValue('User 2'));
+		$user2->method('getEMailAddress')->will($this->returnValue('user2@foo.bar'));
+		$user3 = $this->createMock(IUser::class);
+		$user3->method('getUID')->will($this->returnValue('user3'));
+		$user2->method('getDisplayName')->will($this->returnValue('User 22'));
+		$user2->method('getEMailAddress')->will($this->returnValue('user2@foo.bar123'));
+		$user4 = $this->createMock(IUser::class);
+		$user4->method('getUID')->will($this->returnValue('user4'));
+		$user2->method('getDisplayName')->will($this->returnValue('User 222'));
+		$user2->method('getEMailAddress')->will($this->returnValue('user2@foo.bar456'));
+
+		$this->userManager->expects($this->at(0))
+			->method('getByEmail')
+			->with('user2@foo.bar')
+			->will($this->returnValue([$user2, $user3, $user4]));
+
+		$this->assertEquals(['principals/users/user2'], $this->connector->searchPrincipals('principals/users',
+			['{http://sabredav.org/ns}email-address' => 'user2@foo.bar']));
+	}
+
 	public function testFindByUriSharingApiDisabled() {
 		$this->shareManager->expects($this->once())
 			->method('shareApiEnabled')

apps/files_trashbin/lib/AppInfo/Application.php

@@ -58,7 +58,8 @@ public function __construct (array $urlParams = []) {
 				\OC::$server->getShareManager(),
 				\OC::$server->getUserSession(),
 				\OC::$server->getAppManager(),
-				\OC::$server->query(ProxyMapper::class)
+				\OC::$server->query(ProxyMapper::class),
+				\OC::$server->getConfig()
 			);
 		});
 

apps/files_versions/lib/AppInfo/Application.php

@@ -66,7 +66,8 @@ public function __construct(array $urlParams = []) {
 				$server->getShareManager(),
 				$server->getUserSession(),
 				$server->getAppManager(),
-				$server->query(ProxyMapper::class)
+				$server->query(ProxyMapper::class),
+				\OC::$server->getConfig()
 			);
 		});