From 44aa1352e4dea2f9883d7a68a4ac1f5e34bebae2 Mon Sep 17 00:00:00 2001 From: Francis Lachapelle Date: Mon, 26 Sep 2016 16:22:44 -0400 Subject: [PATCH] Caching expiration of ACLs assigned to LDAP groups Fixes #2867 --- NEWS | 1 + SoObjects/SOGo/SOGoGCSFolder.m | 36 +++++++++++++++++++++++++++------- 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/NEWS b/NEWS index 22e269117..83f9fef00 100644 --- a/NEWS +++ b/NEWS @@ -25,6 +25,7 @@ Bug fixes - [core] strip protocol value from proxyAddresses attribute (#3182) - [core] we now search in all domain sources for Apple Calendar - [core] properly handle groups in Apple Calendar's delegation + - [core] fixed caching expiration of ACLs assigned to LDAP groups (#2867) 3.1.5 (2016-08-10) ------------------ diff --git a/SoObjects/SOGo/SOGoGCSFolder.m b/SoObjects/SOGo/SOGoGCSFolder.m index 77224c6ec..54917f95d 100644 --- a/SoObjects/SOGo/SOGoGCSFolder.m +++ b/SoObjects/SOGo/SOGoGCSFolder.m @@ -1725,7 +1725,7 @@ static NSArray *childRecordFields = nil; { EOQualifier *qualifier; NSString *uid, *uids, *qs, *objectPath, *domain; - NSMutableArray *usersAndGroups; + NSMutableArray *usersAndGroups, *groupsMembers; NSMutableDictionary *aclsForObject; SOGoGroup *group; unsigned int i; @@ -1734,23 +1734,40 @@ static NSArray *childRecordFields = nil; { domain = [[context activeUser] domain]; usersAndGroups = [NSMutableArray arrayWithArray: users]; + groupsMembers = [NSMutableArray array]; for (i = 0; i < [usersAndGroups count]; i++) { uid = [usersAndGroups objectAtIndex: i]; if (![uid hasPrefix: @"@"]) { - // Prefix the UID with the character "@" when dealing with a group group = [SOGoGroup groupWithIdentifier: uid inDomain: domain]; if (group) - [usersAndGroups replaceObjectAtIndex: i - withObject: [NSString stringWithFormat: @"@%@", uid]]; + { + NSArray *members; + SOGoUser *user; + unsigned int j; + + // Fetch members to remove them from the cache along the group + members = [group members]; + for (j = 0; j < [members count]; j++) + { + user = [members objectAtIndex: j]; + [groupsMembers addObject: [user login]]; + } + + // Prefix the UID with the character "@" when dealing with a group + [usersAndGroups replaceObjectAtIndex: i + withObject: [NSString stringWithFormat: @"@%@", uid]]; + } } } objectPath = [objectPathArray componentsJoinedByString: @"/"]; aclsForObject = [[SOGoCache sharedCache] aclsForPath: objectPath]; if (aclsForObject) { + // Remove users, groups and groups members from the cache [aclsForObject removeObjectsForKeys: usersAndGroups]; + [aclsForObject removeObjectsForKeys: groupsMembers]; [[SOGoCache sharedCache] setACLs: aclsForObject forPath: objectPath]; } @@ -1805,6 +1822,7 @@ static NSArray *childRecordFields = nil; NSMutableArray *newRoles; SOGoGroup *group; + objectPath = [objectPathArray componentsJoinedByString: @"/"]; aUID = uid; if (![uid hasPrefix: @"@"]) { @@ -1812,7 +1830,12 @@ static NSArray *childRecordFields = nil; domain = [[context activeUser] domain]; group = [SOGoGroup groupWithIdentifier: uid inDomain: domain]; if (group) - aUID = [NSString stringWithFormat: @"@%@", uid]; + { + aUID = [NSString stringWithFormat: @"@%@", uid]; + // Remove all roles when defining ACLs for a group + [[SOGoCache sharedCache] setACLs: nil + forPath: objectPath]; + } } [self removeAclsForUsers: [NSArray arrayWithObject: aUID] forObjectAtPath: objectPathArray]; @@ -1823,12 +1846,11 @@ static NSArray *childRecordFields = nil; [newRoles removeObject: SOGoRole_PublicUser]; [newRoles removeObject: SOGoRole_AuthorizedSubscriber]; [newRoles removeObject: SOGoRole_None]; - objectPath = [objectPathArray componentsJoinedByString: @"/"]; if (![newRoles count]) [newRoles addObject: SOGoRole_None]; - [self _cacheRoles: newRoles forUser: uid + [self _cacheRoles: newRoles forUser: aUID forObjectAtPath: objectPath]; [self _commitRoles: newRoles forUID: aUID forObject: objectPath];