From 5ada0024afbfbcb0af8e6f37356acb6c7a6ba411 Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Mon, 26 Sep 2016 16:22:44 -0400
Subject: [PATCH] Caching expiration of ACLs assigned to LDAP groups

Fixes #2867
---
 NEWS | 1 +
 SoObjects/SOGo/SOGoGCSFolder.m | 36 +++++++++++++++++++++++++++-------
 2 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/NEWS b/NEWS
index a8e26eb5e..7d88586cc 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,7 @@ Bug fixes
 - [eas] properly escape all email and address fields
 - [eas] properly generate yearly rrule
 - [core] strip protocol value from proxyAddresses attribute (#3182)
+ - [core] fixed caching expiration of ACLs assigned to LDAP groups (#2867)
 - [web] handle binary content transfer encoding when displaying mails
 2.3.14 (2016-08-17)
diff --git a/SoObjects/SOGo/SOGoGCSFolder.m b/SoObjects/SOGo/SOGoGCSFolder.m
index 04c465509..9afed6a5d 100644
--- a/SoObjects/SOGo/SOGoGCSFolder.m
+++ b/SoObjects/SOGo/SOGoGCSFolder.m
@@ -1740,7 +1740,7 @@ static NSArray *childRecordFields = nil;
 {
 EOQualifier *qualifier;
 NSString *uid, *uids, *qs, *objectPath, *domain;
- NSMutableArray *usersAndGroups;
+ NSMutableArray *usersAndGroups, *groupsMembers;
 NSMutableDictionary *aclsForObject;
 SOGoGroup *group;
 unsigned int i;
@@ -1749,23 +1749,40 @@ static NSArray *childRecordFields = nil;
 {
 domain = [[context activeUser] domain];
 usersAndGroups = [NSMutableArray arrayWithArray: users];
+ groupsMembers = [NSMutableArray array];
 for (i = 0; i < [usersAndGroups count]; i++)
 {
 uid = [usersAndGroups objectAtIndex: i];
 if (![uid hasPrefix: @"@"])
 {
- // Prefix the UID with the character "@" when dealing with a group
 group = [SOGoGroup groupWithIdentifier: uid inDomain: domain];
 if (group)
- [usersAndGroups replaceObjectAtIndex: i
- withObject: [NSString stringWithFormat: @"@%@", uid]];
+ {
+ NSArray *members;
+ SOGoUser *user;
+ unsigned int j;
+
+ // Fetch members to remove them from the cache along the group
+ members = [group members];
+ for (j = 0; j < [members count]; j++)
+ {
+ user = [members objectAtIndex: j];
+ [groupsMembers addObject: [user login]];
+ }
+
+ // Prefix the UID with the character "@" when dealing with a group
+ [usersAndGroups replaceObjectAtIndex: i
+ withObject: [NSString stringWithFormat: @"@%@", uid]];
+ }
 }
 }
 objectPath = [objectPathArray componentsJoinedByString: @"/"];
 aclsForObject = [[SOGoCache sharedCache] aclsForPath: objectPath];
 if (aclsForObject)
 {
+ // Remove users, groups and groups members from the cache
 [aclsForObject removeObjectsForKeys: usersAndGroups];
+ [aclsForObject removeObjectsForKeys: groupsMembers];
 [[SOGoCache sharedCache] setACLs: aclsForObject forPath: objectPath];
 }
@@ -1813,6 +1830,7 @@ static NSArray *childRecordFields = nil;
 NSMutableArray *newRoles;
 SOGoGroup *group;
+ objectPath = [objectPathArray componentsJoinedByString: @"/"];
 aUID = uid;
 if (![uid hasPrefix: @"@"])
 {
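Review bot: In the `@@ -1749,23 +1749,40 @@` hunk the member lookup sits inside `if (![uid hasPrefix: @"@"])`, so a group identifier that arrives already prefixed with "@" never has its members' cached roles removed. The hunk at `@@ -1820,7 +1838,12 @@` passes exactly such a prefixed `aUID` into this method and compensates by clearing the whole path first, but any other caller that hands in "@group" would presumably leave members holding cached roles for an ACL that was just revoked, until the cache entry expires. Consider resolving the group for prefixed identifiers as well (stripping the "@" before `groupWithIdentifier:inDomain:` if that method requires it). The loop should also skip unresolved members, `if ([user login]) [groupsMembers addObject: [user login]];`, because `addObject:` raises on nil. The method starts before this hunk and continues after it.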
@@ -1820,7 +1838,12 @@ static NSArray *childRecordFields = nil;
 domain = [[context activeUser] domain];
 group = [SOGoGroup groupWithIdentifier: uid inDomain: domain];
 if (group)
- aUID = [NSString stringWithFormat: @"@%@", uid];
+ {
+ aUID = [NSString stringWithFormat: @"@%@", uid];
+ // Remove all roles when defining ACLs for a group
+ [[SOGoCache sharedCache] setACLs: nil
+ forPath: objectPath];
+ }
 }
 [self removeAclsForUsers: [NSArray arrayWithObject: aUID] forObjectAtPath: objectPathArray];
@@ -1831,12 +1854,11 @@ static NSArray *childRecordFields = nil;
 [newRoles removeObject: SOGoRole_PublicUser];
 [newRoles removeObject: SOGoRole_AuthorizedSubscriber];
 [newRoles removeObject: SOGoRole_None];
- objectPath = [objectPathArray componentsJoinedByString: @"/"];
 if (![newRoles count])
 [newRoles addObject: SOGoRole_None];
- [self _cacheRoles: newRoles forUser: uid
+ [self _cacheRoles: newRoles forUser: aUID
 forObjectAtPath: objectPath];
 [self _commitRoles: newRoles forUID: aUID forObject: objectPath];
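Review bot: The added `[[SOGoCache sharedCache] setACLs: nil forPath: objectPath]` in the `@@ -1820,7 +1838,12 @@` hunk relies on `setACLs:forPath:` treating nil as "drop the cached entry", which nothing in this patch shows. If that method stores or serializes its argument instead, the stale member roles this line is meant to clear could survive, so the nil case is worth confirming against SOGoCache and covering with a test. The comment would also help the next reader more if it gave the reason, e.g. `// Members' cached roles derive from the group's ACL, so drop every cached entry for this path`. The method begins before this hunk.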