Merge branch '2024.11'

tine-groupware · Dec 9, 2024 · 8bc4a8a · 8bc4a8a
2 parents 2ce5d17 + 253c77e
commit 8bc4a8a
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 4 deletions.
diff --git a/tine20/Tinebase/User/ActiveDirectory.php b/tine20/Tinebase/User/ActiveDirectory.php
@@ -5,10 +5,15 @@
  * @package     Tinebase
  * @subpackage  User
  * @license     http://www.gnu.org/licenses/agpl.html AGPL Version 3
- * @copyright   Copyright (c) 2007-2023 Metaways Infosystems GmbH (http://www.metaways.de)
+ * @copyright   Copyright (c) 2007-2024 Metaways Infosystems GmbH (http://www.metaways.de)
  * @author      Lars Kneschke <[email protected]>
  */
 
+use Tine\SDDL_Parser\ACE;
+use Tine\SDDL_Parser\GUID;
+use Tine\SDDL_Parser\SDDL;
+use Tine\SDDL_Parser\SID;
+
 /**
  * User Samba4 ldap backend
  *
@@ -111,6 +116,8 @@ public function __construct(array $_options = array())
             $this->_rowNameMapping['accountHomeDirectory'] = 'unixhomedirectory';
             $this->_rowNameMapping['accountLoginShell']    = 'loginshell';
         }
+
+        $this->_additionalLdapAttributesToFetch[] = 'ntsecuritydescriptor';
     }
 
     /**
@@ -165,6 +172,11 @@ public function addUserToSyncBackend(Tinebase_Model_FullUser $_user)
 
         $user = $this->getUserByPropertyFromSyncBackend('accountId', $_user, 'Tinebase_Model_FullUser');
 
+        if (Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::PWD_CANT_CHANGE}) {
+            $this->updateUserInSyncBackend($user);
+            $user = $this->getUserByPropertyFromSyncBackend('accountId', $_user, 'Tinebase_Model_FullUser');
+        }
+
         return $user;
     }
 
@@ -557,8 +569,69 @@ protected function _user2ldap(Tinebase_Model_FullUser $_user, array $_ldapEntry
         $ldapData = array(
             'useraccountcontrol' => isset($_ldapEntry['useraccountcontrol']) ? $_ldapEntry['useraccountcontrol'][0] : self::NORMAL_ACCOUNT
         );
-        if (Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::PWD_CANT_CHANGE}) {
-            $ldapData['useraccountcontrol'] |= self::PASSWD_CANT_CHANGE;
+        if (Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::PWD_CANT_CHANGE}
+                && ($_ldapEntry['ntsecuritydescriptor'][0] ?? false)) {
+            try {
+                $sddl = SDDL::fromBytes($_ldapEntry['ntsecuritydescriptor'][0]);
+                $foundSelf = false;
+                $foundEveryone = false;
+                $setAceData = function(ACE\ObjectAccess $ace): void {
+                    $ace->setType(ACE::ACETYPE_ACCESS_DENIED_OBJECT);
+                    $ace->setAccessMask(ACE::ACCESS_MASK_ADS_RIGHT_DS_CONTROL_ACCESS);
+                    $ace->setInheritedObject(null);
+                    $ace->setFlags(0);
+                    $ace->setUniqueFlags(ACE::ACE_OBJECT_TYPE_PRESENT);
+                };
+
+                foreach ($sddl->getDACL()->getACEs() as $offset => $ace) {
+                    if ($ace instanceof ACE\ObjectAccess && $ace->getObject()?->getStringForm() === GUID::CHANGE_PASSWORD_GUID) {
+                        if ($ace->getSID()->getStringForm() === SID::SID_EVERYONE) {
+                            if ($foundEveryone) {
+                                $sddl->getDACL()->removeACE($offset);
+                            } else {
+                                $foundEveryone = true;
+                                $setAceData($ace);
+                            }
+                        } elseif ($ace->getSID()->getStringForm() === SID::SID_NT_AUTHORITY_SELF) {
+                            if ($foundSelf) {
+                                $sddl->getDACL()->removeACE($offset);
+                            } else {
+                                $foundSelf = true;
+                                $setAceData($ace);
+                            }
+                        }
+                    }
+                }
+
+                if (!$foundSelf) {
+                    $sddl->getDACL()->addACE(new ACE\ObjectAccess(
+                        binaryForm: '',
+                        flags: 0,
+                        type: ACE::ACETYPE_ACCESS_DENIED_OBJECT,
+                        accessMask: ACE::ACCESS_MASK_ADS_RIGHT_DS_CONTROL_ACCESS,
+                        uniqueFlags: ACE::ACE_OBJECT_TYPE_PRESENT,
+                        object: GUID::fromString(GUID::CHANGE_PASSWORD_GUID),
+                        inheritedObject: null,
+                        sid: SID::fromString(SID::SID_NT_AUTHORITY_SELF)
+                    ));
+                }
+                if (!$foundEveryone) {
+                    $sddl->getDACL()->addACE(new ACE\ObjectAccess(
+                        binaryForm: '',
+                        flags: 0,
+                        type: ACE::ACETYPE_ACCESS_DENIED_OBJECT,
+                        accessMask: ACE::ACCESS_MASK_ADS_RIGHT_DS_CONTROL_ACCESS,
+                        uniqueFlags:ACE::ACE_OBJECT_TYPE_PRESENT,
+                        object: GUID::fromString(GUID::CHANGE_PASSWORD_GUID),
+                        inheritedObject: null,
+                        sid: SID::fromString(SID::SID_EVERYONE)
+                    ));
+                }
+
+                $ldapData['ntsecuritydescriptor'] = $sddl->toBytes();
+            } catch (\Tine\SDDL_Parser\ParserException $e) {
+                Tinebase_Exception::log($e);
+            }
         }
 
         if (isset($_user->xprops()['uidnumber'])) {

diff --git a/tine20/Tinebase/js/widgets/grid/FilterPanel.js b/tine20/Tinebase/js/widgets/grid/FilterPanel.js
@@ -256,6 +256,7 @@ Ext.extend(Tine.widgets.grid.FilterPanel, Ext.Panel, {
 
         for (let id in this.filterToolbars) {
             if (this.filterToolbars.hasOwnProperty(id) && this.filterToolbars[id].isActive) {
+                this.quickFilterPlugin.ftb = this.filterToolbars[id];
                 const filterData = this.filterToolbars[id].getValue();
                 filters.push({'condition': 'AND', 'filters': filterData, 'id': id, label: Ext.util.Format.htmlDecode(this.filterToolbars[id].title)});
             }

diff --git a/tine20/composer.json b/tine20/composer.json
@@ -32,6 +32,10 @@
       "type": "git",
       "url": "https://github.com/tine-groupware/ubl-common.git"
     },
+    {
+      "type": "git",
+      "url": "https://github.com/tine-groupware/sddl-parser.git"
+    },
     {
       "type": "git",
       "url": "https://github.com/tine20/OpenDocument.git"
@@ -147,6 +151,7 @@
     "symfony/http-client": "5.2 - 7",
     "symfony/intl": "^5.4",
     "syncroton/syncroton": "^1.5",
+    "tine-groupware/sddl-parser": "0.0.2",
     "tine-groupware/ubl-invoice": "^0.1",
     "tine20/composerapploader": "1.0.*",
     "twig/cssinliner-extra": "^3.7",

diff --git a/tine20/composer.lock b/tine20/composer.lock