diff --git a/tine20/Tinebase/User/ActiveDirectory.php b/tine20/Tinebase/User/ActiveDirectory.php index 24b4c71b31..fa2647a5f0 100644 --- a/tine20/Tinebase/User/ActiveDirectory.php +++ b/tine20/Tinebase/User/ActiveDirectory.php @@ -5,10 +5,15 @@ * @package Tinebase * @subpackage User * @license http://www.gnu.org/licenses/agpl.html AGPL Version 3 - * @copyright Copyright (c) 2007-2023 Metaways Infosystems GmbH (http://www.metaways.de) + * @copyright Copyright (c) 2007-2024 Metaways Infosystems GmbH (http://www.metaways.de) * @author Lars Kneschke */ +use Tine\SDDL_Parser\ACE; +use Tine\SDDL_Parser\GUID; +use Tine\SDDL_Parser\SDDL; +use Tine\SDDL_Parser\SID; + /** * User Samba4 ldap backend * @@ -111,6 +116,8 @@ public function __construct(array $_options = array()) $this->_rowNameMapping['accountHomeDirectory'] = 'unixhomedirectory'; $this->_rowNameMapping['accountLoginShell'] = 'loginshell'; } + + $this->_additionalLdapAttributesToFetch[] = 'ntsecuritydescriptor'; } /** @@ -165,6 +172,11 @@ public function addUserToSyncBackend(Tinebase_Model_FullUser $_user) $user = $this->getUserByPropertyFromSyncBackend('accountId', $_user, 'Tinebase_Model_FullUser'); + if (Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::PWD_CANT_CHANGE}) { + $this->updateUserInSyncBackend($user); + $user = $this->getUserByPropertyFromSyncBackend('accountId', $_user, 'Tinebase_Model_FullUser'); + } + return $user; } 
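Review bot: The added `$this->_additionalLdapAttributesToFetch[] = 'ntsecuritydescriptor';` at the end of the constructor is unconditional, so every sync-backend read now requests each user's security descriptor even when `Tinebase_Config::PWD_CANT_CHANGE` is off. The only consumer visible in this commit is the `PWD_CANT_CHANGE` branch of `_user2ldap`, so the fetch could be wrapped in the same check, `if (Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::PWD_CANT_CHANGE}) { ... }`. That keeps binary ACL data out of caches and debug dumps of raw LDAP entries on deployments that do not use the feature. The constructor body starts outside this hunk, so whether the config is usable at this point needs confirming.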
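Review bot: In `addUserToSyncBackend` the restriction is applied only by a second write after the account already exists, and nothing in the added block verifies that the second write took effect. If `updateUserInSyncBackend($user)` throws, the directory account stays behind without the deny ACEs; and because `_user2ldap` (later in this commit) skips the descriptor when it is missing or unparsable, the method can also return normally with the option unenforced. Consider checking the re-fetched entry before returning, and at minimum add a comment above the new `if` such as `// deny ACEs can only be written once the entry exists; until this update succeeds the user can still change the password`. The function body starts outside the hunk.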
@@ -557,8 +569,69 @@ protected function _user2ldap(Tinebase_Model_FullUser $_user, array $_ldapEntry $ldapData = array( 'useraccountcontrol' => isset($_ldapEntry['useraccountcontrol']) ? $_ldapEntry['useraccountcontrol'][0] : self::NORMAL_ACCOUNT ); - if (Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::PWD_CANT_CHANGE}) { - $ldapData['useraccountcontrol'] |= self::PASSWD_CANT_CHANGE; + if (Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::PWD_CANT_CHANGE} + && ($_ldapEntry['ntsecuritydescriptor'][0] ?? false)) { + try { + $sddl = SDDL::fromBytes($_ldapEntry['ntsecuritydescriptor'][0]); + $foundSelf = false; + $foundEveryone = false; + $setAceData = function(ACE\ObjectAccess $ace): void { + $ace->setType(ACE::ACETYPE_ACCESS_DENIED_OBJECT); + $ace->setAccessMask(ACE::ACCESS_MASK_ADS_RIGHT_DS_CONTROL_ACCESS); + $ace->setInheritedObject(null); + $ace->setFlags(0); + $ace->setUniqueFlags(ACE::ACE_OBJECT_TYPE_PRESENT); + }; + + foreach ($sddl->getDACL()->getACEs() as $offset => $ace) { + if ($ace instanceof ACE\ObjectAccess && $ace->getObject()?->getStringForm() === GUID::CHANGE_PASSWORD_GUID) { + if ($ace->getSID()->getStringForm() === SID::SID_EVERYONE) { + if ($foundEveryone) { + $sddl->getDACL()->removeACE($offset); + } else { + $foundEveryone = true; + $setAceData($ace); + } + } elseif ($ace->getSID()->getStringForm() === SID::SID_NT_AUTHORITY_SELF) { + if ($foundSelf) { + $sddl->getDACL()->removeACE($offset); + } else { + $foundSelf = true; + $setAceData($ace); + } + } + } + } + + if (!$foundSelf) { + $sddl->getDACL()->addACE(new ACE\ObjectAccess( + binaryForm: '', + flags: 0, + type: ACE::ACETYPE_ACCESS_DENIED_OBJECT, + accessMask: ACE::ACCESS_MASK_ADS_RIGHT_DS_CONTROL_ACCESS, + uniqueFlags: ACE::ACE_OBJECT_TYPE_PRESENT, + object: GUID::fromString(GUID::CHANGE_PASSWORD_GUID), + inheritedObject: null, + sid: 
SID::fromString(SID::SID_NT_AUTHORITY_SELF) + )); + } + if (!$foundEveryone) { + $sddl->getDACL()->addACE(new ACE\ObjectAccess( + binaryForm: '', + flags: 0, + type: ACE::ACETYPE_ACCESS_DENIED_OBJECT, + accessMask: ACE::ACCESS_MASK_ADS_RIGHT_DS_CONTROL_ACCESS, + uniqueFlags:ACE::ACE_OBJECT_TYPE_PRESENT, + object: GUID::fromString(GUID::CHANGE_PASSWORD_GUID), + inheritedObject: null, + sid: SID::fromString(SID::SID_EVERYONE) + )); + } + + $ldapData['ntsecuritydescriptor'] = $sddl->toBytes(); + } catch (\Tine\SDDL_Parser\ParserException $e) { + Tinebase_Exception::log($e); + } } if (isset($_user->xprops()['uidnumber'])) { diff --git a/tine20/Tinebase/js/widgets/grid/FilterPanel.js b/tine20/Tinebase/js/widgets/grid/FilterPanel.js index 37a290e829..06d39110d4 100644 --- a/tine20/Tinebase/js/widgets/grid/FilterPanel.js +++ b/tine20/Tinebase/js/widgets/grid/FilterPanel.js @@ -256,6 +256,7 @@ Ext.extend(Tine.widgets.grid.FilterPanel, Ext.Panel, { for (let id in this.filterToolbars) { if (this.filterToolbars.hasOwnProperty(id) && this.filterToolbars[id].isActive) { + this.quickFilterPlugin.ftb = this.filterToolbars[id]; const filterData = this.filterToolbars[id].getValue(); filters.push({'condition': 'AND', 'filters': filterData, 'id': id, label: Ext.util.Format.htmlDecode(this.filterToolbars[id].title)}); } diff --git a/tine20/composer.json b/tine20/composer.json index fda36c2304..bbcf9e4500 100644 --- a/tine20/composer.json +++ b/tine20/composer.json @@ -32,6 +32,10 @@ "type": "git", "url": "https://github.com/tine-groupware/ubl-common.git" }, + { + "type": "git", + "url": "https://github.com/tine-groupware/sddl-parser.git" + }, { "type": "git", "url": "https://github.com/tine20/OpenDocument.git" @@ -147,6 +151,7 @@ "symfony/http-client": "5.2 - 7", "symfony/intl": "^5.4", "syncroton/syncroton": "^1.5", + "tine-groupware/sddl-parser": "0.0.2", "tine-groupware/ubl-invoice": "^0.1", "tine20/composerapploader": "1.0.*", "twig/cssinliner-extra": "^3.7", 
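Review bot: The new block in `_user2ldap` fails open. When `PWD_CANT_CHANGE` is enabled but `$_ldapEntry['ntsecuritydescriptor'][0]` is absent, or `SDDL::fromBytes()` throws, no restriction is applied, and the removed `$ldapData['useraccountcontrol'] |= self::PASSWD_CANT_CHANGE;` path is gone. The missing-attribute case is not logged at all, so a bind account that cannot read the descriptor would leave the option silently unenforced; log it when the option is on and the descriptor is missing, for example `Tinebase_Exception::log(new Tinebase_Exception('ntsecuritydescriptor missing, PWD_CANT_CHANGE not applied'));`, and decide whether a `ParserException` should abort the write instead of only being logged. Separately, `removeACE($offset)` is called inside the `foreach` over `getACEs()`, which is only safe if the library does not reindex on removal (not visible here); a shifted offset would drop an unrelated ACE. The function starts and ends outside the hunk.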
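Review bot: The added `this.quickFilterPlugin.ftb = this.filterToolbars[id];` runs for every active toolbar in the loop, so afterwards the plugin is bound to whichever active toolbar was iterated last. Nothing on the line explains why collecting filter values should rebind the plugin. If more than one toolbar can be active, that ordering dependency deserves a comment such as `// bind the quick filter to the toolbar being read before getValue()`, and a guard like `if (this.quickFilterPlugin)` if the plugin can be absent. The enclosing method starts outside the hunk, so the intent here is inferred.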
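Review bot: The new `tine-groupware/sddl-parser` requirement and its git repository entry change both `require` and `repositories`, yet the composer.lock section of this commit shows no `content-hash` hunk, and its `plugin-api-version` moves from 2.6.0 back to 2.3.0. As far as this page shows, the lock was regenerated partially or with an older Composer, so `composer install` may report the lock file as out of date. Because this 0.0.x library builds the security descriptor that is written back to the directory, deployments should install strictly from the locked commit `bf6eaf9ea094394f9c15fb4dd3ad0ccdff320ea4`. Regenerate the lock with the project's usual Composer version, e.g. `composer update tine-groupware/sddl-parser`, before merging.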
diff --git a/tine20/composer.lock b/tine20/composer.lock index 31bc2c231b..99a9f52779 100644 --- a/tine20/composer.lock +++ b/tine20/composer.lock @@ -12893,6 +12893,34 @@ }, "time": "2023-12-08T13:03:43+00:00" }, + { + "name": "tine-groupware/sddl-parser", + "version": "0.0.2", + "source": { + "type": "git", + "url": "https://github.com/tine-groupware/sddl-parser.git", + "reference": "bf6eaf9ea094394f9c15fb4dd3ad0ccdff320ea4" + }, + "require": { + "php": "8.*" + }, + "type": "library", + "autoload": { + "psr-4": { + "Tine\\SDDL_Parser\\": "src/" + } + }, + "license": [ + "BSD-3-Clause" + ], + "authors": [ + { + "name": "Paul Mehrer", + "email": "p.mehrer@metaways.de" + } + ], + "time": "2024-12-09T14:46:38+00:00" + }, { "name": "tine-groupware/ubl-common", "version": "0.1.3", @@ -15693,5 +15721,5 @@ "ext-xmlwriter": "8.1", "ext-zip": "8.1" }, - "plugin-api-version": "2.6.0" + "plugin-api-version": "2.3.0" }