Add option to restrict users/groups that can autocomplete usernames

By default this is set to @ALL, so the behaviour is backwards-compatible. Tests of this new feature have been added.
cmacmackin · Dec 2, 2023 · 624b85e · 624b85e
1 parent fc61ec9
commit 624b85e
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 1 deletion.
diff --git a/_test/types/UserTest.php b/_test/types/UserTest.php
@@ -35,7 +35,19 @@ public function test_validate_success()
 
     public function test_ajax()
     {
-        global $INPUT;
+        global $INFO, $INPUT, $USERINFO;
+        include(__DIR__ . '/../../conf/default.php');
+        $default_allow_autocomplete = $conf['allow_username_autocomplete'];
+        unset($conf);
+
+        global $conf;
+        $conf['plugin']['struct']['allow_username_autocomplete'] = $default_allow_autocomplete;
+        $_SERVER['REMOTE_USER'] = 'john';
+        $USERINFO['name'] = 'John Smith';
+        $USERINFO['mail'] = '[email protected]';
+        $USERINFO['grps'] = ['user', 'test'];
+        //update info array
+        $INFO['userinfo'] = $USERINFO;
 
         $user = new User(
             [
@@ -56,6 +68,21 @@ public function test_ajax()
         $INPUT->set('search', 'd'); // under mininput
         $this->assertEquals([], $user->handleAjax());
 
+        // Check restrictions on who can access username data are respected
+        $conf['plugin']['struct']['allow_username_autocomplete'] = 'john';
+        $INPUT->set('search', 'dent');
+        $this->assertEquals([['label' => 'Arthur Dent [testuser]', 'value' => 'testuser']], $user->handleAjax());
+
+        $conf['plugin']['struct']['allow_username_autocomplete'] = '@user';
+        $INPUT->set('search', 'dent');
+        $this->assertEquals([['label' => 'Arthur Dent [testuser]', 'value' => 'testuser']], $user->handleAjax());
+
+        $conf['plugin']['struct']['allow_username_autocomplete'] = '@not_in_group,not_this_user';
+        $INPUT->set('search', 'dent');
+        $this->assertEquals([], $user->handleAjax());
+
+        $conf['plugin']['struct']['allow_username_autocomplete'] = $default_allow_autocomplete;
+
         $user = new User(
             [
                 'autocomplete' => [

diff --git a/conf/default.php b/conf/default.php
@@ -4,3 +4,4 @@
 $conf['topoutput'] = 0;
 $conf['disableDeleteSerial'] = 0;
 $conf['show_not_found'] = 1;
+$conf['allow_username_autocomplete'] = '@ALL';
diff --git a/conf/metadata.php b/conf/metadata.php
@@ -4,3 +4,4 @@
 $meta['topoutput'] = ['onoff'];
 $meta['disableDeleteSerial'] = ['onoff'];
 $meta['show_not_found'] = ['onoff'];
+$meta['allow_username_autocomplete'] = ['string'];
diff --git a/lang/en/settings.php b/lang/en/settings.php
@@ -4,3 +4,4 @@
 $lang['topoutput'] = 'Display data at the top of the page';
 $lang['disableDeleteSerial'] = 'Disable delete button for serial data';
 $lang['show_not_found'] = 'Show the default text when no results are returned for struct value syntax';
+$lang['allow_username_autocomplete'] = 'Group, user or comma separated list user1,@group1,user2 to offer autocomplete suggestions for username data';
diff --git a/types/User.php b/types/User.php
@@ -66,12 +66,24 @@ public function handleAjax()
     {
         /** @var AuthPlugin $auth */
         global $auth;
+        global $conf;
         global $INPUT;
+        global $_SERVER;
+        global $USERINFO;
 
         if (!$auth->canDo('getUsers')) {
             return [];
         }
 
+        if (
+            !auth_isMember(
+                $conf['plugin']['struct']['allow_username_autocomplete'],
+                $_SERVER['REMOTE_USER'],
+                (array) $USERINFO['grps'])
+        ) {
+            return [];
+        }
+
         // check minimum length
         $lookup = trim($INPUT->str('search'));
         if (PhpString::strlen($lookup) < $this->config['autocomplete']['mininput']) return [];