Commit 2c43b26

artongebackportbot[bot] authored and committed
fix(contacts): Do not expose SAB in /contactsmenu
When hitting the `/contactsmenu/contacts` endpoint with the `dav.system_addressbook_exposed` config switch set to `"no"`, the system address book content is still listed in the response. This ensures that we do not unexpectedly expose the system address book. Signed-off-by: Louis Chemineau <[email protected]> [skip ci]
1 parent 50b6c66 commit 2c43b26

File tree

3 files changed

+19
-0
lines changed


apps/dav/lib/CardDAV/ContactsManager.php

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -26,6 +26,7 @@
2626
namespace OCA\DAV\CardDAV;
2727

2828
use OCP\Contacts\IManager;
29+
use OCP\IAppConfig;
2930
use OCP\IL10N;
3031
use OCP\IURLGenerator;
3132
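
Review bot: the only change to `ContactsManager.php` in this hunk is the new `use OCP\IAppConfig;` import, and nothing in the visible diff consumes it: the test below still constructs the class as `new ContactsManager($backEnd, $l)` with two arguments, and no code reading `dav.system_addressbook_exposed` appears in this file. Either the part of the backport that injects `IAppConfig` and checks the switch before listing the system address book is missing here, in which case the fix described in the commit message is not actually applied, or the import is dead and should be dropped. Please confirm which, since an unused import will also trip the project's lint.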

apps/dav/tests/unit/CardDAV/ContactsManagerTest.php

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -28,6 +28,7 @@
2828
use OCA\DAV\CardDAV\CardDavBackend;
2929
use OCA\DAV\CardDAV\ContactsManager;
3030
use OCP\Contacts\IManager;
31+
use OCP\IAppConfig;
3132
use OCP\IL10N;
3233
use OCP\IURLGenerator;
3334
use Test\TestCase;
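
Review bot: `use OCP\IAppConfig;` is added to the test imports as well, but the second hunk of this file does not mock or pass an `IAppConfig` anywhere, so the import is unused in the visible changes. If the intent is to cover the `dav.system_addressbook_exposed` behaviour at unit level, the test should create an `IAppConfig` mock and hand it to `ContactsManager`; otherwise remove the import.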
@@ -44,6 +45,7 @@ public function test(): void {
4445
['{DAV:}displayname' => 'Test address book', 'uri' => 'default'],
4546
]);
4647

48+
/** @var IL10N&MockObject $l */
4749
$l = $this->createMock(IL10N::class);
4850
$app = new ContactsManager($backEnd, $l);
4951
$app->setupContactsProvider($cm, 'user01', $urlGenerator);
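
Review bot: the new docblock `/** @var IL10N&MockObject $l */` references `MockObject`, which is not among the imports shown in the first hunk of this file; make sure `PHPUnit\Framework\MockObject\MockObject` is imported (or use the fully qualified name) so static analysis resolves the intersection type. More importantly, this hunk adds only a type annotation and no assertion about the system address book, so the unit test does not exercise the behaviour the commit message describes; a case with the switch disabled that asserts the system address book is not registered would make the fix verifiable without the integration suite.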

build/integration/features/contacts-menu.feature

Lines changed: 16 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -192,3 +192,19 @@ Feature: contacts-menu
192192
And searching for contacts matching with "test"
193193
# Disabled because it regularly fails on drone:
194194
# Then the list of searched contacts has "0" contacts
195+
196+
Scenario: users cannot list other users from the system address book
197+
Given user "user0" exists
198+
And user "user1" exists
199+
And invoking occ with "config:app:set dav system_addressbook_exposed --value false"
200+
And Logging in using web as "user1"
201+
And searching for contacts matching with ""
202+
Then the list of searched contacts has "1" contacts
203+
And invoking occ with "config:app:delete dav system_addressbook_exposed"
204+
205+
Scenario: users can list other users from the system address book
206+
Given user "user0" exists
207+
And user "user1" exists
208+
And Logging in using web as "user1"
209+
And searching for contacts matching with ""
210+
Then the list of searched contacts has "2" contacts
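
Review bot: the value set in the first scenario (`config:app:set dav system_addressbook_exposed --value false`) does not match the commit message, which describes the switch as set to `"no"`; `occ config:app:set` stores the literal string `false`, so confirm the code treats both `false` and `no` as disabled, or align the scenario with the value the implementation actually checks. Separately, the cleanup step `config:app:delete dav system_addressbook_exposed` runs only if `Then the list of searched contacts has "1" contacts` passes; a failure there leaves the switch set, and the following scenario (which expects `"2"` contacts) then fails for the wrong reason. Moving the delete into an after-scenario hook, or placing the scenario that expects the exposed default first, would keep the two scenarios independent.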
