
#2605 check if user permission

Shinsuke Sugaya 3 سال پیش
والد
کامیت
c45779232f

+ 7 - 0
src/main/java/org/codelibs/fess/helper/SystemHelper.java

@@ -446,6 +446,13 @@ public class SystemHelper {
         return getCurrentTimeAsLong() > eolTime;
     }
 
+    public boolean isUserPermission(final String permission) {
+        if (StringUtil.isNotBlank(permission)) {
+            return permission.startsWith(ComponentUtil.getFessConfig().getRoleSearchUserPrefix());
+        }
+        return false;
+    }
+
     public String getSearchRoleByUser(final String name) {
         return createSearchRole(ComponentUtil.getFessConfig().getRoleSearchUserPrefix(), name);
     }
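Review bot: isUserPermission has no Javadoc, and since LdapManager now uses it to decide whether a login is rejected, its contract should be stated explicitly: `/** Returns {@code true} if {@code permission} starts with the configured user-role prefix; {@code null} or blank input is never a user permission. */`. The guard-and-return pair can also collapse to `return StringUtil.isNotBlank(permission) && permission.startsWith(ComponentUtil.getFessConfig().getRoleSearchUserPrefix());`. Note that an empty configured prefix would make every non-blank permission match; whether the config guarantees a non-empty prefix is not visible here, so a comment recording that assumption would help.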

+ 16 - 2
src/main/java/org/codelibs/fess/ldap/LdapManager.java

@@ -158,7 +158,7 @@ public class LdapManager {
         try (DirContextHolder holder = getDirContext(() -> env)) {
             final DirContext context = holder.get();
             final LdapUser ldapUser = createLdapUser(username, env);
-            if (!fessConfig.isLdapAllowEmptyPermission() && ldapUser.getPermissions().length == 0) {
+            if (!allowEmptyGroupAndRole(ldapUser)) {
                 if (logger.isDebugEnabled()) {
                     logger.debug("Login failed. No permissions. {}", context);
                 }
@@ -179,7 +179,7 @@ public class LdapManager {
         try (DirContextHolder holder = getDirContext(() -> env)) {
             final DirContext context = holder.get();
             final LdapUser ldapUser = createLdapUser(username, env);
-            if (!fessConfig.isLdapAllowEmptyPermission() && ldapUser.getPermissions().length == 0) {
+            if (!allowEmptyGroupAndRole(ldapUser)) {
                 if (logger.isDebugEnabled()) {
                     logger.debug("Login failed. No permissions. {}", context);
                 }
@@ -195,6 +195,20 @@ public class LdapManager {
         return OptionalEntity.empty();
     }
 
+    protected boolean allowEmptyGroupAndRole(final LdapUser ldapUser) {
+        if (fessConfig.isLdapAllowEmptyPermission()) {
+            return true;
+        }
+
+        final SystemHelper systemHelper = ComponentUtil.getSystemHelper();
+        for (final String permission : ldapUser.getPermissions()) {
+            if (!systemHelper.isUserPermission(permission)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     protected LdapUser createLdapUser(final String username, final Hashtable<String, String> env) {
         return new LdapUser(env, username);
     }
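Review bot: The debug message on the context lines of the first two hunks, `"Login failed. No permissions. {}"`, no longer describes the new condition: allowEmptyGroupAndRole also returns false for a user whose every permission carries the user prefix, so those rejections will be logged with a misleading reason; `logger.debug("Login failed. No group or role permission. {}", context);` would match the check. The new method's name reads like a config lookup while it actually returns true either when empty permissions are allowed or when at least one non-user permission is present, so a Javadoc stating that would help: `/** Returns {@code true} if login may proceed: empty permissions are allowed by config, or the user holds at least one permission without the user prefix (a group or role). */`. The login methods touched by the first two hunks start and end outside those hunks.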

+ 1 - 0
src/main/java/org/codelibs/fess/util/ComponentUtil.java

@@ -559,6 +559,7 @@ public final class ComponentUtil {
     public static void setFessConfig(final FessConfig fessConfig) {
         ComponentUtil.fessConfig = fessConfig;
         if (fessConfig == null) {
+            systemHelper = null;
             FessProp.propMap.clear();
             componentMap.clear();
         }
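Review bot: The added `systemHelper = null;` carries no explanation of why the cached helper is tied to the config lifetime; presumably it exists so a SystemHelper registered after setFessConfig(null), as LdapManagerTest.setUp does, is returned by getSystemHelper() instead of a stale cached instance — confirm. A one-line comment such as `// drop the cached SystemHelper with the config so a later register() is honored` would record that for the next reader. setFessConfig ends outside the hunk.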

+ 20 - 0
src/test/java/org/codelibs/fess/helper/SystemHelperTest.java

@@ -147,4 +147,24 @@ public class SystemHelperTest extends UnitFessTestCase {
         assertEquals(1, filteredEnvMap.size());
         assertEquals("123", filteredEnvMap.get("FESS_ENV_TEST"));
     }
+
+    public void test_isUserPermission() {
+        assertTrue(systemHelper.isUserPermission("1test"));
+
+        assertFalse(systemHelper.isUserPermission(null));
+        assertFalse(systemHelper.isUserPermission(""));
+        assertFalse(systemHelper.isUserPermission(" "));
+        assertFalse(systemHelper.isUserPermission("2test"));
+        assertFalse(systemHelper.isUserPermission("Rtest"));
+    }
+
+    public void test_getSearchRole() {
+        assertEquals("1test", systemHelper.getSearchRoleByUser("test"));
+        assertEquals("Rtest", systemHelper.getSearchRoleByRole("test"));
+        assertEquals("2test", systemHelper.getSearchRoleByGroup("test"));
+
+        assertEquals("1", systemHelper.getSearchRoleByUser(""));
+        assertEquals("R", systemHelper.getSearchRoleByRole(""));
+        assertEquals("2", systemHelper.getSearchRoleByGroup(""));
+    }
 }
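Review bot: test_isUserPermission never checks the boundary where the permission is exactly the prefix, which test_getSearchRole shows is produced for an empty user name (`"1"`); adding `assertTrue(systemHelper.isUserPermission("1"));` makes the two tests agree on that value. Both tests also hard-code the prefixes `1`, `2` and `R` rather than reading them from the FessConfig, so a change to the default prefixes would fail them for an unrelated reason; comparing against `ComponentUtil.getFessConfig().getRoleSearchUserPrefix() + "test"` would decouple them. How the systemHelper field used here is wired is not visible in the hunk.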

+ 54 - 0
src/test/java/org/codelibs/fess/ldap/LdapManagerTest.java

@@ -15,12 +15,24 @@
  */
 package org.codelibs.fess.ldap;
 
+import java.util.ArrayList;
+import java.util.Hashtable;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import org.codelibs.fess.helper.SystemHelper;
 import org.codelibs.fess.mylasta.direction.FessConfig;
 import org.codelibs.fess.unit.UnitFessTestCase;
 import org.codelibs.fess.util.ComponentUtil;
 
 public class LdapManagerTest extends UnitFessTestCase {
 
+    @Override
+    public void setUp() throws Exception {
+        super.setUp();
+        ComponentUtil.register(new SystemHelper(), "systemHelper");
+    }
+
     @SuppressWarnings("serial")
     public void test_getSearchRoleName() {
         ComponentUtil.setFessConfig(new FessConfig.SimpleImpl() {
@@ -72,4 +84,46 @@ public class LdapManagerTest extends UnitFessTestCase {
         assertEquals("___", ldapManager.replaceWithUnderscores("///"));
         assertEquals("a_a", ldapManager.replaceWithUnderscores("a/a"));
     }
+
+    public void test_allowEmptyGroupAndRole() {
+        final AtomicBoolean allowEmptyPermission = new AtomicBoolean();
+        ComponentUtil.setFessConfig(new FessConfig.SimpleImpl() {
+            public boolean isLdapAllowEmptyPermission() {
+                return allowEmptyPermission.get();
+            }
+
+            public String getRoleSearchUserPrefix() {
+                return "1";
+            }
+        });
+        LdapManager ldapManager = new LdapManager();
+        ldapManager.fessConfig = ComponentUtil.getFessConfig();
+        final List<String> permissionList = new ArrayList<>();
+        LdapUser user = new LdapUser(new Hashtable<>(), "test") {
+            @Override
+            public String[] getPermissions() {
+                return permissionList.toArray(n -> new String[n]);
+            }
+        };
+
+        allowEmptyPermission.set(true);
+        assertTrue(ldapManager.allowEmptyGroupAndRole(user));
+        allowEmptyPermission.set(false);
+        assertFalse(ldapManager.allowEmptyGroupAndRole(user));
+
+        permissionList.add("2aaa");
+
+        allowEmptyPermission.set(true);
+        assertTrue(ldapManager.allowEmptyGroupAndRole(user));
+        allowEmptyPermission.set(false);
+        assertTrue(ldapManager.allowEmptyGroupAndRole(user));
+
+        permissionList.clear();
+        permissionList.add("Raaa");
+
+        allowEmptyPermission.set(true);
+        assertTrue(ldapManager.allowEmptyGroupAndRole(user));
+        allowEmptyPermission.set(false);
+        assertTrue(ldapManager.allowEmptyGroupAndRole(user));
+    }
 }
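Review bot: test_allowEmptyGroupAndRole never exercises the case the change introduces — a user whose only permission is user-prefixed (e.g. `"1test"`) with empty permissions disallowed, which should yield false — nor a mixed list where a user permission is followed by a group one; as written, replacing the loop in allowEmptyGroupAndRole with a plain non-empty check would still pass this test. The anonymous FessConfig.SimpleImpl overrides at the top of the method also lack `@Override`, and `toArray(n -> new String[n])` is `toArray(String[]::new)`.
```java
        // … unchanged: existing "Raaa" assertions …
        permissionList.clear();
        permissionList.add("1test");
        allowEmptyPermission.set(false);
        assertFalse(ldapManager.allowEmptyGroupAndRole(user));
        permissionList.add("2aaa");
        assertTrue(ldapManager.allowEmptyGroupAndRole(user));
```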