Merge pull request #57041 from nextcloud/feat/full-match-displayname

feat: Allow to block full matches on the display name

Author: juliusknorr

apps/settings/lib/Settings/Admin/Sharing.php

@@ -55,6 +55,7 @@ public function getForm() {
 			'restrictUserEnumerationToPhone' => $this->getHumanBooleanConfig('core', 'shareapi_restrict_user_enumeration_to_phone'),
 			'restrictUserEnumerationFullMatch' => $this->shareManager->allowEnumerationFullMatch(),
 			'restrictUserEnumerationFullMatchUserId' => $this->shareManager->matchUserId(),
+			'restrictUserEnumerationFullMatchDisplayname' => $this->shareManager->matchDisplayName(),
 			'restrictUserEnumerationFullMatchEmail' => $this->shareManager->matchEmail(),
 			'restrictUserEnumerationFullMatchIgnoreSecondDN' => $this->shareManager->ignoreSecondDisplayName(),
 			'enforceLinksPassword' => Util::isPublicLinkPasswordRequired(false),

apps/settings/src/components/AdminSettingsSharingForm.vue

@@ -230,6 +230,9 @@
 				<NcCheckboxRadioSwitch v-model="settings.restrictUserEnumerationFullMatchUserId">
 					{{ t('settings', 'Also allow autocompletion on full match of the user ID') }}
 				</NcCheckboxRadioSwitch>
+				<NcCheckboxRadioSwitch v-model="settings.restrictUserEnumerationFullMatchDisplayname">
+					{{ t('settings', 'Also allow autocompletion on full match of the display name') }}
+				</NcCheckboxRadioSwitch>
 				<NcCheckboxRadioSwitch v-model="settings.restrictUserEnumerationFullMatchEmail">
 					{{ t('settings', 'Also allow autocompletion on full match of the user email') }}
 				</NcCheckboxRadioSwitch>
@@ -291,6 +294,7 @@ interface IShareSettings {
 	restrictUserEnumerationToPhone: boolean
 	restrictUserEnumerationFullMatch: boolean
 	restrictUserEnumerationFullMatchUserId: boolean
+	restrictUserEnumerationFullMatchDisplayname: boolean
 	restrictUserEnumerationFullMatchEmail: boolean
 	restrictUserEnumerationFullMatchIgnoreSecondDN: boolean
 	enforceLinksPassword: boolean

apps/settings/tests/Settings/Admin/SharingTest.php

@@ -77,6 +77,7 @@ public function testGetFormWithoutExcludedGroups(): void {
 				['core', 'shareapi_restrict_user_enumeration_to_phone', 'no', 'no'],
 				['core', 'shareapi_restrict_user_enumeration_full_match', 'yes', 'yes'],
 				['core', 'shareapi_restrict_user_enumeration_full_match_user_id', 'yes', 'yes'],
+				['core', 'shareapi_restrict_user_enumeration_full_match_displayname', 'yes', 'yes'],
 				['core', 'shareapi_restrict_user_enumeration_full_match_email', 'yes', 'yes'],
 				['core', 'shareapi_restrict_user_enumeration_full_match_ignore_second_dn', 'no', 'no'],
 				['core', 'shareapi_enabled', 'yes', 'yes'],
@@ -120,6 +121,7 @@ public function testGetFormWithoutExcludedGroups(): void {
 				'restrictUserEnumerationToPhone' => false,
 				'restrictUserEnumerationFullMatch' => true,
 				'restrictUserEnumerationFullMatchUserId' => true,
+				'restrictUserEnumerationFullMatchDisplayname' => true,
 				'restrictUserEnumerationFullMatchEmail' => true,
 				'restrictUserEnumerationFullMatchIgnoreSecondDN' => false,
 				'enforceLinksPassword' => false,
@@ -172,6 +174,7 @@ public function testGetFormWithExcludedGroups(): void {
 				['core', 'shareapi_restrict_user_enumeration_to_phone', 'no', 'no'],
 				['core', 'shareapi_restrict_user_enumeration_full_match', 'yes', 'yes'],
 				['core', 'shareapi_restrict_user_enumeration_full_match_user_id', 'yes', 'yes'],
+				['core', 'shareapi_restrict_user_enumeration_full_match_displayname', 'yes', 'yes'],
 				['core', 'shareapi_restrict_user_enumeration_full_match_email', 'yes', 'yes'],
 				['core', 'shareapi_restrict_user_enumeration_full_match_ignore_second_dn', 'no', 'no'],
 				['core', 'shareapi_enabled', 'yes', 'yes'],
@@ -217,6 +220,7 @@ public function testGetFormWithExcludedGroups(): void {
 				'restrictUserEnumerationToPhone' => false,
 				'restrictUserEnumerationFullMatch' => true,
 				'restrictUserEnumerationFullMatchUserId' => true,
+				'restrictUserEnumerationFullMatchDisplayname' => true,
 				'restrictUserEnumerationFullMatchEmail' => true,
 				'restrictUserEnumerationFullMatchIgnoreSecondDN' => false,
 				'enforceLinksPassword' => false,

dist/settings-vue-settings-admin-sharing.js

@@ -31,6 +31,8 @@ class UserPlugin implements ISearchPlugin {
 
 	protected bool $shareeEnumerationFullMatchUserId;
 
+	protected bool $shareeEnumerationfullMatchDisplayname;
+
 	protected bool $shareeEnumerationFullMatchEmail;
 
 	protected bool $shareeEnumerationFullMatchIgnoreSecondDisplayName;
@@ -50,6 +52,7 @@ public function __construct(
 		$this->shareeEnumerationPhone = $this->shareeEnumeration && $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_phone', 'no') === 'yes';
 		$this->shareeEnumerationFullMatch = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match', 'yes') === 'yes';
 		$this->shareeEnumerationFullMatchUserId = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match_user_id', 'yes') === 'yes';
+		$this->shareeEnumerationfullMatchDisplayname = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match_displayname', 'yes') === 'yes';
 		$this->shareeEnumerationFullMatchEmail = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match_email', 'yes') === 'yes';
 		$this->shareeEnumerationFullMatchIgnoreSecondDisplayName = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match_ignore_second_dn', 'no') === 'yes';
 
@@ -112,7 +115,7 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 				}
 
 				// additionally we need to add full matches
-				if ($this->shareeEnumerationFullMatch) {
+				if ($this->shareeEnumerationFullMatch && $this->shareeEnumerationfullMatchDisplayname) {
 					$usersTmp = $this->userManager->searchDisplayName($search, $limit, $offset);
 					foreach ($usersTmp as $user) {
 						if ($user->isEnabled() && mb_strtolower($user->getDisplayName()) === mb_strtolower($search)) {
@@ -160,7 +163,7 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 				&& $lowerSearch !== ''
 				&& (
 					strtolower($uid) === $lowerSearch
-					|| strtolower($userDisplayName) === $lowerSearch
+					|| ($this->shareeEnumerationfullMatchDisplayname && strtolower($userDisplayName) === $lowerSearch)
 					|| ($this->shareeEnumerationFullMatchIgnoreSecondDisplayName && trim(strtolower(preg_replace('/ \(.*\)$/', '', $userDisplayName))) === $lowerSearch)
 					|| ($this->shareeEnumerationFullMatchEmail && strtolower($userEmail ?? '') === $lowerSearch)
 				)

dist/settings-vue-settings-admin-sharing.js.map

@@ -1742,6 +1742,10 @@ public function matchUserId(): bool {
 		return $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match_user_id', 'yes') === 'yes';
 	}
 
+	public function matchDisplayName(): bool {
+		return $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match_displayname', 'yes') === 'yes';
+	}
+
 	#[Override]
 	public function ignoreSecondDisplayName(): bool {
 		return $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match_ignore_second_dn', 'no') === 'yes';

lib/private/Collaboration/Collaborators/UserPlugin.php

@@ -427,6 +427,14 @@ public function matchEmail(): bool;
 	 */
 	public function matchUserId(): bool;
 
+	/**
+	 * When `allowEnumerationFullMatch` is enabled and `matchDisplayName` is set,
+	 * then also return results for full display name matches.
+	 *
+	 * @since 33.0.0
+	 */
+	public function matchDisplayName(): bool;
+
 	/**
 	 * When `allowEnumerationFullMatch` is enabled and `ignoreSecondDisplayName` is set,
 	 * then the search should ignore matches on the second displayname and only use the first.