From af17b64cb0215569db47cc8656382d96e7305e26 Mon Sep 17 00:00:00 2001
From: Kevin Aleman
Date: Fri, 24 Oct 2025 09:56:57 -0600
Subject: [PATCH] prevent ldap sync to add users to abac rooms

---
 apps/meteor/ee/server/lib/ldap/Manager.ts | 23 ++++++++++++++++++-
 .../model-typings/src/models/IRoomsModel.ts | 1 +
 packages/models/src/models/Rooms.ts | 10 ++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/apps/meteor/ee/server/lib/ldap/Manager.ts b/apps/meteor/ee/server/lib/ldap/Manager.ts
index 5baf73e6f93b5..b15dfc6d34335 100644
--- a/apps/meteor/ee/server/lib/ldap/Manager.ts
+++ b/apps/meteor/ee/server/lib/ldap/Manager.ts
@@ -358,6 +358,11 @@ export class LDAPEEManager extends LDAPManager {
 return;
 }
+ if (settings.get('ABAC_Enabled') && room?.abacAttributes?.length) {
+ logger.error({ msg: 'Cannot add user to channel. Channel is ABAC managed', userChannelName });
+ continue;
+ }
+
 if (room.teamMain) {
 logger.error(`Can't add user to channel ${userChannelName} because it is a team.`);
 } else {
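Review bot: The added guard reads `room?.abacAttributes` with optional chaining on `room`, yet the very next context line dereferences `room.teamMain` unconditionally, so the `?.` misstates whether `room` can be undefined at this point; `if (settings.get('ABAC_Enabled') && room.abacAttributes?.length) {` keeps the intent and matches the surrounding code. The setting is re-read on each pass of what appears (from the `continue`) to be a per-channel loop, and the same read recurs in the second hunk of this file, so reading it once into a local before the loop would be cleaner. Skipping an ABAC-managed room is an expected policy outcome rather than a failure, so `logger.warn` would keep the error log meaningful. The enclosing method starts and ends outside the hunk.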
@@ -430,7 +435,23 @@ export class LDAPEEManager extends LDAPManager {
 });
 const currentTeamIds = currentTeams?.map(({ teamId }) => teamId);
 const teamsToRemove = currentTeamIds?.filter((teamId) => notInTeamIds.includes(teamId));
- const teamsToAdd = inTeamIds.filter((teamId) => !currentTeamIds?.includes(teamId));
+ let teamsToAdd = inTeamIds.filter((teamId) => !currentTeamIds?.includes(teamId));
+
+ if (settings.get('ABAC_Enabled')) {
+ const roomsWithAbacAttributes = await Rooms.findPrivateRoomsByIdsWithAbacAttributes(
+ allTeams.filter((t) => teamsToAdd.includes(t._id)).map((t) => t.roomId),
+ { projection: { teamId: 1 } },
+ )
+ .map((r) => r.teamId)
+ .toArray();
+
+ logger.debug({ msg: 'Some teams will be ignored from sync because they are abac managed', roomsWithAbacAttributes });
+
+ teamsToAdd = teamsToAdd.filter((teamId) => !roomsWithAbacAttributes.includes(teamId));
+ if (!teamsToAdd.length) {
+ return;
+ }
+ }
 await Team.insertMemberOnTeams(user._id, teamsToAdd);
 if (teamsToRemove) {
diff --git a/packages/model-typings/src/models/IRoomsModel.ts b/packages/model-typings/src/models/IRoomsModel.ts
index c66baea4809ab..8ee5e753758fc 100644
--- a/packages/model-typings/src/models/IRoomsModel.ts
+++ b/packages/model-typings/src/models/IRoomsModel.ts
@@ -217,6 +217,7 @@ export interface IRoomsModel extends IBaseModel {
 findByIds(rids: string[], options?: FindOptions): FindCursor;
 findByType(type: IRoom['t'], options?: FindOptions): FindCursor;
 findByTypeInIds(type: IRoom['t'], ids: string[], options?: FindOptions): FindCursor;
+ findPrivateRoomsByIdsWithAbacAttributes(ids: string[], options?: FindOptions): FindCursor;
 findBySubscriptionUserId(userId: string, options?: FindOptions): Promise>;
 findBySubscriptionUserIdUpdatedAfter(userId: string, updatedAfter: Date, options?: FindOptions): Promise>;
 findByNameAndTypeNotDefault(
diff --git a/packages/models/src/models/Rooms.ts b/packages/models/src/models/Rooms.ts
index 9524a30074883..f1b88320254d2 100644
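Review bot: The early `return` inside the new `if (!teamsToAdd.length)` block also skips the `if (teamsToRemove)` branch that follows it, so when every pending team turns out to be ABAC managed the user is never removed from the teams in `teamsToRemove`, which this sync is otherwise responsible for. Dropping the early return and guarding only the insert, `if (teamsToAdd.length) { await Team.insertMemberOnTeams(user._id, teamsToAdd); }`, keeps the removal path intact. The local `roomsWithAbacAttributes` actually holds team ids (it is built from `r.teamId`), so a name such as `abacManagedTeamIds` would read truer, in the debug message as well. The lookup is restricted to private rooms by the new model method (`t: 'p'`), so if a team's main room can be public and still carry `abacAttributes` it would not be excluded here — worth confirming against the ABAC rules. The enclosing method starts and ends outside the hunk.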
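Review bot: The new `findPrivateRoomsByIdsWithAbacAttributes` declaration carries no TSDoc, so a caller reading the interface cannot tell that only private rooms (`t: 'p'`) are matched, that rooms with an absent or empty `abacAttributes` array are excluded, or that the `ABAC_Enabled` setting is not consulted by the model and is left to the caller. A one-line comment above it, `/** Private rooms among \`ids\` that carry a non-empty \`abacAttributes\` array; does not check the ABAC_Enabled setting. */`, would document the contract the LDAP sync now depends on.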
--- a/packages/models/src/models/Rooms.ts
+++ b/packages/models/src/models/Rooms.ts
@@ -1268,6 +1268,16 @@ export class RoomsRaw extends BaseRaw implements IRoomsModel {
 return this.find(query, options);
 }
+ findPrivateRoomsByIdsWithAbacAttributes(ids: Array, options: FindOptions = {}): FindCursor {
+ const query: Filter = {
+ _id: { $in: ids },
+ t: 'p',
+ abacAttributes: { $exists: true, $ne: [] },
+ };
+
+ return this.find(query, options);
+ }
+
 async findBySubscriptionUserId(userId: IUser['_id'], options: FindOptions = {}): Promise> {
 const data = (await Subscriptions.findByUserId(userId, { projection: { rid: 1 } }).toArray()).map((item) => item.rid);
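Review bot: The filter `abacAttributes: { $exists: true, $ne: [] }` also matches a document whose `abacAttributes` is `null` or a non-array value, since `$exists: true` is satisfied by a null field; that errs toward excluding the room, but it disagrees with the channel-path check in Manager.ts, which uses `room.abacAttributes?.length` and therefore treats `null` as not ABAC managed. Matching a non-empty array explicitly, `'abacAttributes.0': { $exists: true },` in place of the current clause, makes the two paths agree on what counts as ABAC managed. The method would also benefit from a TSDoc line stating that it returns private rooms only and does not consult the `ABAC_Enabled` setting, which is left to the caller.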