From d4f25b01b8d47cc354b0909f32153113e793494d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?= Date: Tue, 24 Mar 2020 14:30:59 +0100 Subject: [PATCH 1/2] Unify default value for restricting user enumeration with settings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the value was never enabled or disabled, the settings show "Restrict username enumeration to groups" as disabled. However, in some components it was enabled by default, which caused an inconsistency in the behaviour with respect to the settings, for example in the contacts menu. Signed-off-by: Daniel Calviño Sánchez --- apps/dav/lib/CardDAV/SystemAddressbook.php | 2 +- lib/private/Contacts/ContactsMenu/ContactsStore.php | 2 +- tests/lib/Contacts/ContactsMenu/ContactsStoreTest.php | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apps/dav/lib/CardDAV/SystemAddressbook.php b/apps/dav/lib/CardDAV/SystemAddressbook.php index 8246a8eebfa..b9d5ad5aebe 100644 --- a/apps/dav/lib/CardDAV/SystemAddressbook.php +++ b/apps/dav/lib/CardDAV/SystemAddressbook.php @@ -41,7 +41,7 @@ class SystemAddressbook extends AddressBook { public function getChildren() { $shareEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes'; - $restrictShareEnumeration = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'yes') === 'yes'; + $restrictShareEnumeration = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'no') === 'yes'; if (!$shareEnumeration || ($shareEnumeration && $restrictShareEnumeration)) { return []; } diff --git a/lib/private/Contacts/ContactsMenu/ContactsStore.php b/lib/private/Contacts/ContactsMenu/ContactsStore.php index 9efa42b9a4d..5b967b4b5cb 100644 --- a/lib/private/Contacts/ContactsMenu/ContactsStore.php +++ b/lib/private/Contacts/ContactsMenu/ContactsStore.php 
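Review bot: Switching the fallback for `shareapi_restrict_user_enumeration_to_group` from `'yes'` to `'no'` in `getChildren()` is a fail-open change for instances that never stored this key. The guard `!$shareEnumeration || ($shareEnumeration && $restrictShareEnumeration)` no longer returns `[]` for them, so they go from an empty system address book to whatever the rest of the method returns (the body continues outside the hunk). This matches the settings page, but it widens who can enumerate users by default and deserves an explicit upgrade or changelog note for admins. The same literal default is repeated in the `ContactsStore.php` hunk at line 107, and reading it through one shared constant or helper would stop the call sites drifting from the settings again. At minimum, a comment such as `// default must match the admin sharing settings: unset means "not restricted"` above the changed line would record the coupling.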
@@ -107,7 +107,7 @@ class ContactsStore implements IContactsStore { array $entries, $filter) { $disallowEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') !== 'yes'; - $restrictEnumeration = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'yes') === 'yes'; + $restrictEnumeration = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'no') === 'yes'; $excludedGroups = $this->config->getAppValue('core', 'shareapi_exclude_groups', 'no') === 'yes'; // whether to filter out local users diff --git a/tests/lib/Contacts/ContactsMenu/ContactsStoreTest.php b/tests/lib/Contacts/ContactsMenu/ContactsStoreTest.php index 31b0261cb80..82619fb5679 100644 --- a/tests/lib/Contacts/ContactsMenu/ContactsStoreTest.php +++ b/tests/lib/Contacts/ContactsMenu/ContactsStoreTest.php @@ -178,7 +178,7 @@ class ContactsStoreTest extends TestCase { $this->config->expects($this->at(1)) ->method('getAppValue') - ->with($this->equalTo('core'), $this->equalTo('shareapi_restrict_user_enumeration_to_group'), $this->equalTo('yes')) + ->with($this->equalTo('core'), $this->equalTo('shareapi_restrict_user_enumeration_to_group'), $this->equalTo('no')) ->willReturn('no'); $this->config->expects($this->at(2)) @@ -234,7 +234,7 @@ class ContactsStoreTest extends TestCase { ->willReturn('yes'); $this->config->expects($this->at(1)) ->method('getAppValue') - ->with($this->equalTo('core'), $this->equalTo('shareapi_restrict_user_enumeration_to_group'), $this->equalTo('yes')) + ->with($this->equalTo('core'), $this->equalTo('shareapi_restrict_user_enumeration_to_group'), $this->equalTo('no')) ->willReturn('no'); $this->config->expects($this->at(2)) ->method('getAppValue') 
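Review bot: The `$this->config->expects($this->at(1))` expectation in the test hunks at 178 and 234 (and again at 320) ties each test to the exact order in which `ContactsStore` calls `getAppValue`. A harmless reordering of the three config reads would then fail with an argument mismatch rather than a behavioural failure. Keying the stub on its arguments keeps the new `'no'` default pinned without depending on call order, for example `->willReturnMap([['core', 'shareapi_restrict_user_enumeration_to_group', 'no', 'no']])` with the other keys added to the same map. The enclosing test methods start and end outside these hunks.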
@@ -320,7 +320,7 @@ class ContactsStoreTest extends TestCase { ->willReturn('yes'); $this->config->expects($this->at(1)) ->method('getAppValue') - ->with($this->equalTo('core'), $this->equalTo('shareapi_restrict_user_enumeration_to_group'), $this->equalTo('yes')) + ->with($this->equalTo('core'), $this->equalTo('shareapi_restrict_user_enumeration_to_group'), $this->equalTo('no')) ->willReturn('yes'); $this->config->expects($this->at(2)) ->method('getAppValue') From 4ec370016f8679925ddb87c77bc58467511d21d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?= Date: Tue, 24 Mar 2020 14:42:52 +0100 Subject: [PATCH 2/2] Add acceptance test for restricting user enumeration to groups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel Calviño Sánchez --- .../features/bootstrap/SettingsContext.php | 44 +++++++++++++++++++ tests/acceptance/features/header.feature | 11 +++++ 2 files changed, 55 insertions(+) diff --git a/tests/acceptance/features/bootstrap/SettingsContext.php b/tests/acceptance/features/bootstrap/SettingsContext.php index 82b22c43338..5f9a724e771 100644 --- a/tests/acceptance/features/bootstrap/SettingsContext.php +++ b/tests/acceptance/features/bootstrap/SettingsContext.php 
@@ -46,6 +46,25 @@ class SettingsContext implements Context, ActorAwareInterface { describedAs("Accept shares by default checkbox input in Sharing section in Personal Sharing Settings"); } + /** + * @return Locator + */ + public static function restrictUsernameAutocompletionToGroupsCheckbox() { + // forThe()->checkbox("Restrict username...") can not be used here; that + // would return the checkbox itself, but the element that the user + // interacts with is the label. + return Locator::forThe()->xpath("//label[normalize-space() = 'Restrict username autocompletion to users within the same groups']")-> + describedAs("Restrict username autocompletion to groups checkbox in Sharing section in Administration Sharing Settings"); + } + + /** + * @return Locator + */ + public static function restrictUsernameAutocompletionToGroupsCheckboxInput() { + return Locator::forThe()->checkbox("Restrict username autocompletion to users within the same groups")-> + describedAs("Restrict username autocompletion to groups checkbox input in Sharing section in Administration Sharing Settings"); + } + /** * @return Locator */ @@ -112,6 +131,15 @@ class SettingsContext implements Context, ActorAwareInterface { $this->actor->find(self::acceptSharesByDefaultCheckbox(), 2)->click(); } + /** + * @When I enable restricting username autocompletion to groups + */ + public function iEnableRestrictingUsernameAutocompletionToGroups() { + $this->iSeeThatUsernameAutocompletionIsNotRestrictedToGroups(); + + $this->actor->find(self::restrictUsernameAutocompletionToGroupsCheckbox(), 2)->click(); + } + /** * @When I create the tag :tag in the settings */ 
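Review bot: The label text `Restrict username autocompletion to users within the same groups` is hard-coded twice, in the XPath of `restrictUsernameAutocompletionToGroupsCheckbox()` and in `restrictUsernameAutocompletionToGroupsCheckboxInput()`. A wording change in the settings template must therefore be mirrored in both places, and a missed one shows up only as a `find()` timeout. A single private constant used by both locators would keep them in sync. The `@return Locator` docblocks could also state which element each returns, e.g. `Locator for the clickable label` and `Locator for the underlying checkbox input`, since that distinction is the reason there are two methods.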
@@ -129,6 +157,22 @@ class SettingsContext implements Context, ActorAwareInterface { $this->actor->find(self::acceptSharesByDefaultCheckboxInput(), 10)->isChecked()); } + /** + * @Then I see that username autocompletion is restricted to groups + */ + public function iSeeThatUsernameAutocompletionIsRestrictedToGroups() { + PHPUnit_Framework_Assert::assertTrue( + $this->actor->find(self::restrictUsernameAutocompletionToGroupsCheckboxInput(), 10)->isChecked()); + } + + /** + * @Then I see that username autocompletion is not restricted to groups + */ + public function iSeeThatUsernameAutocompletionIsNotRestrictedToGroups() { + PHPUnit_Framework_Assert::assertFalse( + $this->actor->find(self::restrictUsernameAutocompletionToGroupsCheckboxInput(), 10)->isChecked()); + } + /** * @Then I see that shares are not accepted by default */ diff --git a/tests/acceptance/features/header.feature b/tests/acceptance/features/header.feature index 04d5963668d..94b08e8f6d9 100644 --- a/tests/acceptance/features/header.feature +++ b/tests/acceptance/features/header.feature @@ -28,6 +28,17 @@ Feature: header And I see that the contact "user0" in the Contacts menu is shown And I see that the contact "admin" in the Contacts menu is not shown + Scenario: users from other groups are not seen in the contacts menu when autocompletion is restricted within the same group + Given I am logged in as the admin + And I visit the settings page + And I open the "Sharing" section of the "Administration" group + And I enable restricting username autocompletion to groups + And I see that username autocompletion is restricted to groups + When I open the Contacts menu + Then I see that the Contacts menu is shown + And I see that the contact "user0" in the Contacts menu is not shown + And I see that the contact "admin" in the Contacts menu is not shown + Scenario: just added users are seen in the contacts menu Given I am logged in as the admin And I open the User settings
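Review bot: The new scenario in `header.feature` asserts only absence, so it would pass equally if the Contacts menu were empty for an unrelated reason. Its checks are `user0` and `admin` not shown, and `admin` is already expected to be absent in the preceding unrestricted scenario. Adding a user that shares a group with the admin and asserting `is shown` for it would distinguish "restricted to groups" from "enumeration disabled". The step `I see that username autocompletion is restricted to groups` checks only the checkbox state. If the setting is saved asynchronously (not visible in this patch), opening the Contacts menu right afterwards could race the save.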