diff --git a/app/models/auth_source_ldap.rb b/app/models/auth_source_ldap.rb
index 1e2bf24396490e7edf85abdb8ddd5063d87cae42..3536b4f6cc4802c46a171326f54d76bcab7d22aa 100644
--- a/app/models/auth_source_ldap.rb
+++ b/app/models/auth_source_ldap.rb
@@ -21,6 +21,7 @@ class AuthSourceLdap < AuthSource
validates_length_of :account, :account_password, :base_dn, :maximum => 255, :allow_nil => true
validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true
validates_numericality_of :port, :only_integer => true
+ validate :custom_filter_should_be_valid_ldap_filter_syntax
before_validation :strip_ldap_attributes
@@ -136,6 +137,16 @@ class AuthSourceLdap < AuthSource
return nil
end
end
+
+ def custom_filter_should_be_valid_ldap_filter_syntax
+ return true unless custom_filter.present?
+
+ begin
+ return Net::LDAP::Filter.construct(custom_filter)
+ rescue Net::LDAP::LdapError # Filter syntax error
+ errors.add(:custom_filter, :invalid)
+ end
+ end
def self.get_attr(entry, attr_name)
if !attr_name.blank?
diff --git a/test/unit/auth_source_ldap_test.rb b/test/unit/auth_source_ldap_test.rb
index 9fcdace9ebceaf8978317c5f73a767dfd152371f..0effa103d1bff166c25c118af358b1f43e345523 100644
--- a/test/unit/auth_source_ldap_test.rb
+++ b/test/unit/auth_source_ldap_test.rb
@@ -31,6 +31,20 @@ class AuthSourceLdapTest < ActiveSupport::TestCase
assert_equal 'givenName', a.reload.attr_firstname
end
+ context "validations" do
+ should "validate that custom_filter is a valid LDAP filter" do
+ @auth = AuthSourceLdap.new(:name => 'Validation', :host => 'localhost', :port => 389, :attr_login => 'login')
+ @auth.custom_filter = "(& (homeDirectory=*) (sn=O*" # Missing ((
+ assert @auth.invalid?
+ assert_equal "is invalid", @auth.errors.on(:custom_filter)
+
+ @auth.custom_filter = "(& (homeDirectory=*) (sn=O*))"
+ assert @auth.valid?
+ assert_equal nil, @auth.errors.on(:custom_filter)
+
+ end
+ end
+
if ldap_configured?
context '#authenticate' do
setup do