[horde] Ldap v3.0.0alpha7, kronolith and no more existent Ldap group

Sun May 18 08:52:51 UTC 2025

Hello Jean,

Am 16.05.2025 um 19:49 schrieb Jean Charles Delépine:
>
> Quoting Jean Charles Delépine <delepine at u-picardie.fr>:
>
>> Quoting Jean Charles Delépine <delepine at u-picardie.fr>:
>>
>>> Context : one calendar shared to peoples in no more existent ldap 
>>> group.
>>>
>>> HORDE: Next TypeError: ldap_free_result(): Argument #1 ($result) 
>>> must be of type LDAP\Result, bool given in 
>>> /var/www/horde/vendor/horde/ldap/lib/Horde/Ldap/Search.php:123
>>
>> For now, I just wrapped the ldap_free_result call in an if to check 
>> the type of $this->_search.
>>
>> That said, the underlying issue is that $this->_search ends up being 
>> a boolean when searching for members of a non-existent LDAP group. So 
>> this fix avoids the error, but the real solution will be to handle 
>> that case earlier.
>
> Here it is. In vendor/horde/kronolith/lib/Kronolith.php and 
> vendor/horde/nag/lib/Form/Task.php.
>
> -                    $users = array_merge(
> -                        $users,
> -                        $horde_group->listUsers($group)
> -                    );
> +                    if ($horde_group->exists($group)) {
> +                        $users = array_merge(
> +                          $users,
> +                          $horde_group->listUsers($group)
> +                );
> +                    }
>
> Patch is attach. I will try to set a dev env in order to be able to 
> make a PR next time.
>
>            Jean Charles Delépine
>
Thank you for providing the patch. I will include it in the next alpha 
release.

However, this points to a larger issue with external backends like LDAP: 
Content may change independent of Horde's awareness. This includes user 
accounts, group membership and even group existence. In the admin 
interface, group members no longer available in the user backend show up 
as entries without text. The problem also exists when using the vhost 
feature to include different features and content depending on what URL 
is called.

This goes beyond fixing a specific bug. I need to think about the right 
strategy to tackle this as it also affects the permissions system and 
some other parts. The initial impetus is to restore consistency by 
removing relations to groups or users which cannot be found. But this is 
dangerous - a temporarily disabled backend might result in permanently 
unsharing resources. So we better keep those relations but make the code 
handle them properly.