The LDAP Data module will create content profile nodes without checking the user/role permissions first.

This is a problem if your site is set up to have specific content profiles for specific roles: on login, every LDAP-authenticated user gets a node of every content profile type created, causing drastic bloat of unwanted nodes in the DB.

The offending code (ldapdata.module, line 263):

// If needed, get the content profile nodes
$content_profile_nodes = array();
if ( ! empty($content_profile_fields) ) {
  $cp_types = content_profile_get_types('types');
  foreach ($cp_types as $type_obj) {
    $type = $type_obj->type;
    $profile = content_profile_load($type, $account->uid, '', TRUE);
    if (!$profile) {
      $profile = new stdClass();
      $profile->type = $type;
      $profile->title = (isset($account->name) ? $account->name : '');
      $profile->uid = $account->uid;
      node_save($profile); // Create node to get CCK fields
    }
    $content_profile_nodes[] = $profile;
  }
}
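For comparison, here is a hardened version of that loop, written as an added example for this issue and not taken from the ldap_integration project. It targets Drupal 6 with the content_profile module and assumes the same Drupal 6 APIs the original snippet uses (content_profile_get_types(), content_profile_load(), node_save(), user_access()) plus watchdog() for logging; the helper name _ldapdata_build_content_profile_nodes() is hypothetical. The permission check is made against the account being loaded rather than the global $user, and every withheld profile type is logged so an administrator can see what was skipped and why.

```php
<?php
// Added example, not the module's own code. Meant to be called from
// _ldapdata_user_load(&$account, ...) with the already-computed
// $content_profile_fields array; assumes Drupal 6 + content_profile.
function _ldapdata_build_content_profile_nodes($account, $content_profile_fields) {
  $content_profile_nodes = array();
  if (empty($content_profile_fields)) {
    return $content_profile_nodes;
  }

  $cp_types = content_profile_get_types('types');
  foreach ($cp_types as $type_obj) {
    $type = $type_obj->type;
    $profile = content_profile_load($type, $account->uid, '', TRUE);

    if (!$profile) {
      // Check the permission of the account being loaded, not of the global
      // $user: during an ldap_sync run the global user is typically an
      // administrator, and user_access() without its second argument would
      // grant every profile type to every synced account.
      if (!user_access('create ' . $type . ' content', $account)) {
        // Audit trail for the admin (constructed log message).
        watchdog('ldapdata',
          'Skipped creating %type content profile for %name (uid %uid): no create permission.',
          array('%type' => $type, '%name' => $account->name, '%uid' => $account->uid),
          WATCHDOG_NOTICE);
        continue; // No node for this type, so nothing to collect.
      }

      $profile = new stdClass();
      $profile->type = $type;
      $profile->title = isset($account->name) ? $account->name : '';
      $profile->uid = $account->uid;
      node_save($profile); // Create node to get CCK fields
    }

    $content_profile_nodes[] = $profile;
  }
  return $content_profile_nodes;
}
```

Note that in Drupal 6 user_access() still returns TRUE for uid 1 regardless of roles, so the site's uid 1 account will get every profile type even with the account argument; for every other account the check reflects that user's own roles, which is what the per-role profile setup described above needs.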

Comments

jklmnop

Here is a patch for the 6.x-1.0-beta3 tag.

diff --git a/drupal/sites/all/modules/contrib/ldap_integration/ldapdata.module b/drupal/sites/all/modules/contrib/ldap_integration/ldapd
index 2c2d31f..defd878 100644
--- a/drupal/sites/all/modules/contrib/ldap_integration/ldapdata.module
+++ b/drupal/sites/all/modules/contrib/ldap_integration/ldapdata.module
@@ -267,7 +267,7 @@ function _ldapdata_user_load(&$account, $sync = FALSE, $newentry = NULL) {
       foreach ($cp_types as $type_obj) {
         $type = $type_obj->type;
         $profile = content_profile_load($type, $account->uid, '', TRUE);
-        if (!$profile) {
+        if (!$profile && user_access('create '. $type .' content')) {
           $profile = new stdClass();
           $profile->type = $type;
           $profile->title = (isset($account->name) ? $account->name : '');
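Review bot: the `+` line calls user_access('create '. $type .' content') with no account argument, so it checks the permissions of the currently logged-in user rather than those of $account, the user whose profile nodes this loop creates (the hunk header shows the function takes &$account). Whenever the code runs for someone other than the account itself, the check applies the wrong user's permissions. Suggest passing the account explicitly: `if (!$profile && user_access('create '. $type .' content', $account)) {`.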
aCCa

I think your patch doesn't work when you are syncing users with ldap_sync.
The logged-in user in this case is (usually) admin with full permissions, and your permission check is bypassed.

This is my correction, that should work in any case:

-        if (!$profile) {
+        if (!$profile && user_access('create '. $type .' content', $account)) {
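Review bot: this is posted as only the changed pair of lines, with no @@ header or surrounding context, so it cannot be applied as-is; please post it as a full unified diff against the same hunk of _ldapdata_user_load() as the earlier patch. The change itself is sound: passing $account as the second argument makes user_access() evaluate the roles of the account being loaded or synced instead of the global $user, which is exactly the case the earlier patch missed. A one-line comment beside the check explaining that is worth adding so the second argument is not dropped in a later cleanup.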

Also patch attached...