System: Access: Groups - in preperation for https://github.com/opnsense/core/issues/7904, add support for comma separated member lists.

If we convert groups to a model, we will switch the nested <member> tags into comma separated fields, e.g. <member>1</member> <member>12</member> will convert to: <member>1,12</member> using this commit we support both for areas where these are being read.
2026-03-13 08:09:41 +00:00 · 2024-11-06 21:24:30 +01:00 · 2024-11-06 21:24:30 +01:00 · 0788dde6d2
commit 0788dde6d2
parent 60fe414c1e
4 changed files with 31 additions and 15 deletions
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@ -486,7 +486,7 @@ function local_user_get_groups($user)
 {
    global $config;

-    $groups = array();
+    $groups = [];

    if (!isset($config['system']['group'])) {
        return $groups;
@ -494,8 +494,11 @@ function local_user_get_groups($user)

    foreach ($config['system']['group'] as $group) {
        if (isset($group['member'])) {
-            if (in_array($user['uid'], $group['member'])) {
-                $groups[] = $group['name'];
+            foreach ($group['member'] as $member) {
+                if (in_array($user['uid'], explode(',', $member))) {
+                    $groups[] = $group['name'];
+                    break;
+                }
            }
        }
    }
@ -587,7 +590,11 @@ function local_group_set($group)
    $group_members = '';

    if (!empty($group['member']) && count($group['member']) > 0) {
-        $group_members = implode(',', $group['member']);
+        $members = [];
+        foreach ($group['member'] as $member) {
+            $members = array_merge($members, explode(',', $member));
+        }
+        $group_members = implode(',', $members);
    }

    $ret = mwexecf('/usr/sbin/pw groupshow %s', $group_name, true);
--- a/src/etc/inc/plugins.inc.d/core.inc
+++ b/src/etc/inc/plugins.inc.d/core.inc
@ -499,7 +499,10 @@ function core_user_changed_groups($unused, $username)
                    $current_groups = explode(" ", $out[0]);
                }
                foreach ($config['system']['group'] as $group) {
-                    $in_group = !empty($group['member']) && in_array($user['uid'], $group['member']);
+                    $in_group = false;
+                    foreach (!empty($group['member']) ? $group['member'] : [] as $grp) {
+                        $in_group = $in_group || in_array($user['uid'], explode(',', $grp));
+                    }
                    $to_remove = in_array($group['name'], $current_groups) && !$in_group;
                    $to_add = !in_array($group['name'], $current_groups) && $in_group;
                    if ($to_remove || $to_add) {
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@ -132,11 +132,16 @@ class ACL
            $allGroupPrivs[$groupkey] = [];
            foreach ($groupNode->children() as $itemKey => $node) {
                $node_data = (string)$node;
-                if ($itemKey == "member" && $node_data != "" && isset($userUidMap[$node_data])) {
-                    $username = $userUidMap[$node_data];
-                    if ($this->userDatabase[$username]["uid"] == $node_data) {
-                        $this->userDatabase[$username]["groups"][] = $groupkey;
-                        $this->userDatabase[$username]["gids"][] = (string)$groupNode->gid;
+                if ($itemKey == "member" && $node_data != "") {
+                    foreach (explode(',', $node_data) as $member) {
+                        if (!isset($userUidMap[$member])) {
+                            continue;
+                        }
+                        $username = $userUidMap[$member];
+                        if ($this->userDatabase[$username]["uid"] == $member) {
+                            $this->userDatabase[$username]["groups"][] = $groupkey;
+                            $this->userDatabase[$username]["gids"][] = (string)$groupNode->gid;
+                        }
                    }
                } elseif ($itemKey == "priv") {
                    foreach (array_filter(explode(',', $node_data)) as $privname) {
@ -310,7 +315,7 @@ class ACL
                    $group_privs = [];
                    $userInGrp = false;
                    foreach ($groupNode->children() as $itemKey => $node) {
-                        if ($node->getName() == "member" && (string)$node == $uid) {
+                        if ($node->getName() == "member" && in_array($uid, explode(',', $node))) {
                            $userInGrp = true;
                        } elseif ($node->getName() == "priv") {
                            $group_privs = array_merge($group_privs, array_filter(explode(',', $node)));
--- a/src/opnsense/scripts/auth/list_group_members.php
+++ b/src/opnsense/scripts/auth/list_group_members.php
@ -47,10 +47,11 @@ if (isset($cnf->system->group)) {
        }
        $result[$gid] = ['name' => $group_name, 'members' => []];
        if (isset($group->member)) {
-            foreach ($group->member as $member) {
-                $member_uid = (string)$member;
-                if (isset($uid_map[$member_uid])) {
-                    $result[$gid]['members'][] = $uid_map[$member_uid];
+            foreach ($group->member as $item) {
+                foreach (explode(',', (string)$item) as $member_uid) {
+                    if (isset($uid_map[$member_uid])) {
+                        $result[$gid]['members'][] = $uid_map[$member_uid];
+                    }
                }
            }
        }