mirror of
https://gitlab.easter-eggs.com/ee/ldapsaisie.git
synced 2024-11-22 09:59:06 +01:00
LSauth add filter_function parameter
This commit is contained in:
parent
05519c5432
commit
0c171789d3
5 changed files with 117 additions and 18 deletions
|
@ -25,6 +25,7 @@ serveur LDAP.</para>
|
||||||
'[object type 1]',
|
'[object type 1]',
|
||||||
'[object type 2]' => array(
|
'[object type 2]' => array(
|
||||||
'filter' => '[LDAP filter]',
|
'filter' => '[LDAP filter]',
|
||||||
|
'filter_function' => [callable],
|
||||||
'password_attribute' => '[attribute name]',
|
'password_attribute' => '[attribute name]',
|
||||||
'web_access' => [booléen],
|
'web_access' => [booléen],
|
||||||
'api_access' => [booléen],
|
'api_access' => [booléen],
|
||||||
|
@ -170,6 +171,21 @@ serveur LDAP.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>filter_function</term>
|
||||||
|
<listitem>
|
||||||
|
<simpara><emphasis>Callable</emphasis> (au sens PHP) utilisé pour filtrer les utilisateurs
|
||||||
|
trouvés dans l'annuaire à partir des autres paramètres : cette fonction, si elle est définie,
|
||||||
|
sera appelée pour chaque utilisateur trouvé, avec pour unique paramètre, une référence à l'objet
|
||||||
|
LDAP correspondant (<literal>LSldapObject</literal>). Cette méthode devra alors retourner
|
||||||
|
<literal>true</literal> ou <literal>false</literal> pour respectivement autoriser ou interdire
|
||||||
|
l'accès à l'application à l'utilisateur.</simpara>
|
||||||
|
<note><simpara>Si un utilisateur est exclus par cette méthode et qu'aucun autre utilisateur
|
||||||
|
correspondant n'a été trouvé dans l'annuaire, une page d'erreur sera affichée et indiquera que
|
||||||
|
l'accès à l'application est refusée.</simpara></note>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>password_attribute</term>
|
<term>password_attribute</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
|
|
|
@ -132,6 +132,7 @@ class LSauth extends LSlog_staticLoggerClass {
|
||||||
|
|
||||||
$objTypes[$objType] = array(
|
$objTypes[$objType] = array(
|
||||||
'filter' => self :: getConfig("LSobjects.$objType.filter", null, 'string'),
|
'filter' => self :: getConfig("LSobjects.$objType.filter", null, 'string'),
|
||||||
|
'filter_function' => self :: getConfig("LSobjects.$objType.filter_function", null),
|
||||||
'password_attribute' => self :: getConfig("LSobjects.$objType.password_attribute", 'userPassword', 'string'),
|
'password_attribute' => self :: getConfig("LSobjects.$objType.password_attribute", 'userPassword', 'string'),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
@ -169,11 +170,19 @@ class LSauth extends LSlog_staticLoggerClass {
|
||||||
*/
|
*/
|
||||||
public static function username2LSobjects($username) {
|
public static function username2LSobjects($username) {
|
||||||
$user_objects = array();
|
$user_objects = array();
|
||||||
|
$excluded_objects = false;
|
||||||
foreach (self :: getAuthObjectTypes() as $objType => $objParams) {
|
foreach (self :: getAuthObjectTypes() as $objType => $objParams) {
|
||||||
if (!LSsession :: loadLSobject($objType)) {
|
if (!LSsession :: loadLSobject($objType)) {
|
||||||
LSerror :: addErrorCode('LSauth_03', $objType);
|
LSerror :: addErrorCode('LSauth_03', $objType);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
if (isset($objParams['filter_function']) && !is_callable($objParams['filter_function'])) {
|
||||||
|
LSerror :: addErrorCode(
|
||||||
|
'LSauth_09',
|
||||||
|
['objtype' => $objType, 'function' => format_callable($objParams['filter_function'])]
|
||||||
|
);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
$authobject = new $objType();
|
$authobject = new $objType();
|
||||||
$result = $authobject -> searchObject(
|
$result = $authobject -> searchObject(
|
||||||
$username,
|
$username,
|
||||||
|
@ -181,12 +190,28 @@ class LSauth extends LSlog_staticLoggerClass {
|
||||||
$objParams['filter'],
|
$objParams['filter'],
|
||||||
array('withoutCache' => true, 'onlyAccessible' => false)
|
array('withoutCache' => true, 'onlyAccessible' => false)
|
||||||
);
|
);
|
||||||
for($i=0; $i<count($result); $i++)
|
for($i=0; $i<count($result); $i++) {
|
||||||
|
if (
|
||||||
|
isset($objParams['filter_function'])
|
||||||
|
&& !call_user_func_array($objParams['filter_function'], [$result[$i]])
|
||||||
|
) {
|
||||||
|
self :: log_debug(
|
||||||
|
sprintf(
|
||||||
|
'username2LSobjects(%s): user %s filtered out by filter function %s',
|
||||||
|
$username, $result[$i]->getDn(), format_callable($objParams['filter_function'])
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$excluded_objects = true;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
$user_objects[$result[$i] -> getDn()] = $result[$i];
|
$user_objects[$result[$i] -> getDn()] = $result[$i];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$nbresult = count($user_objects);
|
$nbresult = count($user_objects);
|
||||||
if ($nbresult == 0) {
|
if ($nbresult == 0) {
|
||||||
|
if ($excluded_objects)
|
||||||
|
self :: accessDenied();
|
||||||
// incorrect login
|
// incorrect login
|
||||||
self :: log_debug('Invalid username');
|
self :: log_debug('Invalid username');
|
||||||
LSerror :: addErrorCode('LSauth_01');
|
LSerror :: addErrorCode('LSauth_01');
|
||||||
|
@ -306,6 +331,29 @@ class LSauth extends LSlog_staticLoggerClass {
|
||||||
return self :: $params['displayLoginForm'];
|
return self :: $params['displayLoginForm'];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Handle access denied error
|
||||||
|
*
|
||||||
|
* @return never
|
||||||
|
**/
|
||||||
|
public static function accessDenied() {
|
||||||
|
http_response_code(401);
|
||||||
|
if (LSsession :: get('api_mode') || LSsession :: getAjaxDisplay()) {
|
||||||
|
header('Content-Type: application/json');
|
||||||
|
$errors = array(_("You are not authorized to access this application."));
|
||||||
|
echo json_encode(
|
||||||
|
['errors' => [_("You are not authorized to access this application.")], 'success' => false],
|
||||||
|
(isset($_REQUEST['pretty'])?JSON_PRETTY_PRINT:0)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
else if (class_exists('LStemplate')) {
|
||||||
|
LStemplate :: assign('pagetitle', _("Access denied."));
|
||||||
|
LStemplate :: assign('error', _("You are not authorized to access this application."));
|
||||||
|
LStemplate :: display("error.tpl");
|
||||||
|
}
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -335,3 +383,6 @@ ___("LSauth : Failed to get authentication informations from provider.")
|
||||||
LSerror :: defineError('LSauth_08',
|
LSerror :: defineError('LSauth_08',
|
||||||
___("LSauth : Method %{method} configured doesn't support API mode.")
|
___("LSauth : Method %{method} configured doesn't support API mode.")
|
||||||
);
|
);
|
||||||
|
LSerror :: defineError('LSauth_09',
|
||||||
|
___("LSauth : The filter function speficied for %{objtype} is not callable (%{function}).")
|
||||||
|
);
|
||||||
|
|
Binary file not shown.
|
@ -8,7 +8,7 @@ msgstr ""
|
||||||
"Project-Id-Version: LdapSaisie\n"
|
"Project-Id-Version: LdapSaisie\n"
|
||||||
"Report-Msgid-Bugs-To: \n"
|
"Report-Msgid-Bugs-To: \n"
|
||||||
"POT-Creation-Date: \n"
|
"POT-Creation-Date: \n"
|
||||||
"PO-Revision-Date: 2023-07-19 12:07+0200\n"
|
"PO-Revision-Date: 2023-08-18 15:44+0200\n"
|
||||||
"Last-Translator: Benjamin Renard <brenard@easter-eggs.com>\n"
|
"Last-Translator: Benjamin Renard <brenard@easter-eggs.com>\n"
|
||||||
"Language-Team: LdapSaisie <ldapsaisie-users@lists.labs.libre-entreprise."
|
"Language-Team: LdapSaisie <ldapsaisie-users@lists.labs.libre-entreprise."
|
||||||
"org>\n"
|
"org>\n"
|
||||||
|
@ -2708,43 +2708,60 @@ msgstr ""
|
||||||
"LSattr_ldap_password : La fonction d'encodage %{function} n'est pas "
|
"LSattr_ldap_password : La fonction d'encodage %{function} n'est pas "
|
||||||
"disponible. Le mot de passe sera stocké en clair."
|
"disponible. Le mot de passe sera stocké en clair."
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:315
|
#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
|
||||||
|
#: includes/class/class.LSauth.php:351
|
||||||
|
msgid "You are not authorized to access this application."
|
||||||
|
msgstr "Vous n'êtes pas autorisé à accéder à cette application."
|
||||||
|
|
||||||
|
#: includes/class/class.LSauth.php:350
|
||||||
|
msgid "Access denied."
|
||||||
|
msgstr "Accès interdit."
|
||||||
|
|
||||||
|
#: includes/class/class.LSauth.php:363
|
||||||
msgid "LSauth : Login or password incorrect."
|
msgid "LSauth : Login or password incorrect."
|
||||||
msgstr "LSauth : Identifiant ou mot de passe incorrects."
|
msgstr "LSauth : Identifiant ou mot de passe incorrects."
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:318
|
#: includes/class/class.LSauth.php:366
|
||||||
msgid "LSauth : Impossible to identify you : Duplication of identities."
|
msgid "LSauth : Impossible to identify you : Duplication of identities."
|
||||||
msgstr "LSauth : Impossible de vous identifier : Duplication d'identité."
|
msgstr "LSauth : Impossible de vous identifier : Duplication d'identité."
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:321
|
#: includes/class/class.LSauth.php:369
|
||||||
msgid "LSauth : Could not load type of identifiable objects %{type}."
|
msgid "LSauth : Could not load type of identifiable objects %{type}."
|
||||||
msgstr "LSauth : Impossible de charger le type d'objets identifiables %{type}."
|
msgstr "LSauth : Impossible de charger le type d'objets identifiables %{type}."
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:324
|
#: includes/class/class.LSauth.php:372
|
||||||
msgid "LSauth : Can't load authentication method %{method}."
|
msgid "LSauth : Can't load authentication method %{method}."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"LSauth : Impossible de charger la méthode d'authentification %{method}."
|
"LSauth : Impossible de charger la méthode d'authentification %{method}."
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:327
|
#: includes/class/class.LSauth.php:375
|
||||||
msgid "LSauth : Failed to build the authentication provider %{method}."
|
msgid "LSauth : Failed to build the authentication provider %{method}."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"LSauth : Impossible de construire le gestionnaire d'authentification "
|
"LSauth : Impossible de construire le gestionnaire d'authentification "
|
||||||
"%{method}."
|
"%{method}."
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:330
|
#: includes/class/class.LSauth.php:378
|
||||||
msgid "LSauth : Not correctly initialized."
|
msgid "LSauth : Not correctly initialized."
|
||||||
msgstr "LSauth : Mauvaise initialisation."
|
msgstr "LSauth : Mauvaise initialisation."
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:333
|
#: includes/class/class.LSauth.php:381
|
||||||
msgid "LSauth : Failed to get authentication informations from provider."
|
msgid "LSauth : Failed to get authentication informations from provider."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"LSauth : Impossible de récupérer les informations authentification auprès du "
|
"LSauth : Impossible de récupérer les informations authentification auprès du "
|
||||||
"gestionnaire."
|
"gestionnaire."
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:336
|
#: includes/class/class.LSauth.php:384
|
||||||
msgid "LSauth : Method %{method} configured doesn't support API mode."
|
msgid "LSauth : Method %{method} configured doesn't support API mode."
|
||||||
msgstr "LSauth : La méthode %{method} configurée ne supporte pas le mode API."
|
msgstr "LSauth : La méthode %{method} configurée ne supporte pas le mode API."
|
||||||
|
|
||||||
|
#: includes/class/class.LSauth.php:387
|
||||||
|
msgid ""
|
||||||
|
"LSauth : The filter function speficied for %{objtype} is not callable "
|
||||||
|
"(%{function})."
|
||||||
|
msgstr ""
|
||||||
|
"LSauth : La fonction de filtrage pour les %{objtype} n'est pas exécutable "
|
||||||
|
"(%{function})."
|
||||||
|
|
||||||
#: includes/class/class.LSformElement_supannEtuInscription.php:41
|
#: includes/class/class.LSformElement_supannEtuInscription.php:41
|
||||||
msgid "Organism"
|
msgid "Organism"
|
||||||
msgstr "Etablissement"
|
msgstr "Etablissement"
|
||||||
|
|
|
@ -2299,38 +2299,53 @@ msgid ""
|
||||||
"password will be stored in clear text."
|
"password will be stored in clear text."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:315
|
#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
|
||||||
|
#: includes/class/class.LSauth.php:351
|
||||||
|
msgid "You are not authorized to access this application."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
|
#: includes/class/class.LSauth.php:350
|
||||||
|
msgid "Access denied."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
|
#: includes/class/class.LSauth.php:363
|
||||||
msgid "LSauth : Login or password incorrect."
|
msgid "LSauth : Login or password incorrect."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:318
|
#: includes/class/class.LSauth.php:366
|
||||||
msgid "LSauth : Impossible to identify you : Duplication of identities."
|
msgid "LSauth : Impossible to identify you : Duplication of identities."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:321
|
#: includes/class/class.LSauth.php:369
|
||||||
msgid "LSauth : Could not load type of identifiable objects %{type}."
|
msgid "LSauth : Could not load type of identifiable objects %{type}."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:324
|
#: includes/class/class.LSauth.php:372
|
||||||
msgid "LSauth : Can't load authentication method %{method}."
|
msgid "LSauth : Can't load authentication method %{method}."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:327
|
#: includes/class/class.LSauth.php:375
|
||||||
msgid "LSauth : Failed to build the authentication provider %{method}."
|
msgid "LSauth : Failed to build the authentication provider %{method}."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:330
|
#: includes/class/class.LSauth.php:378
|
||||||
msgid "LSauth : Not correctly initialized."
|
msgid "LSauth : Not correctly initialized."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:333
|
#: includes/class/class.LSauth.php:381
|
||||||
msgid "LSauth : Failed to get authentication informations from provider."
|
msgid "LSauth : Failed to get authentication informations from provider."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSauth.php:336
|
#: includes/class/class.LSauth.php:384
|
||||||
msgid "LSauth : Method %{method} configured doesn't support API mode."
|
msgid "LSauth : Method %{method} configured doesn't support API mode."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
#: includes/class/class.LSauth.php:387
|
||||||
|
msgid ""
|
||||||
|
"LSauth : The filter function speficied for %{objtype} is not callable "
|
||||||
|
"(%{function})."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
#: includes/class/class.LSformElement_supannEtuInscription.php:41
|
#: includes/class/class.LSformElement_supannEtuInscription.php:41
|
||||||
msgid "Organism"
|
msgid "Organism"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
Loading…
Reference in a new issue