mirror of
https://gitlab.easter-eggs.com/ee/ldapsaisie.git
synced 2024-11-22 09:59:06 +01:00
LSauth add filter_function parameter
This commit is contained in:
parent
05519c5432
commit
0c171789d3
5 changed files with 117 additions and 18 deletions
|
@ -25,6 +25,7 @@ serveur LDAP.</para>
|
|||
'[object type 1]',
|
||||
'[object type 2]' => array(
|
||||
'filter' => '[LDAP filter]',
|
||||
'filter_function' => [callable],
|
||||
'password_attribute' => '[attribute name]',
|
||||
'web_access' => [booléen],
|
||||
'api_access' => [booléen],
|
||||
|
@ -170,6 +171,21 @@ serveur LDAP.</para>
|
|||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>filter_function</term>
|
||||
<listitem>
|
||||
<simpara><emphasis>Callable</emphasis> (au sens PHP) utilisé pour filtrer les utilisateurs
|
||||
trouvés dans l'annuaire à partir des autres paramètres : cette fonction, si elle est définie,
|
||||
sera appelée pour chaque utilisateur trouvé, avec pour unique paramètre, une référence à l'objet
|
||||
LDAP correspondant (<literal>LSldapObject</literal>). Cette méthode devra alors retourner
|
||||
<literal>true</literal> ou <literal>false</literal> pour respectivement autoriser ou interdire
|
||||
l'accès à l'application à l'utilisateur.</simpara>
|
||||
<note><simpara>Si un utilisateur est exclus par cette méthode et qu'aucun autre utilisateur
|
||||
correspondant n'a été trouvé dans l'annuaire, une page d'erreur sera affichée et indiquera que
|
||||
l'accès à l'application est refusée.</simpara></note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>password_attribute</term>
|
||||
<listitem>
|
||||
|
|
|
@ -132,6 +132,7 @@ class LSauth extends LSlog_staticLoggerClass {
|
|||
|
||||
$objTypes[$objType] = array(
|
||||
'filter' => self :: getConfig("LSobjects.$objType.filter", null, 'string'),
|
||||
'filter_function' => self :: getConfig("LSobjects.$objType.filter_function", null),
|
||||
'password_attribute' => self :: getConfig("LSobjects.$objType.password_attribute", 'userPassword', 'string'),
|
||||
);
|
||||
}
|
||||
|
@ -169,11 +170,19 @@ class LSauth extends LSlog_staticLoggerClass {
|
|||
*/
|
||||
public static function username2LSobjects($username) {
|
||||
$user_objects = array();
|
||||
$excluded_objects = false;
|
||||
foreach (self :: getAuthObjectTypes() as $objType => $objParams) {
|
||||
if (!LSsession :: loadLSobject($objType)) {
|
||||
LSerror :: addErrorCode('LSauth_03', $objType);
|
||||
return false;
|
||||
}
|
||||
if (isset($objParams['filter_function']) && !is_callable($objParams['filter_function'])) {
|
||||
LSerror :: addErrorCode(
|
||||
'LSauth_09',
|
||||
['objtype' => $objType, 'function' => format_callable($objParams['filter_function'])]
|
||||
);
|
||||
return false;
|
||||
}
|
||||
$authobject = new $objType();
|
||||
$result = $authobject -> searchObject(
|
||||
$username,
|
||||
|
@ -181,12 +190,28 @@ class LSauth extends LSlog_staticLoggerClass {
|
|||
$objParams['filter'],
|
||||
array('withoutCache' => true, 'onlyAccessible' => false)
|
||||
);
|
||||
for($i=0; $i<count($result); $i++)
|
||||
for($i=0; $i<count($result); $i++) {
|
||||
if (
|
||||
isset($objParams['filter_function'])
|
||||
&& !call_user_func_array($objParams['filter_function'], [$result[$i]])
|
||||
) {
|
||||
self :: log_debug(
|
||||
sprintf(
|
||||
'username2LSobjects(%s): user %s filtered out by filter function %s',
|
||||
$username, $result[$i]->getDn(), format_callable($objParams['filter_function'])
|
||||
)
|
||||
);
|
||||
$excluded_objects = true;
|
||||
continue;
|
||||
}
|
||||
$user_objects[$result[$i] -> getDn()] = $result[$i];
|
||||
}
|
||||
}
|
||||
|
||||
$nbresult = count($user_objects);
|
||||
if ($nbresult == 0) {
|
||||
if ($excluded_objects)
|
||||
self :: accessDenied();
|
||||
// incorrect login
|
||||
self :: log_debug('Invalid username');
|
||||
LSerror :: addErrorCode('LSauth_01');
|
||||
|
@ -306,6 +331,29 @@ class LSauth extends LSlog_staticLoggerClass {
|
|||
return self :: $params['displayLoginForm'];
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle access denied error
|
||||
*
|
||||
* @return never
|
||||
**/
|
||||
public static function accessDenied() {
|
||||
http_response_code(401);
|
||||
if (LSsession :: get('api_mode') || LSsession :: getAjaxDisplay()) {
|
||||
header('Content-Type: application/json');
|
||||
$errors = array(_("You are not authorized to access this application."));
|
||||
echo json_encode(
|
||||
['errors' => [_("You are not authorized to access this application.")], 'success' => false],
|
||||
(isset($_REQUEST['pretty'])?JSON_PRETTY_PRINT:0)
|
||||
);
|
||||
}
|
||||
else if (class_exists('LStemplate')) {
|
||||
LStemplate :: assign('pagetitle', _("Access denied."));
|
||||
LStemplate :: assign('error', _("You are not authorized to access this application."));
|
||||
LStemplate :: display("error.tpl");
|
||||
}
|
||||
exit();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -335,3 +383,6 @@ ___("LSauth : Failed to get authentication informations from provider.")
|
|||
LSerror :: defineError('LSauth_08',
|
||||
___("LSauth : Method %{method} configured doesn't support API mode.")
|
||||
);
|
||||
LSerror :: defineError('LSauth_09',
|
||||
___("LSauth : The filter function speficied for %{objtype} is not callable (%{function}).")
|
||||
);
|
||||
|
|
Binary file not shown.
|
@ -8,7 +8,7 @@ msgstr ""
|
|||
"Project-Id-Version: LdapSaisie\n"
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: \n"
|
||||
"PO-Revision-Date: 2023-07-19 12:07+0200\n"
|
||||
"PO-Revision-Date: 2023-08-18 15:44+0200\n"
|
||||
"Last-Translator: Benjamin Renard <brenard@easter-eggs.com>\n"
|
||||
"Language-Team: LdapSaisie <ldapsaisie-users@lists.labs.libre-entreprise."
|
||||
"org>\n"
|
||||
|
@ -2708,43 +2708,60 @@ msgstr ""
|
|||
"LSattr_ldap_password : La fonction d'encodage %{function} n'est pas "
|
||||
"disponible. Le mot de passe sera stocké en clair."
|
||||
|
||||
#: includes/class/class.LSauth.php:315
|
||||
#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
|
||||
#: includes/class/class.LSauth.php:351
|
||||
msgid "You are not authorized to access this application."
|
||||
msgstr "Vous n'êtes pas autorisé à accéder à cette application."
|
||||
|
||||
#: includes/class/class.LSauth.php:350
|
||||
msgid "Access denied."
|
||||
msgstr "Accès interdit."
|
||||
|
||||
#: includes/class/class.LSauth.php:363
|
||||
msgid "LSauth : Login or password incorrect."
|
||||
msgstr "LSauth : Identifiant ou mot de passe incorrects."
|
||||
|
||||
#: includes/class/class.LSauth.php:318
|
||||
#: includes/class/class.LSauth.php:366
|
||||
msgid "LSauth : Impossible to identify you : Duplication of identities."
|
||||
msgstr "LSauth : Impossible de vous identifier : Duplication d'identité."
|
||||
|
||||
#: includes/class/class.LSauth.php:321
|
||||
#: includes/class/class.LSauth.php:369
|
||||
msgid "LSauth : Could not load type of identifiable objects %{type}."
|
||||
msgstr "LSauth : Impossible de charger le type d'objets identifiables %{type}."
|
||||
|
||||
#: includes/class/class.LSauth.php:324
|
||||
#: includes/class/class.LSauth.php:372
|
||||
msgid "LSauth : Can't load authentication method %{method}."
|
||||
msgstr ""
|
||||
"LSauth : Impossible de charger la méthode d'authentification %{method}."
|
||||
|
||||
#: includes/class/class.LSauth.php:327
|
||||
#: includes/class/class.LSauth.php:375
|
||||
msgid "LSauth : Failed to build the authentication provider %{method}."
|
||||
msgstr ""
|
||||
"LSauth : Impossible de construire le gestionnaire d'authentification "
|
||||
"%{method}."
|
||||
|
||||
#: includes/class/class.LSauth.php:330
|
||||
#: includes/class/class.LSauth.php:378
|
||||
msgid "LSauth : Not correctly initialized."
|
||||
msgstr "LSauth : Mauvaise initialisation."
|
||||
|
||||
#: includes/class/class.LSauth.php:333
|
||||
#: includes/class/class.LSauth.php:381
|
||||
msgid "LSauth : Failed to get authentication informations from provider."
|
||||
msgstr ""
|
||||
"LSauth : Impossible de récupérer les informations authentification auprès du "
|
||||
"gestionnaire."
|
||||
|
||||
#: includes/class/class.LSauth.php:336
|
||||
#: includes/class/class.LSauth.php:384
|
||||
msgid "LSauth : Method %{method} configured doesn't support API mode."
|
||||
msgstr "LSauth : La méthode %{method} configurée ne supporte pas le mode API."
|
||||
|
||||
#: includes/class/class.LSauth.php:387
|
||||
msgid ""
|
||||
"LSauth : The filter function speficied for %{objtype} is not callable "
|
||||
"(%{function})."
|
||||
msgstr ""
|
||||
"LSauth : La fonction de filtrage pour les %{objtype} n'est pas exécutable "
|
||||
"(%{function})."
|
||||
|
||||
#: includes/class/class.LSformElement_supannEtuInscription.php:41
|
||||
msgid "Organism"
|
||||
msgstr "Etablissement"
|
||||
|
|
|
@ -2299,38 +2299,53 @@ msgid ""
|
|||
"password will be stored in clear text."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:315
|
||||
#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
|
||||
#: includes/class/class.LSauth.php:351
|
||||
msgid "You are not authorized to access this application."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:350
|
||||
msgid "Access denied."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:363
|
||||
msgid "LSauth : Login or password incorrect."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:318
|
||||
#: includes/class/class.LSauth.php:366
|
||||
msgid "LSauth : Impossible to identify you : Duplication of identities."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:321
|
||||
#: includes/class/class.LSauth.php:369
|
||||
msgid "LSauth : Could not load type of identifiable objects %{type}."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:324
|
||||
#: includes/class/class.LSauth.php:372
|
||||
msgid "LSauth : Can't load authentication method %{method}."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:327
|
||||
#: includes/class/class.LSauth.php:375
|
||||
msgid "LSauth : Failed to build the authentication provider %{method}."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:330
|
||||
#: includes/class/class.LSauth.php:378
|
||||
msgid "LSauth : Not correctly initialized."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:333
|
||||
#: includes/class/class.LSauth.php:381
|
||||
msgid "LSauth : Failed to get authentication informations from provider."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:336
|
||||
#: includes/class/class.LSauth.php:384
|
||||
msgid "LSauth : Method %{method} configured doesn't support API mode."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSauth.php:387
|
||||
msgid ""
|
||||
"LSauth : The filter function speficied for %{objtype} is not callable "
|
||||
"(%{function})."
|
||||
msgstr ""
|
||||
|
||||
#: includes/class/class.LSformElement_supannEtuInscription.php:41
|
||||
msgid "Organism"
|
||||
msgstr ""
|
||||
|
|
Loading…
Reference in a new issue