Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
class_userinfo.inc 37.53 KiB
1 
<?php
2 
/*
3 
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
4
5 
  Copyright (C) 2003-2010  Cajus Pollmeier
6 
  Copyright (C) 2011-2019  FusionDirectory
7
8 
  This program is free software; you can redistribute it and/or modify
9 
  it under the terms of the GNU General Public License as published by
10 
  the Free Software Foundation; either version 2 of the License, or
11 
  (at your option) any later version.
12
13 
  This program is distributed in the hope that it will be useful,
14 
  but WITHOUT ANY WARRANTY; without even the implied warranty of
15 
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 
  GNU General Public License for more details.
17
18 
  You should have received a copy of the GNU General Public License
19 
  along with this program; if not, write to the Free Software
20 
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
21 
*/
22
23 
/*!
24 
 * \file class_userinfo.inc
25 
 * Source code for the class userinfo
26 
 */
27
28 
/* Define shadow states */
29 
define('POSIX_ACCOUNT_EXPIRED',           1);
30 
define('POSIX_WARN_ABOUT_EXPIRATION',     2);
31 
define('POSIX_FORCE_PASSWORD_CHANGE',     4);
32 
define('POSIX_DISALLOW_PASSWORD_CHANGE',  8);
33
34 
/*!
35 
 * \brief Class userinfo
36 
 * This class contains all informations and functions
37 
 * about user
38 
 */
39
40 
class userinfo
41 
{
42 
  var $dn;
43 
  var $cn;
44 
  var $uid;
45 
  var $sn           = '';
46 
  var $givenName    = '';
47 
  var $gidNumber    = -1;
48 
  var $language     = "";
49 
  var $subtreeACL   = [];
50 
  var $ACL          = [];
51 
  var $groups       = [];
52 
  var $roles        = [];
53 
  var $result_cache = [];
54 
  var $ignoreACL    = FALSE;
55
56 
  var $ACLperPath             = [];
57 
  var $ACLperPath_usesFilter  = [];
58
59 
  /*! \brief LDAP size limit handler */
60 
  protected $sizeLimitHandler;
61
62 
  /*! \brief Current management base */
63 
  protected $currentBase;
64
65 
  /*! \brief Password change should be forced */
66 
  protected $forcePasswordChange = FALSE;
67
68 
  /* get acl's an put them into the userinfo object
69 
     attr subtreeACL (userdn:components, userdn:component1#sub1#sub2,component2,...) */
70 
  function __construct ($userdn)
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
{ global $config; $this->dn = $userdn; $this->ignoreACL = ($config->get_cfg_value('ignoreAcl') == $this->dn); $this->loadLDAPInfo(); /* Initialize ACL_CACHE */ $this->reset_acl_cache(); $this->sizeLimitHandler = new ldapSizeLimit(); } /*! \brief Loads user information from LDAP */ function loadLDAPInfo () { global $config; $ldap = $config->get_ldap_link(); $ldap->cat($this->dn, ['cn', 'sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage']); $attrs = $ldap->fetch(); $this->uid = $attrs['uid'][0]; if (isset($attrs['cn'][0])) { $this->cn = $attrs['cn'][0]; } elseif (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])) { $this->cn = $attrs['givenName'][0].' '.$attrs['sn'][0]; } else { $this->cn = $attrs['uid'][0]; } if (isset($attrs['gidNumber'][0])) { $this->gidNumber = $attrs['gidNumber'][0]; } if (isset($attrs['sn'][0])) { $this->sn = $attrs['sn'][0]; } if (isset($attrs['givenName'][0])) { $this->givenName = $attrs['givenName'][0]; } /* Assign user language */ if (isset($attrs['preferredLanguage'][0])) { $this->language = $attrs['preferredLanguage'][0]; } } /*! * \brief Reset acl cache */ public function reset_acl_cache () { /* Initialize ACL_CACHE */ session::set('ACL_CACHE', []); } /*! * \brief Load an acl */ function loadACL () { global $config; $this->ACL = []; $this->groups = []; $this->roles = []; $this->result_cache = []; $this->reset_acl_cache(); $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); /* Get member groups... */
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
$ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']); while ($attrs = $ldap->fetch()) { $this->groups[$attrs['dn']] = $attrs['dn']; } /* Get member POSIX groups... */ $ldap->search('(&(objectClass=posixGroup)(memberUid='.ldap_escape_f($this->uid).'))', ['dn']); while ($attrs = $ldap->fetch()) { $this->groups[$attrs['dn']] = $attrs['dn']; } /* Get member roles... */ $ldap->search('(&(objectClass=organizationalRole)(roleOccupant='.ldap_escape_f($this->dn).'))', ['dn']); while ($attrs = $ldap->fetch()) { $this->roles[$attrs['dn']] = $attrs['dn']; } /* Crawl through ACLs and move relevant to the tree */ $ldap->search("(objectClass=gosaACL)", ['dn', 'gosaAclEntry']); $aclp = []; $aclc = []; while ($attrs = $ldap->fetch()) { /* Insert links in ACL array */ $aclp[$attrs['dn']] = substr_count($attrs['dn'], ','); $aclc[$attrs['dn']] = []; $ol = []; for ($i = 0; $i < $attrs['gosaAclEntry']['count']; $i++) { $ol = array_merge($ol, acl::explodeAcl($attrs['gosaAclEntry'][$i])); } $aclc[$attrs['dn']] = $ol; } /* Resolve roles here */ foreach ($aclc as $dn => $data) { foreach ($data as $prio => $aclc_value) { unset($aclc[$dn][$prio]); $ldap->cat($aclc_value['acl'], ["gosaAclTemplate"]); $attrs = $ldap->fetch(); if (isset($attrs['gosaAclTemplate'])) { $roleAcls = acl::explodeRole($attrs['gosaAclTemplate']); foreach ($roleAcls as $roleAcl) { $aclc[$dn][] = [ 'acl' => $roleAcl, 'type' => $aclc_value['type'], 'members' => $aclc_value['members'], 'filter' => $aclc_value['filter'] ]; } } } } /* ACL's read, sort for tree depth */ asort($aclp); /* Sort in tree order */ foreach ($aclp as $dn => $acl) { /* Check if we need to keep this ACL */ foreach ($aclc[$dn] as $idx => $type) { $interresting = FALSE; /* No members? This ACL rule is deactivated ... */ if (!count($type['members'])) { $interresting = FALSE; } else { /* Inspect members... */ foreach (array_keys($type['members']) as $grp) {
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
/* Some group inside the members that is relevant for us? */ if (in_array_ics(preg_replace('/^G:/', '', $grp), $this->groups)) { $interresting = TRUE; } /* Some role inside the members that is relevant for us? */ if (in_array_ics(preg_replace('/^R:/', '', $grp), $this->roles)) { $interresting = TRUE; } /* User inside the members? */ if (mb_strtoupper(preg_replace('/^U:/', '', $grp)) == mb_strtoupper($this->dn)) { $interresting = TRUE; } /* Wildcard? */ if (preg_match('/^G:\*/', $grp)) { $interresting = TRUE; } } } if ($interresting) { if (!isset($this->ACL[$dn])) { $this->ACL[$dn] = []; } $this->ACL[$dn][$idx] = $type; } } } /* Create an array which represent all relevant permissions settings per dn. The array will look like this: . ['ou=base'] ['ou=base'] = array(ACLs); . . ['ou=dep1,ou=base']['ou=dep1,ou=base'] = array(ACLs); . ['ou=base'] = array(ACLs); For object located in 'ou=dep1,ou=base' we have to both ACLs, for objects in 'ou=base' we only have to apply on ACL. */ $without_self_acl = $all_acl = []; foreach ($this->ACL as $dn => $acl) { $sdn = $dn; do { if (isset($this->ACL[$dn])) { $all_acl[$sdn][$dn] = $this->ACL[$dn]; $without_self_acl[$sdn][$dn] = $this->ACL[$dn]; foreach ($without_self_acl[$sdn][$dn] as $acl_id => $acl_set) { /* Remember which ACL set has speicial user filter */ if (isset($acl_set['filter']{1})) { $this->ACLperPath_usesFilter[$sdn] = TRUE; } /* Remove all acl entries which are especially for the current user (self acl) */ foreach ($acl_set['acl'] as $object => $object_acls) { if (isset($object_acls[0]) && (strpos($object_acls[0], "s") !== FALSE)) { unset($without_self_acl[$sdn][$dn][$acl_id]['acl'][$object]); } } } } $dn = preg_replace("/^[^,]*+,/", "", $dn); } while (strpos($dn, ',') !== FALSE); }
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
$this->ACLperPath = $without_self_acl; /* Append Self entry */ $dn = $this->dn; while (strpos($dn, ",") && !isset($all_acl[$dn])) { $dn = preg_replace("/^[^,]*+,/", "", $dn); } if (isset($all_acl[$dn])) { $this->ACLperPath[$this->dn] = $all_acl[$dn]; } } /*! * \brief Returns an array containing all target objects we've permissions on * * \return Return the next id or NULL if failed */ function get_acl_target_objects () { return array_keys($this->ACLperPath); } /*! * \brief Get permissions by category * * \param string $dn Dn from which we want to know permissions. * * \param string $category Category for which we want the acl eg: server * * \return all the permissions for the dn and category */ function get_category_permissions ($dn, $category) { return @$this->get_permissions($dn, $category.'/0', ''); } /*! * \brief Check if the given object (dn) is copyable * * \param string $dn The object dn * * \param string $object The acl category (e.g. user) * * \return boolean TRUE if the given object is copyable else FALSE */ function is_copyable ($dn, $object): bool { return (strpos($this->get_complete_category_acls($dn, $object), 'r') !== FALSE); } /*! * \brief Check if the given object (dn) is cutable * * \param string $dn The object dn * * \param string $object The acl category (e.g. user) * * \param string $class The acl class (e.g. user) * * \return boolean TRUE if the given object is cutable else FALSE */ function is_cutable ($dn, $object, $class): bool { $remove = (strpos($this->get_permissions($dn, $object.'/'.$class), 'd') !== FALSE); $read = (strpos($this->get_complete_category_acls($dn, $object), 'r') !== FALSE); return ($remove && $read); }
351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420
/*! * \brief Checks if we are allowed to paste an object to the given destination ($dn) * * \param string $dn The destination dn * * \param string $object The acl category (e.g. user) * * \return Boolean TRUE if we are allowed to paste an object. */ function is_pasteable ($dn, $object): bool { return (strpos($this->get_complete_category_acls($dn, $object), 'w') !== FALSE); } /*! * \brief Checks if we are allowed to restore a snapshot for the given dn. * * \param string $dn The destination dn * * \param string $categories The acl category (e.g. user) * * \param boolean $deleted Is it a deleted or existing object * * \return boolean TRUE if we are allowed to restore a snapshot. */ function allow_snapshot_restore ($dn, $categories, $deleted): bool { $permissions = $this->get_snapshot_permissions($dn, $categories); return in_array(($deleted ? 'restore_deleted' : 'restore_over'), $permissions); } /*! * \brief Checks if we are allowed to create a snapshot of the given dn. * * \param string $dn The source dn * * \param string $categories The acl category (e.g. user) * * \return boolean TRUE if we are allowed to create a snapshot. */ function allow_snapshot_create ($dn, $categories): bool { $permissions = $this->get_snapshot_permissions($dn, $categories); return in_array('c', $permissions); } /*! * \brief Checks if we are allowed to delete a snapshot of the given dn. * * \param string $dn The source dn * * \param string $categories The acl category (e.g. user) * * \return boolean TRUE if we are allowed to delete a snapshot. */ function allow_snapshot_delete ($dn, $categories): bool { $permissions = $this->get_snapshot_permissions($dn, $categories); return in_array('d', $permissions); } function get_snapshot_permissions ($dn, $categories) { if (!is_array($categories)) { $categories = [$categories]; }
421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490
/* Possible permissions for snapshots */ $objectPermissions = ['r', 'c', 'd']; $attributePermissions = ['restore_over', 'restore_deleted']; foreach ($categories as $category) { $acl = $this->get_permissions($dn, $category.'/SnapshotHandler'); foreach ($objectPermissions as $i => $perm) { if (strpos($acl, $perm) === FALSE) { unset($objectPermissions[$i]); } } foreach ($attributePermissions as $i => $attribute) { $acl = $this->get_permissions($dn, $category.'/SnapshotHandler', $attribute); if (strpos($acl, 'w') === FALSE) { unset($attributePermissions[$i]); } } } return array_merge($objectPermissions, $attributePermissions); } /*! * \brief Get the permissions for a specified dn * * \param string $dn The object dn * * \param string $object The acl category (e.g. user) * * \param string $attribute * * \param bool $skip_write Remove the write acl for this dn * */ function get_permissions ($dn, $object, $attribute = "", $skip_write = FALSE) { global $config; /* If we are forced to skip ACLs checks for the current user then return all permissions. */ if ($this->ignore_acl_for_current_user()) { if ($skip_write) { return 'r'; } return 'rwcdm'; } $attribute = static::sanitizeAttributeName($attribute); /* Push cache answer? */ $ACL_CACHE = &session::get_ref('ACL_CACHE'); if (isset($ACL_CACHE["$dn+$object+$attribute"])) { $ret = $ACL_CACHE["$dn+$object+$attribute"]; if ($skip_write) { $ret = str_replace(['w','c','d','m'], '', $ret); } return $ret; } /* Detect the set of ACLs we have to check for this object */ $adn = $dn; while (!isset($this->ACLperPath[$adn]) && (strpos($adn, ',') !== FALSE)) { $adn = preg_replace("/^[^,]*+,/", "", $adn); } if (isset($this->ACLperPath[$adn])) { $ACL = $this->ACLperPath[$adn]; } else { $ACL_CACHE["$dn+$object+$attribute"] = ''; return ''; }
491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560
/* If we do not need to respect any user-filter settings we can skip the per object ACL checks. */ $orig_dn = $dn; if (!isset($this->ACLperPath_usesFilter[$adn])) { $dn = $adn; if (isset($ACL_CACHE["$dn+$object+$attribute"])) { $ret = $ACL_CACHE["$dn+$object+$attribute"]; if (!isset($ACL_CACHE["$orig_dn+$object+$attribute"])) { $ACL_CACHE["$orig_dn+$object+$attribute"] = $ret; } if ($skip_write) { $ret = str_replace(['w','c','d','m'], '', $ret); } return $ret; } } /* Get ldap object, for later filter checks */ $ldap = $config->get_ldap_link(); $acl = ['r' => '', 'w' => '', 'c' => '', 'd' => '', 'm' => '', 'a' => '']; /* Build dn array */ $path = explode(',', $dn); $path = array_reverse($path); $departmentInfo = $config->getDepartmentInfo(); /* Walk along the path to evaluate the acl */ $cpath = ''; foreach ($path as $element) { /* Clean potential ACLs for each level */ if (isset($departmentInfo[$cpath])) { $acl = $this->cleanACL($acl); } if ($cpath == "") { $cpath = $element; } else { $cpath = $element.','.$cpath; } if (isset($ACL[$cpath])) { /* Inspect this ACL, place the result into ACL */ foreach ($ACL[$cpath] as $subacl) { /* Reset? Just clean the ACL and turn over to the next one... */ if ($subacl['type'] == 'reset') { $acl = $this->cleanACL($acl, TRUE); continue; } /* With user filter */ if (isset($subacl['filter']) && !empty($subacl['filter'])) { $id = $dn."-".$subacl['filter']; if (!isset($ACL_CACHE['FILTER'][$id])) { $ACL_CACHE['FILTER'][$id] = $ldap->object_match_filter($dn, $subacl['filter']); } if (!$ACL_CACHE['FILTER'][$id]) { continue; } } /* Self ACLs? */ if (($dn != $this->dn) && isset($subacl['acl'][$object][0]) && (strpos($subacl['acl'][$object][0], "s") !== FALSE)) { continue; }
561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630
/* If attribute is "", we want to know, if we've *any* permissions here... Merge global class ACLs [0] with attributes specific ACLs [attribute]. */ if (($attribute == '') && isset($subacl['acl'][$object])) { foreach ($subacl['acl'][$object] as $attr => $dummy) { $acl = $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attr]); } continue; } /* Per attribute ACL? */ if (isset($subacl['acl'][$object][$attribute])) { $acl = $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attribute]); continue; } /* Per object ACL? */ if (isset($subacl['acl'][$object][0])) { $acl = $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][0]); continue; } /* Global ACL? */ if (isset($subacl['acl']['all'][0])) { $acl = $this->mergeACL($acl, $subacl['type'], $subacl['acl']['all'][0]); continue; } /* Category ACLs (e.g. $object = "user/0") */ if (strstr($object, '/0')) { $ocs = preg_replace("/\/0$/", "", $object); if (isset($config->data['CATEGORIES'][$ocs])) { /* if $attribute is "", then check every single attribute for this object. if it is 0, then just check the object category ACL. */ if ($attribute == "") { foreach ($config->data['CATEGORIES'][$ocs]['classes'] as $oc) { if (isset($subacl['acl'][$ocs.'/'.$oc])) { // Skip ACLs which are defined for ourselfs only - if not checking against ($ui->dn) if (isset($subacl['acl'][$ocs.'/'.$oc][0]) && ($dn != $this->dn) && (strpos($subacl['acl'][$ocs.'/'.$oc][0], "s") !== FALSE)) { continue; } foreach ($subacl['acl'][$ocs.'/'.$oc] as $attr => $dummy) { $acl = $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$ocs.'/'.$oc][$attr]); } continue; } } } else { if (isset($subacl['acl'][$ocs.'/'.$oc][0])) { if (($dn != $this->dn) && (strpos($subacl['acl'][$ocs.'/'.$oc][0], "s") !== FALSE)) { continue; } $acl = $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$ocs.'/'.$oc][0]); } } } continue; } } } } /* If the requested ACL is for a container object, then alter
631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700
ACLs by applying cleanACL a last time. */ if (isset($departmentInfo[$dn])) { $acl = $this->cleanACL($acl); } /* Assemble string */ $ret = ""; foreach ($acl as $key => $value) { if ($value !== "") { $ret .= $key; } } $ACL_CACHE["$dn+$object+$attribute"] = $ret; $ACL_CACHE["$orig_dn+$object+$attribute"] = $ret; /* Remove write if needed */ if ($skip_write) { $ret = str_replace(['w','c','d','m'], '', $ret); } return $ret; } /*! * \brief Extract all departments that are accessible * * Extract all departments that are accessible (direct or 'on the way' to an * accessible department) * * \param string $module The module * * \param bool $skip_self_acls FALSE * * \return array Return all accessible departments */ function get_module_departments ($module, $skip_self_acls = FALSE) { global $config; /* If we are forced to skip ACLs checks for the current user then return all departments as valid. */ if ($this->ignore_acl_for_current_user()) { return array_values($config->getDepartmentList()); } /* Use cached results if possilbe */ $ACL_CACHE = &session::get_ref('ACL_CACHE'); if (!is_array($module)) { $module = [$module]; } $departmentInfo = $config->getDepartmentInfo(); $res = []; foreach ($module as $mod) { if (isset($ACL_CACHE['MODULE_DEPARTMENTS'][$mod])) { $res = array_merge($res, $ACL_CACHE['MODULE_DEPARTMENTS'][$mod]); continue; } $deps = []; /* Search for per object ACLs */ foreach ($this->ACL as $dn => $infos) { foreach ($infos as $info) { $found = FALSE; foreach ($info['acl'] as $cat => $data) { /* Skip self acls? */
701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770
if ($skip_self_acls && isset($data['0']) && (strpos($data['0'], "s") !== FALSE)) { continue; } if (preg_match("/^".preg_quote($mod, '/')."/", $cat)) { $found = TRUE; break; } } if ($found && !isset($departmentInfo[$dn])) { while (!isset($departmentInfo[$dn]) && strpos($dn, ',')) { $dn = preg_replace("/^[^,]+,/", "", $dn); } if (isset($departmentInfo[$dn])) { $deps[$dn] = $dn; } } } } /* For all departments */ $departments = $config->getDepartmentList(); foreach ($departments as $dn) { if (isset($deps[$dn])) { continue; } $acl = ''; if (strpos($mod, '/')) { $acl .= $this->get_permissions($dn, $mod); } else { $acl .= $this->get_category_permissions($dn, $mod); } if (!empty($acl)) { $deps[$dn] = $dn; } } $ACL_CACHE['MODULE_DEPARTMENTS'][$mod] = $deps; $res = array_merge($res, $deps); } return array_values($res); } /*! * \brief Merge acls * * \param $acl The ACL * * \param $type The type * * \param $newACL The new ACL */ function mergeACL ($acl, $type, $newACL) { $at = ["subtree" => "s", "one" => "1"]; if ((strpos($newACL, 'w') !== FALSE) && (strpos($newACL, 'r') === FALSE)) { $newACL .= "r"; } /* Ignore invalid characters */ $newACL = preg_replace('/[^rwcdm]/', '', $newACL); foreach (str_split($newACL) as $char) { /* Skip "self" ACLs without combination of rwcdm, they have no effect. -self flag without read/write/create/... */ if (empty($char)) { continue;
771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840
} /* Skip subtree entries */ if ($acl[$char] == 's') { continue; } if ($type == "base" && $acl[$char] != 1) { $acl[$char] = 0; } else { $acl[$char] = $at[$type]; } } return $acl; } /*! * \brief Clean acls * * \param $acl ACL to be cleaned * * \param boolean $reset FALSE */ function cleanACL ($acl, $reset = FALSE) { foreach ($acl as $key => $value) { /* Continue, if value is empty or subtree */ if (($value == "") || ($value == "s")) { continue; } /* Reset removes everything but 'p' */ if ($reset && $value != 'p') { $acl[$key] = ""; continue; } /* Decrease tree level */ if (is_int($value)) { if ($value) { $acl[$key]--; } else { $acl[$key] = ""; } } } return $acl; } /*! * \brief Return combined acls for a given category * * Return combined acls for a given category. * All acls will be combined like boolean AND * As example ('rwcdm' + 'rcd' + 'wrm'= 'r') * * Results will be cached in $this->result_cache. * $this->result_cache will be resetted if load_acls is called. * * \param string $dn The DN * * \param string $category The category * * \return string return acl combined with boolean AND */ function get_complete_category_acls ($dn, $category) { global $config;
841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910
if (!is_string($category)) { trigger_error('category must be string'); return ''; } else { if (isset($this->result_cache['get_complete_category_acls'][$dn][$category])) { return $this->result_cache['get_complete_category_acls'][$dn][$category]; } $acl = 'rwcdm'; if (isset($config->data['CATEGORIES'][$category])) { foreach ($config->data['CATEGORIES'][$category]['classes'] as $oc) { if ($oc == '0') { /* Skip objectClass '0' (e.g. user/0) */ continue; } $tmp = $this->get_permissions($dn, $category.'/'.$oc); $types = $acl; for ($i = 0, $l = strlen($types); $i < $l; $i++) { if (strpos($tmp, $types[$i]) === FALSE) { $acl = str_replace($types[$i], '', $acl); } } } } else { $acl = ''; } $this->result_cache['get_complete_category_acls'][$dn][$category] = $acl; return $acl; } } /*! * \brief Ignore acl for the current user * * \return Returns TRUE if the current user is configured in IGNORE_ACL=".." * in your fusiondirectory.conf FALSE otherwise */ function ignore_acl_for_current_user () { return $this->ignoreACL; } /*! * \brief Checks the posixAccount status by comparing the shadow attributes. * * \return const * POSIX_ACCOUNT_EXPIRED - If the account is expired. * POSIX_WARN_ABOUT_EXPIRATION - If the account is going to expire. * POSIX_FORCE_PASSWORD_CHANGE - The password has to be changed. * POSIX_DISALLOW_PASSWORD_CHANGE - The password cannot be changed right now. * * * * shadowLastChange * | * |---- shadowMin ---> | <-- shadowMax -- * | | | * |------- shadowWarning -> | * |-- shadowInactive --> DEACTIVATED * | * EXPIRED * */ function expired_status () { global $config; if ($this->forcePasswordChange) { return POSIX_FORCE_PASSWORD_CHANGE;
911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980
} // Skip this for the admin account, we do not want to lock him out. if ($this->is_user_admin()) { return 0; } $ldap = $config->get_ldap_link(); if (class_available('ppolicyAccount')) { try { list($policy, $attrs) = user::fetchPpolicy($this->dn); if ( isset($policy['pwdExpireWarning'][0]) && isset($policy['pwdMaxAge'][0]) && isset($attrs['pwdChangedTime'][0]) ) { $now = new DateTime('now', timezone::utc()); $pwdExpireWarningSeconds = intval($policy['pwdExpireWarning'][0]); $maxAge = $policy['pwdMaxAge'][0]; /* Build expiration date from pwdChangedTime and max age */ $expDate = LdapGeneralizedTime::fromString($attrs['pwdChangedTime'][0]); $expDate->setTimezone(timezone::utc()); $expDate->add(new DateInterval('PT'.$maxAge.'S')); if ($expDate->getTimeStamp() < ($now->getTimeStamp() + $pwdExpireWarningSeconds)) { return POSIX_WARN_ABOUT_EXPIRATION; } } } catch (NonExistingLdapNodeException $e) { /* ppolicy not found in the LDAP */ } } if ($config->get_cfg_value('handleExpiredAccounts') != 'TRUE') { return 0; } $ldap->cd($config->current['BASE']); $ldap->cat($this->dn); $attrs = $ldap->fetch(); $current = floor(date("U") / 60 / 60 / 24); // Fetch required attributes foreach (['shadowExpire','shadowLastChange','shadowMax','shadowMin', 'shadowInactive','shadowWarning','sambaKickoffTime'] as $attr) { $$attr = (isset($attrs[$attr][0]) ? $attrs[$attr][0] : NULL); } // Check if the account has reached its kick off limitations. // ---------------------------------------------------------- // Once the accout reaches the kick off limit it has expired. if (($sambaKickoffTime !== NULL) && (time() >= $sambaKickoffTime)) { return POSIX_ACCOUNT_EXPIRED; } // Check if the account has expired. // --------------------------------- // An account is locked/expired once its expiration date was reached (shadowExpire). // If the optional attribute (shadowInactive) is set, we've to postpone // the account expiration by the amount of days specified in (shadowInactive). // ShadowInactive specifies an amount of days we've to reprieve the user. // It some kind of x days' grace. if (($shadowExpire != NULL) && ($shadowExpire <= $current) && (($shadowInactive == NULL) || ($current > $shadowExpire + $shadowInactive))) { return POSIX_ACCOUNT_EXPIRED; } // The users password is going to expire. // -------------------------------------- // We've to warn the user in the case of an expiring account.
981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050
// An account is going to expire when it reaches its expiration date (shadowExpire). // The user has to be warned, if the days left till expiration, match the // configured warning period (shadowWarning) // --> shadowWarning: Warn x days before account expiration. // Check if the account is still active and not already expired. // Check if we've to warn the user by comparing the remaining // number of days till expiration with the configured amount of days in shadowWarning. if (($shadowExpire != NULL) && ($shadowWarning != NULL) && ($shadowExpire >= $current) && ($shadowExpire <= $current + $shadowWarning)) { return POSIX_WARN_ABOUT_EXPIRATION; } // -- I guess this is the correct detection, isn't it? if (($shadowLastChange != NULL) && ($shadowWarning != NULL) && ($shadowMax != NULL)) { $daysRemaining = ($shadowLastChange + $shadowMax) - $current; if ($daysRemaining > 0 && $daysRemaining <= $shadowWarning) { return POSIX_WARN_ABOUT_EXPIRATION; } } // Check if we've to force the user to change his password. // -------------------------------------------------------- // A password change is enforced when the password is older than // the configured amount of days (shadowMax). // The age of the current password (shadowLastChange) plus the maximum // amount amount of days (shadowMax) has to be smaller than the // current timestamp. // Check if we've an outdated password. if (($shadowLastChange != NULL) && ($shadowMax != NULL) && ($current >= $shadowLastChange + $shadowMax)) { return POSIX_FORCE_PASSWORD_CHANGE; } // Check if we've to freeze the users password. // -------------------------------------------- // Once a user has changed his password, he cannot change it again // for a given amount of days (shadowMin). // We should not allow to change the password within FusionDirectory too. // Check if we've an outdated password. if (($shadowLastChange != NULL) && ($shadowMin != NULL) && ($shadowLastChange + $shadowMin >= $current)) { return POSIX_DISALLOW_PASSWORD_CHANGE; } return 0; } /* \brief Check if a user is a 'user admin' */ function is_user_admin () { global $config; if (empty($this->ACLperPath)) { $this->loadACL(); } return ($this->get_permissions($config->current['BASE'], 'user/user') == 'rwcdm'); } /* \brief Test if a plugin is blacklisted for this user (does not show up in the menu) */ function isBlacklisted ($plugin) { global $config; $blacklist = $config->get_cfg_value('PluginsMenuBlacklist', []); foreach ($blacklist as $item) { list ($group, $p) = explode('|', $item, 2); if (($plugin == $p) && (in_array($group, $this->groups) || in_array($group, $this->roles))) { return TRUE; } }
1051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120
return FALSE; } /* \brief Search which ACL category should be used for this attribute and this object type, if any * * \return The ACL category, or FALSE if not found, or TRUE if acl check should be bypassed */ function getAttributeCategory ($type, $attribute) { global $config; if (in_array_ics($attribute, ['objectClass', 'dn'])) { return TRUE; } $attribute = static::sanitizeAttributeName($attribute); if (is_array($type)) { /* Used for recursion through subtabs */ $prefix = ''; $tabs = $type; } else { /* Usual workflow */ $infos = objects::infos($type); $prefix = $infos['aclCategory'].'/'; $tabs = $config->data['TABS'][$infos['tabGroup']]; } foreach ($tabs as $tab) { $acls = pluglist::pluginInfos($tab['CLASS'])['plProvidedAcls']; if (isset($acls[$attribute])) { return $prefix.$tab['CLASS']; } if (isset($tab['SUBTABS'])) { $acl = $this->getAttributeCategory($config->data['TABS'][$tab['SUBTABS']], $attribute); if ($acl !== FALSE) { return $prefix.$acl; } } } return FALSE; } function getSizeLimitHandler () { return $this->sizeLimitHandler; } /* \brief Returns the base this user is stored in */ function getBase () { return get_base_from_people($this->dn); } /* \brief Returns the current base the user went to in management classes */ function getCurrentBase () { if (!empty($this->currentBase)) { return $this->currentBase; } else { return $this->getBase(); } } /* \brief Sets the current base the user went to in management classes */ function setCurrentBase ($base) {
1121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190
$this->currentBase = $base; } /* \brief Get ACL name or HTML id from attribute name */ public static function sanitizeAttributeName ($name) { return preg_replace('/[\/\-,.#:;]/', '_', $name); } /*! * \brief Get user from LDAP directory * * Search the user by login or other fields authorized by the configuration * * \param string $username The username or email to check * * \return userinfo instance on SUCCESS, FALSE if not found, string error on error */ public static function getLdapUser (string $username) { global $config; /* look through the entire ldap */ $ldap = $config->get_ldap_link(); if (!$ldap->success()) { msg_dialog::display(_('LDAP error'), msgPool::ldaperror($ldap->get_error(FALSE), '', LDAP_AUTH), FATAL_ERROR_DIALOG); exit(); } $allowed_attributes = ['uid','mail']; $verify_attr = []; $tmp = explode(',', $config->get_cfg_value('loginAttribute')); foreach ($tmp as $attr) { if (in_array($attr, $allowed_attributes)) { $verify_attr[] = $attr; } } if (count($verify_attr) == 0) { $verify_attr = ['uid']; } $tmp = $verify_attr; $tmp[] = 'uid'; $filter = ''; foreach ($verify_attr as $attr) { $filter .= '('.$attr.'='.$username.')'; } $filter = '(&(|'.$filter.')(objectClass=inetOrgPerson))'; $ldap->cd($config->current['BASE']); $ldap->search($filter, $tmp); /* get results, only a count of 1 is valid */ if ($ldap->count() == 0) { /* user not found */ return FALSE; } elseif ($ldap->count() != 1) { /* found more than one matching id */ return _('Login (uid) is not unique inside the LDAP tree. Please contact your administrator.'); } /* LDAP schema is not case sensitive. Perform additional check. */ $attrs = $ldap->fetch(); $success = FALSE; foreach ($verify_attr as $attr) { if (isset($attrs[$attr][0]) && $attrs[$attr][0] == $username) { $success = TRUE; }
119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253
} $ldap->disconnect(); if (!$success) { return FALSE; } return new userinfo($attrs['dn']); } /*! * \brief Verify user login against LDAP directory * * Checks if the specified username is in the LDAP and verifies if the * password is correct by binding to the LDAP with the given credentials. * * \param string $username The username to check * * \param string $password The password to check * * \return TRUE on SUCCESS, NULL or FALSE on error */ public static function loginUser (string $username, string $password): userinfo { global $config; $ui = static::getLdapUser($username); if ($ui === FALSE) { throw new LoginFailureException(ldap::invalidCredentialsError()); } elseif (is_string($ui)) { msg_dialog::display(_('Internal error'), $ui, FATAL_ERROR_DIALOG); exit(); } /* password check, bind as user with supplied password */ $ldapObj = new LDAP($ui->dn, $password, $config->current['SERVER'], isset($config->current['LDAPFOLLOWREFERRALS']) && ($config->current['LDAPFOLLOWREFERRALS'] == 'TRUE'), isset($config->current['LDAPTLS']) && ($config->current['LDAPTLS'] == 'TRUE') ); $ldap = new ldapMultiplexer($ldapObj); if (!$ldap->success()) { if ($ldap->get_error(FALSE) == 'changeAfterReset') { $ui->forcePasswordChange = TRUE; } else { throw new LoginFailureException($ldap->get_error(FALSE)); } } if (class_available('ppolicyAccount') && !function_exists('ldap_bind_ext')) { $ldap->cd($config->current['BASE']); $ldap->search('(objectClass=*)', [], 'one'); if (!$ldap->success()) { $ui->forcePasswordChange = TRUE; } } /* Username is set, load subtreeACL's now */ $ui->loadACL(); return $ui; } }