From dfbd724cf365573a985213212e67926f24752d15 Mon Sep 17 00:00:00 2001
From: Thibault Dockx <thibault.dockx@fusiondirectory.org>
Date: Mon, 27 Jan 2025 21:50:44 +0000
Subject: [PATCH] :sparkles: (Core) - General locking is bypassed from supann

General lock is bypassed by supann.
---
 include/class_Lock.inc                        |  2 +-
 .../password-methods/class_passwordMethod.inc | 20 ++++++++++++-------
 .../management/users/class_userManagement.inc |  4 ++--
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/include/class_Lock.inc b/include/class_Lock.inc
index 4e3c06f1d..0fc78ee3f 100644
--- a/include/class_Lock.inc
+++ b/include/class_Lock.inc
@@ -37,7 +37,7 @@ class Lock
   /*!
    *  \brief Add a lock for object(s)
    *
-   * Adds a lock by the specified user for one ore multiple objects.
+   * Adds a lock by the specified user for one or multiple objects.
    * If a lock for that object already exists from another user, an error is triggered.
    *
    * \param array $object The object or array of objects to lock
diff --git a/include/password-methods/class_passwordMethod.inc b/include/password-methods/class_passwordMethod.inc
index 30a1b74d7..c48483c76 100644
--- a/include/password-methods/class_passwordMethod.inc
+++ b/include/password-methods/class_passwordMethod.inc
@@ -123,9 +123,9 @@ abstract class passwordMethod
    *
    * \param string $dn
    */
-  function lock_account ($dn = '')
+  function lock_account ($dn = '', bool $lockEverything = TRUE)
   {
-    return $this->generic_modify_account($dn, 'LOCK');
+    return $this->generic_modify_account($dn, 'LOCK', $lockEverything);
   }
 
   /*!
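Review bot: The docblock above `lock_account` still lists only `\param string $dn`, so the new `$lockEverything` argument is undocumented; the same gap exists on `lockUser` in class_userManagement.inc and on `generic_modify_account`. Passing FALSE skips the per-tab locking handlers, so callers need to know they get a partial lock. I would add `\param bool $lockEverything When FALSE, tabs implementing UserTabLockingAction are not asked to add their locking attributes` to each of the three docblocks.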
@@ -141,7 +141,7 @@ abstract class passwordMethod
    * \brief Unlocks an account which was locked by 'lock_account()'.
    *        For details about the locking mechanism see 'lock_account()'.
    */
-  private function generic_modify_account ($dn, string $mode)
+  private function generic_modify_account ($dn, string $mode, bool $lockEverything = TRUE)
   {
     global $config;
     if (!$this->lockable) {
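Review bot: `$lockEverything` is added to `generic_modify_account`, which also serves the 'UNLOCK' mode, yet its name and default describe locking only. `unlock_account` is not changed by this patch, so it presumably keeps the default TRUE and runs every tab's `fillLockingLDAPAttrs` in UNLOCK mode, even for an account that was locked with the flag set to FALSE. Whether the tab handlers tolerate unlocking attributes they never locked is not visible here and should be confirmed. A mode-neutral name such as `$includeTabs`, or a docblock line stating what the flag does on unlock, would make the contract explicit. The function body continues outside this hunk.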
@@ -163,15 +163,21 @@ abstract class passwordMethod
     } elseif ($mode == 'UNLOCK') {
       return TRUE;
     }
-
     /* Fill modification array */
     $modify = [];
-    foreach ($userObject->by_object as $tab) {
-      if ($tab instanceof UserTabLockingAction) {
-        $tab->fillLockingLDAPAttrs($mode, $modify);
+
+    // Only trigger if general lock is set
+    if ($lockEverything) {
+      foreach ($userObject->by_object as $tab) {
+        if ($tab instanceof UserTabLockingAction) {
+          // Execute below function if available in each plugin tab to lock what is required to be locked. (webservice etc).
+          $tab->fillLockingLDAPAttrs($mode, $modify);
+        }
       }
     }
 
+
+
     // Call pre hooks
     $errors = $userMainTab->callHook('PRE'.$mode, [], $ret);
     if (!empty($errors)) {
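Review bot: With `$lockEverything` FALSE the loop is skipped, so no `UserTabLockingAction` tab adds anything to `$modify`. The inner comment says those handlers lock "webservice etc.", so such credentials presumably stay usable on an account that is then reported as locked. The guard comment `// Only trigger if general lock is set` does not say this; I would replace it with `// When $lockEverything is FALSE, tab-level locking (webservice etc.) is skipped and those credentials are left untouched.` The two blank lines added before `// Call pre hooks` should also be dropped. The rest of `generic_modify_account`, including what is finally written to LDAP, lies outside this hunk.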
diff --git a/plugins/management/users/class_userManagement.inc b/plugins/management/users/class_userManagement.inc
index 454e7a03b..575cbc9c9 100644
--- a/plugins/management/users/class_userManagement.inc
+++ b/plugins/management/users/class_userManagement.inc
@@ -107,7 +107,7 @@ class userManagement extends management
    * \param string $pwd     userPassword value
    * \param string $dn      dn of the LDAP node
    */
-  static function lockUser (string $action, string $pwd, string $dn)
+  static function lockUser (string $action, string $pwd, string $dn, bool $lockEverything = TRUE)
   {
     $method = passwordMethod::get_method($pwd, $dn);
     if ($method instanceof passwordMethod) {
@@ -129,7 +129,7 @@ class userManagement extends management
 
       $success = TRUE;
       if (($action == 'lock') && !$method->is_locked($dn)) {
-        $success = $method->lock_account($dn);
+        $success = $method->lock_account($dn, $lockEverything);
         // Requiring logging mechanism for audit.
         if ($success) {
           logging::log('security', 'account', $dn, [], 'DN : ' . $dn . ' is locked.');
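Review bot: The audit entry written after `lock_account($dn, $lockEverything)` is the same whether the lock was complete or partial, so the security log cannot tell the two apart. I would record the flag, e.g. `logging::log('security', 'account', $dn, [], 'DN : ' . $dn . ' is locked' . ($lockEverything ? '.' : ' (tab-level locking skipped).'));`. Separately, the guard `!$method->is_locked($dn)` means a later full lock request is presumably skipped once a partial lock is in place, so the tab-level attributes would never be applied. That depends on how `is_locked` decides, which is not visible here. The body of `lockUser` continues outside this hunk.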
-- 
GitLab