Commit e6a2fba0 authored by Côme Chilliet's avatar Côme Chilliet

Fixes #4560 Added an option to restrict roles members to group members

parent 8c72e0d0
......@@ -166,6 +166,12 @@ attributetype ( 1.3.6.1.4.1.38414.8.12.18 NAME 'fdCnPattern'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.38414.8.12.19 NAME 'fdRestrictRoleMembers'
DESC 'FusionDirectory - Restrict role members to users from the same LDAP branch'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# Password
attributetype ( 1.3.6.1.4.1.38414.8.13.1 NAME 'fdPasswordDefaultHash'
......@@ -568,7 +574,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
fdStrictNamingRules $ fdMinId $ fdUidNumberBase $
fdGidNumberBase $ fdUserRDN $ fdGroupRDN $ fdIdAllocationMethod $
fdGidNumberPoolMin $ fdUidNumberPoolMin $ fdGidNumberPoolMax $ fdUidNumberPoolMax $
fdAclRoleRDN $ fdCnPattern $
fdAclRoleRDN $ fdCnPattern $ fdRestrictRoleMembers $
fdPasswordDefaultHash $ fdPasswordMinLength $ fdPasswordMinDiffer $
fdPasswordHook $ fdHandleExpiredAccounts $ fdSaslRealm $ fdSaslExop $
fdForcePasswordDefaultHash $
......
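Review bot: The DESC of the new `fdRestrictRoleMembers` attribute says only "users from the same LDAP branch", but the behaviour this commit wires up (and the help text added in configInLdap) also admits users who are members of groups located in that branch, so the schema description undersells what the flag allows. Suggest `DESC 'FusionDirectory - Restrict role members to users from the same LDAP branch or to members of groups in that branch'`. The second hunk only appends the attribute to the fusionDirectoryConf MAY list and needs nothing further.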
......@@ -22,30 +22,51 @@
class filterLDAPBlacklist {
static function query($parent,$base, $scope, $filter, $attributes, $category, $objectStorage= "")
static function query($parent, $base, $scope, $filter, $attributes, $category, $objectStorage = "")
{
$result = filterLDAP::query($parent,$base, $scope, $filter, $attributes, $category, $objectStorage);
return(filterLDAPBlacklist::filterByBlacklist($result));
$result = filterLDAP::query($parent, $base, $scope, $filter, $attributes, $category, $objectStorage);
return filterLDAPBlacklist::filterByBlacklist($result);
}
static function filterByBlacklist($entries)
{
if(session::is_set('filterBlacklist')){
if (session::is_set('filterWhitelist')) {
$wlist = session::get('filterWhitelist');
if (!empty($wlist)) {
foreach ($entries as $id => $entry) {
$dn1 = $entry['dn'];
$dn2 = $wlist['dn'];
if (in_array($entry['dn'], $wlist['dn'])) {
continue;
}
foreach ($wlist['branches'] as $branch) {
if (preg_match('/'.preg_quote($branch, '/').'$/', $entry['dn'])) {
continue 2;
}
}
unset($entries[$id]);
}
}
}
if (session::is_set('filterBlacklist')) {
$blist = session::get('filterBlacklist');
foreach($blist as $attr_name => $attr_values){
foreach($attr_values as $match){
foreach($entries as $id => $entry){
if(isset($entry[$attr_name])){
foreach ($blist as $attr_name => $attr_values) {
foreach ($attr_values as $match) {
foreach ($entries as $id => $entry) {
if (isset($entry[$attr_name])) {
$test = $entry[$attr_name];
if(!is_array($test)) $test = array($test);
if(in_array($match, $test)) unset($entries[$id]);
if (!is_array($test)) {
$test = array($test);
}
if (in_array($match, $test)) {
unset($entries[$id]);
}
}
}
}
}
}
return(array_values($entries));
return array_values($entries);
}
}
?>
......@@ -66,6 +66,7 @@ class GenericSelectDialog extends GenericDialog
function dialog_execute ()
{
session::set('filterBlacklist', $this->attribute->getFilterBlackList());
session::set('filterWhitelist', $this->attribute->getFilterWhiteList());
return parent::dialog_execute();
}
......@@ -189,6 +190,11 @@ class DialogAttribute extends SetAttribute
trigger_error("abstract method");
}
function getFilterWhiteList ()
{
return array();
}
function loadPostValue ()
{
parent::loadPostValue();
......
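Review bot: The new default `getFilterWhiteList()` carries no documentation, yet the only consumer, filterLDAPBlacklist::filterByBlacklist, depends on an exact array shape that a subclass author cannot discover from this method. Add a docblock above it stating that an empty array means "no restriction", and that a non-empty return must provide two keys, `branches` (list of base DNs whose subtree is allowed) and `dn` (list of explicitly allowed DNs), with an entry kept only when it matches one of them; the enclosing DialogAttribute class starts outside the hunk.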
......@@ -18,6 +18,29 @@
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
class RoleMembersAttribute extends UsersAttribute
{
protected $whitelistDns = NULL;
function getFilterWhiteList()
{
global $config;
if ($config->get_cfg_value('RestrictRoleMembers') == 'TRUE') {
if ($this->whitelistDns === NULL) {
/* Computes a list of members of all groups within our branch */
$groups = objects::ls('ogroup', array('member' => '*'), $this->plugin->base);
$this->whitelistDns = call_user_func_array('array_merge_recursive', $groups)['member'];
}
return array(
'branches' => array($this->plugin->base),
'dn' => $this->whitelistDns,
);
} else {
return array();
}
}
}
class roleGeneric extends simplePlugin
{
var $mainTab = TRUE;
......@@ -74,7 +97,7 @@ class roleGeneric extends simplePlugin
_('Fax number'), _('Fax number'),
'facsimileTelephoneNumber'
),
new UsersAttribute(
new RoleMembersAttribute (
_('Users'), _('Add users for the role'),
'roleOccupant', FALSE
)
......
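Review bot: `call_user_func_array('array_merge_recursive', $groups)['member']` in RoleMembersAttribute::getFilterWhiteList yields `NULL` whenever no group in the branch has a member (no `'member'` key to read, and an empty `$groups` gives the function no arguments), so `$this->whitelistDns` stays `NULL`, the `=== NULL` cache guard re-queries LDAP on every call, and the returned `'dn'` value makes the consumer's `in_array` warn instead of filtering. Building the list explicitly avoids all three; the rewritten cache fill is below, and if `$group['member']` can be a single string rather than an array the `(array)` cast covers it (the shape returned by objects::ls is not visible here, so please confirm). Note also that this whitelist is only applied to the picker's result set; whether the submitted `roleOccupant` DNs are checked against the same rule on save is outside this diff and worth verifying, since a UI-only restriction does not constrain a crafted POST. The second hunk merely swaps in the new attribute class.
```php
if ($this->whitelistDns === NULL) {
    /* Computes a list of members of all groups within our branch */
    $groups = objects::ls('ogroup', array('member' => '*'), $this->plugin->base);
    $members = array();
    foreach ($groups as $group) {
        if (isset($group['member'])) {
            // 'member' is assumed to hold DNs as an array when present — confirm against objects::ls
            $members = array_merge($members, (array)$group['member']);
        }
    }
    $this->whitelistDns = array_values(array_unique($members));
}
// … unchanged: return array('branches' => ..., 'dn' => $this->whitelistDns) …
```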
......@@ -363,6 +363,10 @@ class configInLdap extends simplePlugin
'fdGidNumberPoolMax', FALSE,
0, FALSE, 40000
),
new BooleanAttribute (
_('Restrict role members'), _('When enabled only users from the same branch or members of groups from the same branch can be added to a role.'),
'fdRestrictRoleMembers'
),
)
),
'debug' => array(
......