mirror of
https://github.com/FH-Complete/FHC-Core.git
synced 2026-07-19 07:52:16 +00:00
- Added new config file permission.php
- It contains the following entries: - List of permissions that are allowed to perform loginAs - List of permissions that cannot be gained with loginAs - List of users whose identity cannot be obtained with loginAs - Removed config entries authentication_loginas_perms and authentication_loginas_blacklist from config file auth.php - Added constants to PermissionLib: LOGINAS_ALLOWED, LOGINAS_BLACKLIST and LOGINAS_USERS_BLACKLIST - PermissionLib loads the config file permission.php - Added public method isEntitledLoginAS to PermissionLib - Added private methods _inLAUsersBlacklist, _hasLANotAllowedPermissions and _hasLAPermissions to PermissionLib - Added public method loginAS to AuthLib - Fixed logout method in AuthLib - Fixed loginLDAP method in AuthLib
This commit is contained in:
@@ -16,9 +16,3 @@ $config['authentication_login_pages'] = array(
|
||||
AUTH_LDAP => '/system/Login/usernamePassword',
|
||||
AUTH_SSO => '/system/Login/sso'
|
||||
);
|
||||
|
||||
// List of permissions that are allowed to perform loginAs
|
||||
$config['authentication_loginas_perms'] = array('admin', 'infocenter');
|
||||
|
||||
// List of permissions that cannot be gained with loginAs
|
||||
$config['authentication_loginas_blacklist'] = array('admin');
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
<?php
|
||||
|
||||
if (!defined('BASEPATH')) exit('No direct script access allowed');
|
||||
|
||||
// List of permissions that are allowed to perform loginAs
|
||||
$config['permission_loginas_allowed'] = array('admin');
|
||||
|
||||
// List of permissions that cannot be gained with loginAs
|
||||
$config['permission_loginas_blacklist'] = array('admin');
|
||||
|
||||
// List of users whose identity cannot be obtained with loginAs
|
||||
$config['permission_loginas_users_blacklist'] = array('_DummyLektor', '_DummyStudent');
|
||||
@@ -51,6 +51,36 @@ class AuthLib
|
||||
return getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ);
|
||||
}
|
||||
|
||||
/**
|
||||
* The logged user is able to get the identity of another user if it is allowed
|
||||
*/
|
||||
public function loginAS($uid)
|
||||
{
|
||||
$loginAS = error('Not authenticated', AUTH_NOT_AUTHENTICATED); // not authenticated by default
|
||||
|
||||
// - A user must be already logged
|
||||
// - The uid must be NOT an empty string
|
||||
// - The current user should NOT be already logged as the given uid
|
||||
if ($this->_isLogged() && !isEmptyString($uid) && $this->getAuthObj()->username != $uid)
|
||||
{
|
||||
$this->_ci->load->library('PermissionLib'); // Loads permissions library
|
||||
|
||||
// Checks if the logged user is allowed to obtain the new identity
|
||||
if ($this->_ci->permissionlib->isEntitledLoginAS($uid))
|
||||
{
|
||||
// Create the authentication object with new identity data
|
||||
$loginAS = $this->_createAuthObjByPerson(array('uid' => $uid));
|
||||
if (isSuccess($loginAS))
|
||||
{
|
||||
// Store the new authentication object in authentication session
|
||||
setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, getData($loginAS));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $loginAS;
|
||||
}
|
||||
|
||||
/**
|
||||
* Logs out the current logged user
|
||||
* If the user is using the LoginAs functionality then it is logged out from the acquired user
|
||||
@@ -58,28 +88,24 @@ class AuthLib
|
||||
*/
|
||||
public function logout()
|
||||
{
|
||||
$authObj = getSessionElement(AuthLib::SESSION_NAME, AuthLib::SESSION_AUTH_OBJ);
|
||||
$authObjOrigin =getSessionElement(AuthLib::SESSION_NAME, AuthLib::SESSION_AUTH_OBJ_ORIGIN);
|
||||
$authObj = getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ);
|
||||
$authObjOrigin = getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ_ORIGIN);
|
||||
|
||||
// NOT logged in
|
||||
if ($authObj == null || $authObjOrigin == null) return;
|
||||
|
||||
// LoginAs functionality NOT in use
|
||||
if ($authObj->{AuthLib::AO_PERSON_ID} == $authObjOrigin->{AuthLib::AO_PERSON_ID})
|
||||
if ($authObj->{self::AO_PERSON_ID} == $authObjOrigin->{self::AO_PERSON_ID})
|
||||
{
|
||||
// Clean the entire session -> fully logged out
|
||||
cleanSession(AuthLib::SESSION_NAME);
|
||||
cleanSession(self::SESSION_NAME);
|
||||
}
|
||||
else // loginAs functionality in use
|
||||
{
|
||||
// Copy the origin authentication object as the authentication object in session
|
||||
// The LoginAs account is logged out
|
||||
// The user is again connected with its real account
|
||||
setSessionElement(
|
||||
AuthLib::SESSION_NAME,
|
||||
AuthLib::SESSION_AUTH_OBJ,
|
||||
getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ_ORIGIN)
|
||||
);
|
||||
setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, $authObjOrigin);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -89,7 +115,7 @@ class AuthLib
|
||||
public function loginLDAP($username, $password)
|
||||
{
|
||||
// If already logged do NOT check another time, returns the authentication object
|
||||
if ($this->_isLogged()) return $this->getAuthObj();
|
||||
if ($this->_isLogged()) return success($this->getAuthObj(), AUTH_SUCCESS);
|
||||
|
||||
// Otherwise checks the given credentials
|
||||
$loginUP = $this->_checkLDAPAuthentication($username, $password);
|
||||
|
||||
@@ -41,6 +41,11 @@ class PermissionLib
|
||||
const READ_HTTP_METHOD = 'GET';
|
||||
const WRITE_HTTP_METHOD = 'POST';
|
||||
|
||||
// Configuration entries
|
||||
const LOGINAS_ALLOWED = 'permission_loginas_allowed';
|
||||
const LOGINAS_BLACKLIST = 'permission_loginas_blacklist';
|
||||
const LOGINAS_USERS_BLACKLIST = 'permission_loginas_users_blacklist';
|
||||
|
||||
private $_ci; // CI instance
|
||||
private static $bb; // benutzerberechtigung
|
||||
|
||||
@@ -53,6 +58,8 @@ class PermissionLib
|
||||
// Loads CI instance
|
||||
$this->_ci =& get_instance();
|
||||
|
||||
$this->_ci->config->load('permission'); // Loads permission configuration
|
||||
|
||||
// If it's NOT called from command line
|
||||
if (!is_cli())
|
||||
{
|
||||
@@ -62,6 +69,9 @@ class PermissionLib
|
||||
}
|
||||
}
|
||||
|
||||
//------------------------------------------------------------------------------------------------------------------
|
||||
// Public methods
|
||||
|
||||
/**
|
||||
* Checks user's (API caller) rights
|
||||
*/
|
||||
@@ -224,4 +234,77 @@ class PermissionLib
|
||||
|
||||
return $isAllowed;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if it is possible for the logged user to gain the identity of the required user specified by the given uid
|
||||
*/
|
||||
public function isEntitledLoginAS($uid)
|
||||
{
|
||||
return !$this->_inLAUsersBlacklist($uid) && !$this->_hasLANotAllowedPermissions($uid) && $this->_hasLAPermissions();
|
||||
}
|
||||
|
||||
//------------------------------------------------------------------------------------------------------------------
|
||||
// Private methods
|
||||
|
||||
/**
|
||||
* Checks if the given uid is in the users blacklist
|
||||
*/
|
||||
private function _inLAUsersBlacklist($uid)
|
||||
{
|
||||
// List of users whose identity cannot be obtained with loginAs
|
||||
$loginASUsersBl = $this->_ci->config->item(self::LOGINAS_USERS_BLACKLIST);
|
||||
|
||||
// Given uid in user blacklist?
|
||||
if (in_array($uid, $loginASUsersBl))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the user whose identity is to be obtained does not have a NOT allowed permission
|
||||
*/
|
||||
private function _hasLANotAllowedPermissions($uid)
|
||||
{
|
||||
// List of permissions that cannot be gained with loginAs
|
||||
$loginASBl = $this->_ci->config->item(self::LOGINAS_BLACKLIST);
|
||||
|
||||
$bb = new benutzerberechtigung();
|
||||
$bb->getBerechtigungen($uid); // gets all the permissions for the target user
|
||||
|
||||
// Loops through NOT allowed permissions
|
||||
foreach ($loginASBl as $notAllowedPermission)
|
||||
{
|
||||
// Target user has a NOT allowed permission?
|
||||
if ($bb->isBerechtigt($notAllowedPermission))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the current logged user has the permission to perform a login as
|
||||
*/
|
||||
private function _hasLAPermissions()
|
||||
{
|
||||
// List of permissions that are allowed to perform loginAs
|
||||
$loginASAllowed = $this->_ci->config->item(self::LOGINAS_ALLOWED);
|
||||
|
||||
// Loops through allowed permissions
|
||||
foreach ($loginASAllowed as $allowedPermission)
|
||||
{
|
||||
// The logged user has a loginAS permission?
|
||||
if (self::$bb->isBerechtigt($allowedPermission))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user