- Added new config file permission.php

- It contains the following entries:
	- List of permissions that are allowed to perform loginAs
	- List of permissions that cannot be gained with loginAs
	- List of users whose identity cannot be obtained with loginAs
- Removed config entries authentication_loginas_perms and authentication_loginas_blacklist from config file auth.php
- Added constants to PermissionLib: LOGINAS_ALLOWED, LOGINAS_BLACKLIST and LOGINAS_USERS_BLACKLIST
- PermissionLib loads the config file permission.php
- Added public method isEntitledLoginAS to PermissionLib
- Added private methods _inLAUsersBlacklist, _hasLANotAllowedPermissions and _hasLAPermissions to PermissionLib
- Added public method loginAS to AuthLib
- Fixed logout method in AuthLib
- Fixed loginLDAP method in AuthLib
This commit is contained in:
Paolo
2019-03-13 18:07:15 +01:00
parent 53a0b60ba8
commit 04b1ec327a
4 changed files with 131 additions and 16 deletions
-6
View File
@@ -16,9 +16,3 @@ $config['authentication_login_pages'] = array(
AUTH_LDAP => '/system/Login/usernamePassword',
AUTH_SSO => '/system/Login/sso'
);
// List of permissions that are allowed to perform loginAs
$config['authentication_loginas_perms'] = array('admin', 'infocenter');
// List of permissions that cannot be gained with loginAs
$config['authentication_loginas_blacklist'] = array('admin');
+12
View File
@@ -0,0 +1,12 @@
<?php
if (!defined('BASEPATH')) exit('No direct script access allowed');
// List of permissions that are allowed to perform loginAs
$config['permission_loginas_allowed'] = array('admin');
// List of permissions that cannot be gained with loginAs
$config['permission_loginas_blacklist'] = array('admin');
// List of users whose identity cannot be obtained with loginAs
$config['permission_loginas_users_blacklist'] = array('_DummyLektor', '_DummyStudent');
+36 -10
View File
@@ -51,6 +51,36 @@ class AuthLib
return getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ);
}
/**
* The logged user is able to get the identity of another user if it is allowed
*/
public function loginAS($uid)
{
$loginAS = error('Not authenticated', AUTH_NOT_AUTHENTICATED); // not authenticated by default
// - A user must be already logged
// - The uid must be NOT an empty string
// - The current user should NOT be already logged as the given uid
if ($this->_isLogged() && !isEmptyString($uid) && $this->getAuthObj()->username != $uid)
{
$this->_ci->load->library('PermissionLib'); // Loads permissions library
// Checks if the logged user is allowed to obtain the new identity
if ($this->_ci->permissionlib->isEntitledLoginAS($uid))
{
// Create the authentication object with new identity data
$loginAS = $this->_createAuthObjByPerson(array('uid' => $uid));
if (isSuccess($loginAS))
{
// Store the new authentication object in authentication session
setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, getData($loginAS));
}
}
}
return $loginAS;
}
/**
* Logs out the current logged user
* If the user is using the LoginAs functionality then it is logged out from the acquired user
@@ -58,28 +88,24 @@ class AuthLib
*/
public function logout()
{
$authObj = getSessionElement(AuthLib::SESSION_NAME, AuthLib::SESSION_AUTH_OBJ);
$authObjOrigin =getSessionElement(AuthLib::SESSION_NAME, AuthLib::SESSION_AUTH_OBJ_ORIGIN);
$authObj = getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ);
$authObjOrigin = getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ_ORIGIN);
// NOT logged in
if ($authObj == null || $authObjOrigin == null) return;
// LoginAs functionality NOT in use
if ($authObj->{AuthLib::AO_PERSON_ID} == $authObjOrigin->{AuthLib::AO_PERSON_ID})
if ($authObj->{self::AO_PERSON_ID} == $authObjOrigin->{self::AO_PERSON_ID})
{
// Clean the entire session -> fully logged out
cleanSession(AuthLib::SESSION_NAME);
cleanSession(self::SESSION_NAME);
}
else // loginAs functionality in use
{
// Copy the origin authentication object as the authentication object in session
// The LoginAs account is logged out
// The user is again connected with its real account
setSessionElement(
AuthLib::SESSION_NAME,
AuthLib::SESSION_AUTH_OBJ,
getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ_ORIGIN)
);
setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, $authObjOrigin);
}
}
@@ -89,7 +115,7 @@ class AuthLib
public function loginLDAP($username, $password)
{
// If already logged do NOT check another time, returns the authentication object
if ($this->_isLogged()) return $this->getAuthObj();
if ($this->_isLogged()) return success($this->getAuthObj(), AUTH_SUCCESS);
// Otherwise checks the given credentials
$loginUP = $this->_checkLDAPAuthentication($username, $password);
+83
View File
@@ -41,6 +41,11 @@ class PermissionLib
const READ_HTTP_METHOD = 'GET';
const WRITE_HTTP_METHOD = 'POST';
// Configuration entries
const LOGINAS_ALLOWED = 'permission_loginas_allowed';
const LOGINAS_BLACKLIST = 'permission_loginas_blacklist';
const LOGINAS_USERS_BLACKLIST = 'permission_loginas_users_blacklist';
private $_ci; // CI instance
private static $bb; // benutzerberechtigung
@@ -53,6 +58,8 @@ class PermissionLib
// Loads CI instance
$this->_ci =& get_instance();
$this->_ci->config->load('permission'); // Loads permission configuration
// If it's NOT called from command line
if (!is_cli())
{
@@ -62,6 +69,9 @@ class PermissionLib
}
}
//------------------------------------------------------------------------------------------------------------------
// Public methods
/**
* Checks user's (API caller) rights
*/
@@ -224,4 +234,77 @@ class PermissionLib
return $isAllowed;
}
/**
* Checks if it is possible for the logged user to gain the identity of the required user specified by the given uid
*/
public function isEntitledLoginAS($uid)
{
return !$this->_inLAUsersBlacklist($uid) && !$this->_hasLANotAllowedPermissions($uid) && $this->_hasLAPermissions();
}
//------------------------------------------------------------------------------------------------------------------
// Private methods
/**
* Checks if the given uid is in the users blacklist
*/
private function _inLAUsersBlacklist($uid)
{
// List of users whose identity cannot be obtained with loginAs
$loginASUsersBl = $this->_ci->config->item(self::LOGINAS_USERS_BLACKLIST);
// Given uid in user blacklist?
if (in_array($uid, $loginASUsersBl))
{
return true;
}
return false;
}
/**
* Checks if the user whose identity is to be obtained does not have a NOT allowed permission
*/
private function _hasLANotAllowedPermissions($uid)
{
// List of permissions that cannot be gained with loginAs
$loginASBl = $this->_ci->config->item(self::LOGINAS_BLACKLIST);
$bb = new benutzerberechtigung();
$bb->getBerechtigungen($uid); // gets all the permissions for the target user
// Loops through NOT allowed permissions
foreach ($loginASBl as $notAllowedPermission)
{
// Target user has a NOT allowed permission?
if ($bb->isBerechtigt($notAllowedPermission))
{
return true;
}
}
return false;
}
/**
* Checks if the current logged user has the permission to perform a login as
*/
private function _hasLAPermissions()
{
// List of permissions that are allowed to perform loginAs
$loginASAllowed = $this->_ci->config->item(self::LOGINAS_ALLOWED);
// Loops through allowed permissions
foreach ($loginASAllowed as $allowedPermission)
{
// The logged user has a loginAS permission?
if (self::$bb->isBerechtigt($allowedPermission))
{
return true;
}
}
return false;
}
}