diff --git a/application/config/auth.php b/application/config/auth.php index 150a3d5ed..a704cef5d 100644 --- a/application/config/auth.php +++ b/application/config/auth.php @@ -16,9 +16,3 @@ $config['authentication_login_pages'] = array( AUTH_LDAP => '/system/Login/usernamePassword', AUTH_SSO => '/system/Login/sso' ); - -// List of permissions that are allowed to perform loginAs -$config['authentication_loginas_perms'] = array('admin', 'infocenter'); - -// List of permissions that cannot be gained with loginAs -$config['authentication_loginas_blacklist'] = array('admin'); diff --git a/application/config/permission.php b/application/config/permission.php new file mode 100644 index 000000000..9bf5af88c --- /dev/null +++ b/application/config/permission.php @@ -0,0 +1,12 @@ +_isLogged() && !isEmptyString($uid) && $this->getAuthObj()->username != $uid) + { + $this->_ci->load->library('PermissionLib'); // Loads permissions library + + // Checks if the logged user is allowed to obtain the new identity + if ($this->_ci->permissionlib->isEntitledLoginAS($uid)) + { + // Create the authentication object with new identity data + $loginAS = $this->_createAuthObjByPerson(array('uid' => $uid)); + if (isSuccess($loginAS)) + { + // Store the new authentication object in authentication session + setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, getData($loginAS)); + } + } + } + + return $loginAS; + } + /** * Logs out the current logged user * If the user is using the LoginAs functionality then it is logged out from the acquired user @@ -58,28 +88,24 @@ class AuthLib */ public function logout() { - $authObj = getSessionElement(AuthLib::SESSION_NAME, AuthLib::SESSION_AUTH_OBJ); - $authObjOrigin =getSessionElement(AuthLib::SESSION_NAME, AuthLib::SESSION_AUTH_OBJ_ORIGIN); + $authObj = getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ); + $authObjOrigin = getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ_ORIGIN); // NOT logged in if ($authObj == null || $authObjOrigin == null) return; // LoginAs functionality NOT in use - if ($authObj->{AuthLib::AO_PERSON_ID} == $authObjOrigin->{AuthLib::AO_PERSON_ID}) + if ($authObj->{self::AO_PERSON_ID} == $authObjOrigin->{self::AO_PERSON_ID}) { // Clean the entire session -> fully logged out - cleanSession(AuthLib::SESSION_NAME); + cleanSession(self::SESSION_NAME); } else // loginAs functionality in use { // Copy the origin authentication object as the authentication object in session // The LoginAs account is logged out // The user is again connected with its real account - setSessionElement( - AuthLib::SESSION_NAME, - AuthLib::SESSION_AUTH_OBJ, - getSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ_ORIGIN) - ); + setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, $authObjOrigin); } } @@ -89,7 +115,7 @@ class AuthLib public function loginLDAP($username, $password) { // If already logged do NOT check another time, returns the authentication object - if ($this->_isLogged()) return $this->getAuthObj(); + if ($this->_isLogged()) return success($this->getAuthObj(), AUTH_SUCCESS); // Otherwise checks the given credentials $loginUP = $this->_checkLDAPAuthentication($username, $password); diff --git a/application/libraries/PermissionLib.php b/application/libraries/PermissionLib.php index 172be27ff..791bef87a 100644 --- a/application/libraries/PermissionLib.php +++ b/application/libraries/PermissionLib.php @@ -41,6 +41,11 @@ class PermissionLib const READ_HTTP_METHOD = 'GET'; const WRITE_HTTP_METHOD = 'POST'; + // Configuration entries + const LOGINAS_ALLOWED = 'permission_loginas_allowed'; + const LOGINAS_BLACKLIST = 'permission_loginas_blacklist'; + const LOGINAS_USERS_BLACKLIST = 'permission_loginas_users_blacklist'; + private $_ci; // CI instance private static $bb; // benutzerberechtigung @@ -53,6 +58,8 @@ class PermissionLib // Loads CI instance $this->_ci =& get_instance(); + $this->_ci->config->load('permission'); // Loads permission configuration + // If it's NOT called from command line if (!is_cli()) { @@ -62,6 +69,9 @@ class PermissionLib } } + //------------------------------------------------------------------------------------------------------------------ + // Public methods + /** * Checks user's (API caller) rights */ @@ -224,4 +234,77 @@ class PermissionLib return $isAllowed; } + + /** + * Checks if it is possible for the logged user to gain the identity of the required user specified by the given uid + */ + public function isEntitledLoginAS($uid) + { + return !$this->_inLAUsersBlacklist($uid) && !$this->_hasLANotAllowedPermissions($uid) && $this->_hasLAPermissions(); + } + + //------------------------------------------------------------------------------------------------------------------ + // Private methods + + /** + * Checks if the given uid is in the users blacklist + */ + private function _inLAUsersBlacklist($uid) + { + // List of users whose identity cannot be obtained with loginAs + $loginASUsersBl = $this->_ci->config->item(self::LOGINAS_USERS_BLACKLIST); + + // Given uid in user blacklist? + if (in_array($uid, $loginASUsersBl)) + { + return true; + } + + return false; + } + + /** + * Checks if the user whose identity is to be obtained does not have a NOT allowed permission + */ + private function _hasLANotAllowedPermissions($uid) + { + // List of permissions that cannot be gained with loginAs + $loginASBl = $this->_ci->config->item(self::LOGINAS_BLACKLIST); + + $bb = new benutzerberechtigung(); + $bb->getBerechtigungen($uid); // gets all the permissions for the target user + + // Loops through NOT allowed permissions + foreach ($loginASBl as $notAllowedPermission) + { + // Target user has a NOT allowed permission? + if ($bb->isBerechtigt($notAllowedPermission)) + { + return true; + } + } + + return false; + } + + /** + * Checks if the current logged user has the permission to perform a login as + */ + private function _hasLAPermissions() + { + // List of permissions that are allowed to perform loginAs + $loginASAllowed = $this->_ci->config->item(self::LOGINAS_ALLOWED); + + // Loops through allowed permissions + foreach ($loginASAllowed as $allowedPermission) + { + // The logged user has a loginAS permission? + if (self::$bb->isBerechtigt($allowedPermission)) + { + return true; + } + } + + return false; + } }