/**
 * Reconciles the local user's roles and groups with what the directory grants.
 *
 * When role (resp. group) syncing is enabled in the configuration, the set of
 * roles (groups) the user should end up with is the configured default list plus
 * whatever the directory hands back. Anything in that set the user lacks is
 * added; anything the user currently has that is NOT in that set is removed, so
 * the directory (plus defaults) is authoritative and local-only grants do not
 * survive a sync.
 *
 * @param string $ps_username Login name of the user to sync
 * @return void
 */
private function syncWithDirectory($ps_username) {
	$va_default_roles = $this->getConfigValue("ldap_users_default_roles", array());
	$va_default_groups = $this->getConfigValue("ldap_users_default_groups", array());

	$t_user = new ca_users();
	if (!$t_user->load($ps_username)) {
		// The very first authentication happens before the local user record
		// exists, so there is nothing to reconcile yet.
		return;
	}

	if ($this->getConfigValue('ldap_sync_user_roles')) {
		$va_want_roles = array_merge($va_default_roles, $this->getRolesToAddFromDirectory($ps_username));

		// Grant what is missing ...
		foreach ($va_want_roles as $vs_role_code) {
			if ($t_user->hasUserRole($vs_role_code)) {
				continue;
			}
			$t_user->addRoles($vs_role_code);
		}
		// ... and revoke what the directory/defaults no longer justify.
		foreach ($t_user->getUserRoles() as $vn_role_id => $va_role) {
			if (in_array($va_role['code'], $va_want_roles)) {
				continue;
			}
			$t_user->removeRoles($vn_role_id);
		}
	}

	if ($this->getConfigValue('ldap_sync_user_groups')) {
		$va_want_groups = array_merge($va_default_groups, $this->getGroupsToAddFromDirectory($ps_username));

		foreach ($va_want_groups as $vs_group_code) {
			if ($t_user->inGroup($vs_group_code)) {
				continue;
			}
			$t_user->addToGroups($vs_group_code);
		}
		foreach ($t_user->getUserGroups() as $vn_group_id => $va_group) {
			if (in_array($va_group['code'], $va_want_groups)) {
				continue;
			}
			$t_user->removeFromGroups($vn_group_id);
		}
	}
}
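/**
 * Authenticates a user against the configured LDAP directory.
 *
 * Flow: load the auth config, optionally resolve the user's bind DN with a
 * search, perform a simple bind with the supplied password, require membership
 * in at least one allowed group, then (for users that already exist locally)
 * reconcile the local roles/groups with the directory plus configured defaults.
 *
 * @param string $ps_username Login name supplied by the user
 * @param string $ps_password Password supplied by the user; an empty password is
 *        rejected without contacting the directory (see comment below)
 * @param array $pa_options Currently unused
 *
 * @return bool true if the bind succeeded and the user is in at least one
 *         allowed group; false otherwise
 * @throws OpenLDAPException if PHP's LDAP extension is not loaded
 */
public static function authenticate($ps_username, $ps_password = '', $pa_options = null) {
	$po_auth_config = Configuration::load(Configuration::load()->get('authentication_config'));

	if (!function_exists("ldap_connect")) {
		throw new OpenLDAPException(_t("PHP's LDAP module is required for LDAP authentication!"));
	}

	// Refuse empty credentials before talking to the directory. An LDAP simple
	// bind with a DN and an empty password is an *unauthenticated* bind, which
	// several directory servers accept by default; without this check the bind
	// below could succeed for any known username with no password at all.
	if (!$ps_username || !is_string($ps_password) || $ps_password === '') {
		return false;
	}

	// ldap config
	$vs_ldaphost = $po_auth_config->get("ldap_host");
	$vs_ldapport = $po_auth_config->get("ldap_port");
	$vs_base_dn = $po_auth_config->get("ldap_base_dn");
	$vs_user_ou = $po_auth_config->get("ldap_user_ou");

	// NOTE(review): $ps_username is caller-supplied and is spliced into both the
	// bind DN and the search filter by postProcessLDAPConfigValue(). Unless that
	// helper applies ldap_escape() (LDAP_ESCAPE_DN / LDAP_ESCAPE_FILTER
	// respectively) this is an LDAP injection point — confirm.
	$vs_bind_rdn = self::postProcessLDAPConfigValue("ldap_bind_rdn_format", $ps_username, $vs_user_ou, $vs_base_dn);

	$va_default_roles = $po_auth_config->get("ldap_users_default_roles");
	if (!is_array($va_default_roles)) {
		$va_default_roles = array();
	}
	$va_default_groups = $po_auth_config->get("ldap_users_default_groups");
	if (!is_array($va_default_groups)) {
		$va_default_groups = array();
	}

	// ldap_connect() returns false for a malformed host/URI; check before
	// setting options on the handle.
	$vo_ldap = ldap_connect($vs_ldaphost, $vs_ldapport);
	if (!$vo_ldap) {
		return false;
	}
	ldap_set_option($vo_ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
	// NOTE(review): no ldap_start_tls() is issued here, so unless ldap_host is
	// an ldaps:// URI the password below crosses the wire in cleartext — confirm
	// the deployment configuration.

	// Optionally resolve the real bind DN by searching for the user first.
	// Nothing has been bound on $vo_ldap yet, so this search runs anonymously
	// and relies on the directory permitting unauthenticated search under base_dn.
	$vs_bind_rdn_filter = self::postProcessLDAPConfigValue("ldap_bind_rdn_filter", $ps_username, $vs_user_ou, $vs_base_dn);
	if (is_string($vs_bind_rdn_filter) && strlen($vs_bind_rdn_filter) > 0) {
		$vo_dn_search_results = ldap_search($vo_ldap, $vs_base_dn, $vs_bind_rdn_filter);
		// A failed search yields false; ldap_get_entries() must not be called on it.
		if ($vo_dn_search_results !== false) {
			$va_dn_search_results = ldap_get_entries($vo_ldap, $vo_dn_search_results);
			if (is_array($va_dn_search_results) && isset($va_dn_search_results[0]['dn'])) {
				$vs_bind_rdn = $va_dn_search_results[0]['dn'];
			}
		}
	}

	// log in
	$vo_bind = @ldap_bind($vo_ldap, $vs_bind_rdn, $ps_password);
	if (!$vo_bind) {
		// wrong credentials; 0x32 is LDAP_OPT_DIAGNOSTIC_MESSAGE (the named
		// constant is not available on every supported PHP build). The log line
		// carries the bind DN and server diagnostics only, never the password.
		if (ldap_get_option($vo_ldap, 0x32, $extended_error)) {
			caLogEvent("ERR", "LDAP ERROR (" . ldap_errno($vo_ldap) . ") {$extended_error} [{$vs_bind_rdn}]", "OpenLDAP::Authenticate");
		}
		ldap_unbind($vo_ldap);
		return false;
	}

	// check group membership: a valid password alone is not enough
	if (!self::isMemberinAtLeastOneGroup($ps_username, $vo_ldap)) {
		ldap_unbind($vo_ldap);
		return false;
	}

	// user role and group membership syncing with directory
	$t_user = new ca_users();
	if ($t_user->load($ps_username)) {
		// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
		if ($po_auth_config->get('ldap_sync_user_roles')) {
			// Directory + defaults are authoritative: missing roles are added,
			// roles outside that set are removed.
			$va_expected_roles = array_merge($va_default_roles, self::getRolesToAddFromDirectory($ps_username, $vo_ldap));
			foreach ($va_expected_roles as $vs_role) {
				if (!$t_user->hasUserRole($vs_role)) {
					$t_user->addRoles($vs_role);
				}
			}
			foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
				if (!in_array($va_role_info['code'], $va_expected_roles)) {
					$t_user->removeRoles($vn_id);
				}
			}
		}

		if ($po_auth_config->get('ldap_sync_user_groups')) {
			$va_expected_groups = array_merge($va_default_groups, self::getGroupsToAddFromDirectory($ps_username, $vo_ldap));
			foreach ($va_expected_groups as $vs_group) {
				if (!$t_user->inGroup($vs_group)) {
					$t_user->addToGroups($vs_group);
				}
			}
			foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
				if (!in_array($va_group_info['code'], $va_expected_groups)) {
					$t_user->removeFromGroups($vn_id);
				}
			}
		}
	}

	ldap_unbind($vo_ldap);
	return true;
}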
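/**
 * Returns list of screens for a given UI.
 *
 * When the 'user_id' option is given, screens are filtered by access control: a
 * screen is included if it is granted to that user directly, to one of the
 * user's groups, to one of the user's roles, or if it is not restricted to any
 * user, group or role at all. Without 'user_id' no access filtering is applied.
 *
 * Unless 'showAll' is set, screens that have no bundle placement with a
 * non-NONE access level are dropped from the result.
 * NOTE(review): that placement check goes through caGetBundleAccessLevel(), which
 * is not passed the 'user_id' option — presumably it evaluates the current
 * session user rather than $pa_options['user_id']; confirm.
 *
 * @param int $pn_type_id Optional type to restrict screens to
 * @param array $pa_options Options include:
 *		showAll = Include screens that do not have placements. Default is false.
 *		user_id = User_id to apply access control for
 *
 * @return array List of screens for this user interface (keyed by screen_id,
 *		reduced to the user's locale by caExtractValuesByUserLocale()); false if
 *		this UI is not loaded, null if its editor_type does not resolve to a model
 */
public function getScreens($pn_type_id = null, $pa_options = null) {
	if (!$this->getPrimaryKey()) {
		return false;
	}
	if (!($t_instance = $this->_DATAMODEL->getInstanceByTableNum($this->get('editor_type')))) {
		return null;
	}

	// Lookup table used to label type restrictions in the result.
	if ($t_instance instanceof BaseRelationshipModel) {
		$va_types = $t_instance->getRelationshipTypes();
	} else {
		$va_types = $t_instance->getTypeList();
	}

	$va_sql_params = array((int) $this->getPrimaryKey());
	$o_db = $this->getDb();

	// Type restriction clause. The id list is spliced into the SQL text rather
	// than bound, and the fallback below puts the raw $pn_type_id into that list,
	// so every element is forced to an integer first — nothing non-numeric can
	// reach the query.
	$va_type_list = caMakeTypeIDList($this->get('editor_type'), array($pn_type_id), array('dontIncludeSubtypesInTypeRestriction' => true));
	if (!is_array($va_type_list) || !sizeof($va_type_list)) {
		$va_type_list = array($pn_type_id);
	}
	$vs_type_sql = '';
	if ((int) $pn_type_id) {
		$va_type_ids = array_map('intval', $va_type_list);
		$vs_type_sql = "AND (ceustr.type_id IS NULL OR ceustr.type_id IN (" . join(",", $va_type_ids) . "))";
	}

	// Access-control clause; all caller-derived values are bound with "?".
	$vs_access_sql = '';
	$t_user = new ca_users();
	if (($vn_user_id = caGetOption('user_id', $pa_options, null)) && $t_user->load($vn_user_id)) {
		// screens granted to the user directly ...
		$vs_access_sql = " AND ((ceus.screen_id IN
					(
						SELECT screen_id
						FROM ca_editor_ui_screens_x_users
						WHERE
							user_id = ?
					)
				)";
		$va_sql_params[] = $vn_user_id;

		// ... or to one of the user's groups ...
		$va_groups = $t_user->getUserGroups();
		if (is_array($va_groups) && sizeof($va_groups)) {
			$vs_access_sql .= " OR (ceus.screen_id IN
					(
						SELECT screen_id
						FROM ca_editor_ui_screens_x_user_groups
						WHERE
							group_id IN (?)
					)
				)";
			$va_sql_params[] = array_keys($va_groups);
		}

		// ... or to one of the user's roles ...
		$va_roles = $t_user->getUserRoles();
		if (is_array($va_roles) && sizeof($va_roles)) {
			$vs_access_sql .= " OR (ceus.screen_id IN
					(
						SELECT screen_id
						FROM ca_editor_ui_screens_x_roles
						WHERE
							role_id IN (?)
					)
				)";
			$va_sql_params[] = array_keys($va_roles);
		}

		// ... or not restricted to anyone at all.
		$vs_access_sql .= "
				OR (
					ceus.screen_id NOT IN (
						SELECT screen_id FROM ca_editor_ui_screens_x_users
					)
					AND
					ceus.screen_id NOT IN (
						SELECT screen_id FROM ca_editor_ui_screens_x_user_groups
					)
					AND
					ceus.screen_id NOT IN (
						SELECT screen_id FROM ca_editor_ui_screens_x_roles
					)
				)
			)";
	}

	$qr_res = $o_db->query("
			SELECT ceus.*, ceusl.*, ceustr.type_id restriction_type_id
			FROM ca_editor_ui_screens ceus
			INNER JOIN ca_editor_ui_screen_labels AS ceusl ON ceus.screen_id = ceusl.screen_id
			LEFT JOIN ca_editor_ui_screen_type_restrictions AS ceustr ON ceus.screen_id = ceustr.screen_id
			WHERE
				(ceus.ui_id = ?) {$vs_type_sql}
				{$vs_access_sql}
			ORDER BY
				ceus.rank, ceus.screen_id
		", $va_sql_params);

	// One row per (screen, label locale, type restriction); collapse to
	// screen_id => locale_id => row, collecting restrictions on the way.
	$va_screens = array();
	while ($qr_res->nextRow()) {
		$vn_screen_id = $qr_res->get('screen_id');
		$vn_screen_locale_id = $qr_res->get('locale_id');

		if (!isset($va_screens[$vn_screen_id][$vn_screen_locale_id])) {
			$va_row = $qr_res->getRow();
			if ((bool) $va_row['is_default']) {
				$va_row['isDefault'] = "◉";
			}
			$va_row['numPlacements'] = sizeof($this->getScreenBundlePlacements($vn_screen_id));
			$va_screens[$vn_screen_id][$vn_screen_locale_id] = $va_row;
		}

		if ($vn_restriction_type_id = $qr_res->get('restriction_type_id')) {
			$vs_key_to_add = ($t_instance instanceof BaseRelationshipModel) ? 'type_code' : 'name_plural';
			$va_screens[$vn_screen_id][$vn_screen_locale_id]['typeRestrictions'][$vn_restriction_type_id] =
				isset($va_types[$vn_restriction_type_id][$vs_key_to_add]) ? $va_types[$vn_restriction_type_id][$vs_key_to_add] : null;
		}
	}

	$va_screens_with_bundles = null;
	if ((!isset($pa_options['showAll']) || !$pa_options['showAll']) && sizeof($va_screens)) {
		// Get placements for all screens, so we can filter screens without placements
		$qr_res = $o_db->query("
				SELECT screen_id, placement_id, bundle_name
				FROM ca_editor_ui_bundle_placements
				WHERE
					screen_id IN (?)
			", array(array_keys($va_screens)));

		$vs_table = $t_instance->tableName();
		$va_screens_with_bundles = array();
		while ($qr_res->nextRow()) {
			$vn_screen_id = $qr_res->get('screen_id');
			if (isset($va_screens_with_bundles[$vn_screen_id])) {
				continue;
			}
			// A screen counts as "having placements" only if at least one of its
			// bundles is not access-level NONE.
			if (caGetBundleAccessLevel($vs_table, $qr_res->get('bundle_name')) != __CA_BUNDLE_ACCESS_NONE__) {
				$va_screens_with_bundles[$vn_screen_id] = true;
			}
		}
	}

	foreach ($va_screens as $vn_screen_id => $va_screen_labels_by_locale) {
		if (is_array($va_screens_with_bundles) && !isset($va_screens_with_bundles[$vn_screen_id])) {
			unset($va_screens[$vn_screen_id]);
			continue;
		}
		foreach ($va_screen_labels_by_locale as $vn_locale_id => $va_screen_row) {
			if (!isset($va_screens[$vn_screen_id][$vn_locale_id]['typeRestrictions']) || !is_array($va_screens[$vn_screen_id][$vn_locale_id]['typeRestrictions'])) {
				continue;
			}
			$va_screens[$vn_screen_id][$vn_locale_id]['typeRestrictionsForDisplay'] = join(', ', $va_screens[$vn_screen_id][$vn_locale_id]['typeRestrictions']);
		}
	}

	return caExtractValuesByUserLocale($va_screens);
}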