From ff89c4d424fab61a4bce0d7ecb9896d1c6bd6a91 Mon Sep 17 00:00:00 2001
From: Denis Flaven
Date: Thu, 28 Jul 2011 17:39:49 +0000
Subject: [PATCH] CAS authentication improvements:
- Check if the user is part of a group (memberOf)
- Fixed the use of the 'redirect_service' when logging-out
SVN:trunk[1384]
---
 application/loginwebpage.class.inc.php | 22 +++++++++++++++-------
 core/config.class.inc.php | 4 ++--
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/application/loginwebpage.class.inc.php b/application/loginwebpage.class.inc.php
index 635782c7b..35f4ba386 100644
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -256,31 +256,39 @@ EOF
 $bFound = false;
 if (!empty($sCASMemberships))
 {
- if (phpCAS::hasAttributes('memberOf'))
+ if (phpCAS::hasAttribute('memberOf'))
 {
 // A list of groups is specified, the user must a be member of (at least) one of them to pass
 $aCASMemberships = array();
- $aTmp = explode(',', $sCASMemberships);
+ $aTmp = explode(';', $sCASMemberships);
+ setlocale(LC_ALL, "en_US.utf8"); // !!! WARNING: this is needed to have the iconv //TRANSLIT working fine below !!!
 foreach($aTmp as $sGroupName)
 {
- $aCASMemberships[] = trim($sGroupName); // Just in case remove spaces...
+ $aCASMemberships[] = trim(iconv('UTF-8', 'ASCII//TRANSLIT', $sGroupName)); // Just in case remove accents and spaces...
 }
- $aMemberOf = phpCAS::getAttributes('memberOf');
+ $aMemberOf = phpCAS::getAttribute('memberOf');
 if (!is_array($aMemberOf)) $aMemberOf = array($aMemberOf); // Just one entry, turn it into an array
-
- foreach($aCASMemberships as $sGroupName)
+ $aFilteredGroupNames = array();
+ foreach($aMemberOf as $sGroupName)
 {
- if (in_array($sGroupName, $aMemberOf))
+ $sGroupName = trim(iconv('UTF-8', 'ASCII//TRANSLIT', $sGroupName)); // Remove accents and spaces as well
+ $aFilteredGroupNames[] = $sGroupName;
+ if (in_array($sGroupName, $aCASMemberships))
 {
 $bFound = true;
 break;
 }
 }
+ if(!$bFound)
+ {
+ phpCAS :: log("User ".phpCAS::getUser().", none of his/her groups (".implode('; ', $aFilteredGroupNames).") match any of the required groups: ".implode('; ', $aCASMemberships));
+ }
 }
 else
 {
 // Too bad, the user is not part of any of the group => not allowed
+ phpCAS :: log("No 'memberOf' attribute found for user ".phpCAS::getUser().". Are you using the SAML protocol (S1) ?");
 }
 }
 else
diff --git a/core/config.class.inc.php b/core/config.class.inc.php
index f3cf6eed6..9657bebef 100644
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
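Review bot: An empty string can satisfy the membership test in the new `foreach($aMemberOf ...)` loop: a trailing `;` in `cas_memberof` makes `explode()` yield `''` in `$aCASMemberships`, and a memberOf value that is whitespace-only, or for which `iconv()` fails and returns `false`, becomes `''` after `trim()`, so `in_array('', $aCASMemberships)` is true and `$bFound` is set without a real group match. Skip empty names on both sides and compare strictly, e.g. `if ($sGroupName === '') continue;` before each `$aCASMemberships[] = ...` / `in_array(...)` line and `in_array($sGroupName, $aCASMemberships, true)`. `setlocale(LC_ALL, "en_US.utf8")` also changes process-wide state for the rest of the request and its return value is not checked; limiting it to `LC_CTYPE` and logging via `phpCAS::log()` when it returns `false` would make the transliteration precondition visible instead of silently producing `?`-mangled names that never match. The enclosing method starts and ends outside the hunk.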
@@ -322,7 +322,7 @@ class Config
 ),
 'cas_version' => array(
 'type' => 'string',
- 'description' => 'The CAS protocol version to use',
+ 'description' => 'The CAS protocol version to use: "1.0" (CAS v1), "2.0" (CAS v2) or "S1" (SAML V1) )',
 // examples... not used (nor 'description')
 'default' => '2.0',
 'value' => '',
@@ -376,7 +376,7 @@ class Config
 ),
 'cas_memberof' => array(
 'type' => 'string',
- 'description' => 'A comma separated list of group names that the user must be member of (works only with SAML)',
+ 'description' => 'A semicolon separated list of group names that the user must be member of (works only with SAML - e.g. cas_version=> "S1")',
 // examples... not used (nor 'description')
 'default' => '',
 'value' => '',
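Review bot: The new `cas_version` description carries a stray closing parenthesis after `(SAML V1)`; suggest `'description' => 'The CAS protocol version to use: "1.0" (CAS v1), "2.0" (CAS v2) or "S1" (SAML V1)',`. The `cas_memberof` change in the second hunk switches the separator from comma to semicolon, so an existing comma-separated value is now read as one group name that never matches and every CAS user is denied without any hint as to why; appending a sentence such as `Previously comma-separated: existing values must be rewritten with ";"` to the description would let operators spot the cause during the upgrade.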