You are here

Home » API reference » Lightweight Directory Access Protocol (LDAP) 7 » LdapAuthenticationConf.class.php » LdapAuthenticationConf

public function LdapAuthenticationConf::allowUser in Lightweight Directory Access Protocol (LDAP) 7

Same name and namespace in other branches
  1. 8.2 ldap_authentication/LdapAuthenticationConf.class.php \LdapAuthenticationConf::allowUser()
  2. 7.2 ldap_authentication/LdapAuthenticationConf.class.php \LdapAuthenticationConf::allowUser()

decide if a username is excluded or not

return boolean

File

ldap_authentication/LdapAuthenticationConf.class.php, line 139
This class represents an ldap_authentication module's configuration It is extended by LdapAuthenticationConfAdmin for configuration and other admin functions

Class

LdapAuthenticationConf
@file This class represents an ldap_authentication module's configuration It is extended by LdapAuthenticationConfAdmin for configuration and other admin functions

Code

public function allowUser($name, $ldap_user_entry, $account_exists = NULL) {

  /**
   * do one of the exclude attribute pairs match
   */
  $exclude = FALSE;

  // if user does not already exists and deferring to user settings AND user settings only allow
  $user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
  if (!$account_exists && $this->acctCreation == LDAP_AUTHENTICATION_ACCT_CREATION_USER_SETTINGS_FOR_LDAP && $user_register == USER_REGISTER_ADMINISTRATORS_ONLY) {
    return FALSE;
  }
  foreach ($this->excludeIfTextInDn as $test) {
    if (stripos($ldap_user_entry['dn'], $test) !== FALSE) {
      return FALSE;

      //  if a match, return FALSE;
    }
  }

  /**
   * evaluate php if it exists
   */
  if ($this->allowTestPhp) {
    if (module_exists('php')) {
      global $_name, $_ldap_user_entry;
      $_name = $name;
      $_ldap_user_entry = $ldap_user_entry;
      $code = '<?php ' . "global \$_name; \n  global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
      $code_result = php_eval($code);
      $_name = NULL;
      $_ldap_user_entry = NULL;
      if ((bool) $code_result == FALSE) {
        return FALSE;
      }
    }
    else {
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array(
        '!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'),
      );
      watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. Please enable php module or remove php code at !ldap_authentication_config .', $tokens);
      return FALSE;
    }
  }

  /**
   * do one of the allow attribute pairs match
   */
  if (count($this->allowOnlyIfTextInDn)) {
    $fail = TRUE;
    foreach ($this->allowOnlyIfTextInDn as $test) {
      if (stripos($ldap_user_entry['dn'], $test) !== FALSE) {
        $fail = FALSE;
      }
    }
    if ($fail) {
      return FALSE;
    }
  }

  /**
   * is excludeIfNoAuthorizations option enabled and user not granted any groups
   */
  if ($this->excludeIfNoAuthorizations) {
    if (!module_exists('ldap_authorization')) {
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array(
        '!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'),
      );
      watchdog('warning', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled.  Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens);
      return FALSE;
    }
    $user = new stdClass();
    $user->name = $name;
    $user->ldap_authenticated = TRUE;

    // fake user property added for query
    $consumers = ldap_authorization_get_consumers();
    $has_enabled_consumers = FALSE;
    foreach ($consumers as $consumer_type => $consumer_config) {
      $consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
      if ($consumer_obj->consumerConf->status) {
        $has_enabled_consumers = TRUE;
        list($authorizations, $notifications) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
        if (count(array_filter(array_values($authorizations))) > 0) {
          return TRUE;
        }
      }
    }
    if (!$has_enabled_consumers) {
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array(
        '!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'),
      );
      watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured:  !ldap_consumer_config .', $tokens);
      return FALSE;
    }
    return FALSE;
  }

  // allow other modules to hook in and refuse if they like
  $hook_result = TRUE;
  drupal_alter('ldap_authentication_allowuser_results', $ldap_user_entry, $name, $hook_result);
  if (!$hook_result) {
    watchdog('ldap_authentication', "Authentication Allow User Result=refused for %name", array(
      '%name' => $name,
    ), WATCHDOG_NOTICE);
    return FALSE;
  }

  /**
   * default to allowed
   */
  return TRUE;
}