public function LdapAuthenticationConf::allowUser in Lightweight Directory Access Protocol (LDAP) 7.2
Same name and namespace in other branches
- 8.2 ldap_authentication/LdapAuthenticationConf.class.php \LdapAuthenticationConf::allowUser()
- 7 ldap_authentication/LdapAuthenticationConf.class.php \LdapAuthenticationConf::allowUser()
Decide if a username is excluded or not.
@todo This function should simply invoke hook_ldap_authentication_allowuser_results_alter; most of its current logic should move into ldap_authentication_allowuser_results_alter.
Parameters
string $name: The proposed Drupal username.
array $ldap_user: LDAP entry array whose top-level keys are 'dn', 'attr' and 'mail'.
Return value
boolean: FALSE means the user is not allowed; TRUE means the user is allowed.
File
- ldap_authentication/
LdapAuthenticationConf.class.php, line 349
Class
Code
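/**
 * Decides whether an LDAP user may authenticate under this configuration.
 *
 * The checks run in a fixed order and the first one that fails denies the
 * user: DN exclusion text, the optional admin-supplied PHP test, the DN
 * allow-only text, the "exclude if no authorizations" option, and finally
 * hook_ldap_authentication_allowuser_results_alter(). A configuration that
 * depends on a module that is not enabled denies the user (fail closed).
 *
 * @param string $name
 *   The proposed Drupal username.
 * @param array $ldap_user
 *   LDAP entry array; only the 'dn' key is read here, the whole array is
 *   handed to the PHP test and to the alter hook.
 *
 * @return bool
 *   FALSE if the user must not be allowed, TRUE otherwise.
 */
public function allowUser($name, $ldap_user) {
  // NOTE(review): the returned object is not used anywhere in this method.
  // The call is kept because any side effect of ldap_user_conf() is not
  // visible from here; confirm before removing it. The former
  // variable_get('user_register', ...) read was dropped: its result was
  // never used.
  $ldap_user_conf = ldap_user_conf();

  // Deny when the DN contains any of the configured exclusion strings.
  // The match is a case-insensitive substring test over the whole DN, not a
  // comparison against a parsed RDN or OU.
  foreach ($this->excludeIfTextInDn as $test) {
    // PHP 8 accepts an empty needle and reports a match at offset 0, while
    // earlier versions report no match. Skipping empty entries keeps the
    // pre-8 result, so a blank entry cannot exclude every user. Whether the
    // settings form can store a blank entry is not visible here.
    if ($test === NULL || $test === '') {
      continue;
    }
    if (stripos($ldap_user['dn'], $test) !== FALSE) {
      return FALSE;
    }
  }

  // Optional admin-supplied PHP test.
  if ($this->allowTestPhp) {
    if (module_exists('php')) {
      // SECURITY: the stored snippet is executed as PHP with the privileges
      // of the web server. Write access to this setting is therefore
      // equivalent to code execution on the site and should be limited and
      // audited accordingly. The alter hook invoked at the end of this
      // method is the safer extension point for custom allow/deny logic.
      global $_name, $_ldap_user_entry;
      // The snippet receives its input through these two globals.
      $_name = $name;
      $_ldap_user_entry = $ldap_user;
      $code = '<?php ' . "global \$_name; \n global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
      $code_result = php_eval($code);
      // Clear the globals so the LDAP entry does not stay reachable.
      $_name = NULL;
      $_ldap_user_entry = NULL;
      // Any falsy result from the snippet denies the user.
      if (!$code_result) {
        return FALSE;
      }
    }
    else {
      // A PHP test is configured but cannot be evaluated: deny instead of
      // silently skipping the check.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = [
        '!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'),
      ];
      watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. Please enable php module or remove php code at !ldap_authentication_config .', $tokens);
      return FALSE;
    }
  }

  // When allow-only strings are configured, the DN must contain at least one.
  // NOTE(review): this is a substring match anywhere in the DN, so the text
  // can also match inside an RDN value such as a cn; prefer strings that
  // include the attribute name and separators, e.g. a full "ou=...," part.
  if (count($this->allowOnlyIfTextInDn)) {
    $fail = TRUE;
    foreach ($this->allowOnlyIfTextInDn as $test) {
      // Skip empty entries: on PHP 8 an empty needle matches every DN, which
      // would turn the allow list into "allow everyone".
      if ($test === NULL || $test === '') {
        continue;
      }
      if (stripos($ldap_user['dn'], $test) !== FALSE) {
        $fail = FALSE;
        // One match is enough.
        break;
      }
    }
    if ($fail) {
      return FALSE;
    }
  }

  // Optionally deny users for whom no enabled consumer grants anything.
  if ($this->excludeIfNoAuthorizations) {
    if (!module_exists('ldap_authorization')) {
      // The option depends on a module that is not enabled: deny.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = [
        '!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'),
      ];
      watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled. Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens);
      return FALSE;
    }

    // Minimal stand-in user object used only for the authorization query.
    $user = new stdClass();
    $user->name = $name;
    // Fake user property added for query.
    $user->ldap_authenticated = TRUE;

    $consumers = ldap_authorization_get_consumers();
    $has_enabled_consumers = FALSE;
    $has_ldap_authorizations = FALSE;
    foreach ($consumers as $consumer_type => $consumer_config) {
      $consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
      if ($consumer_obj->consumerConf->status) {
        $has_enabled_consumers = TRUE;
        list($authorizations, $notifications) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
        if (isset($authorizations[$consumer_type]) && count($authorizations[$consumer_type]) > 0) {
          $has_ldap_authorizations = TRUE;
        }
      }
    }

    if (!$has_enabled_consumers) {
      // The option is on but no consumer is enabled: deny.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = [
        '!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'),
      ];
      watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured: !ldap_consumer_config .', $tokens);
      return FALSE;
    }
    elseif (!$has_ldap_authorizations) {
      return FALSE;
    }
  }

  // Allow other modules to hook in and refuse if they like. Only a strict
  // FALSE written to $hook_result refuses the user.
  $hook_result = TRUE;
  drupal_alter('ldap_authentication_allowuser_results', $ldap_user, $name, $hook_result);
  if ($hook_result === FALSE) {
    watchdog('ldap_authentication', "Authentication Allow User Result=refused for %name", [
      '%name' => $name,
    ], WATCHDOG_NOTICE);
    return FALSE;
  }

  // No check refused the user: default to allowed.
  return TRUE;
}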