
public function LdapAuthenticationConf::allowUser in Lightweight Directory Access Protocol (LDAP) 8.2

Same name and namespace in other branches
  1. 7.2 ldap_authentication/LdapAuthenticationConf.class.php \LdapAuthenticationConf::allowUser()
  2. 7 ldap_authentication/LdapAuthenticationConf.class.php \LdapAuthenticationConf::allowUser()

Decide whether a username is excluded or not.

@todo. this function should simply invoke hook_ldap_authentication_allowuser_results_alter and most of this function should go in ldap_authentication_allowuser_results_alter

Parameters

string $name: the proposed Drupal username

array $ldap_user: the LDAP user entry, where the top-level keys are 'dn', 'attr' and 'mail'

Return value

boolean FALSE means NOT allow; TRUE means allow

File

ldap_authentication/LdapAuthenticationConf.class.php, line 252

Class

LdapAuthenticationConf

Code

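/**
 * Decide whether the proposed Drupal username is allowed to authenticate.
 *
 * Every configured rule is a reason to refuse; the user is allowed only when
 * none of them refuses. The rules run in this order: exclusion by DN
 * substring, the optional administrator-supplied PHP test, the "allow only if
 * the DN contains" list, the "must hold LDAP authorizations" requirement and
 * finally hook_ldap_authentication_allowuser_results_alter().
 *
 * A misconfiguration (a rule is enabled but the module it depends on is not,
 * or no authorization consumer is enabled) refuses the user instead of
 * silently skipping the rule, so a broken configuration fails closed.
 *
 * @todo this function should simply invoke
 *   hook_ldap_authentication_allowuser_results_alter and most of this function
 *   should go in ldap_authentication_allowuser_results_alter.
 *
 * @param string $name
 *   The proposed Drupal username.
 * @param array $ldap_user
 *   The LDAP user entry; top level keys are 'dn', 'attr' and 'mail'. A
 *   missing 'dn' is treated as an empty DN, which never satisfies an allow
 *   rule.
 *
 * @return bool
 *   FALSE means NOT allow; TRUE means allow.
 */
public function allowUser($name, $ldap_user) {
  // The DN is the only part of the entry the substring rules inspect. An
  // absent DN must neither raise a notice nor satisfy an allow rule.
  $dn = isset($ldap_user['dn']) ? (string) $ldap_user['dn'] : '';

  /**
   * do one of the exclude attribute pairs match
   */
  foreach ($this->excludeIfTextInDn as $test) {
    $needle = (string) $test;
    // An empty needle is skipped on purpose: stripos() with '' returns 0 on
    // PHP 8 (which would exclude everybody) and FALSE plus a warning before.
    if ($needle !== '' && stripos($dn, $needle) !== FALSE) {
      return FALSE;
    }
  }

  /**
   * evaluate php if it exists
   */
  if ($this->allowTestPhp) {
    if (!module_exists('php')) {
      return $this->denyForBadConfiguration(
        'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. Please enable php module or remove php code at !ldap_authentication_config .',
        array(
          '!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'),
        )
      );
    }
    // allowTestPhp is administrator-supplied code run through php_eval(); it
    // is as powerful as the php module itself, so the setting must only ever
    // be writable by trusted administrators. The username and the entry are
    // handed over through globals because php_eval() takes no arguments; both
    // are cleared again so nothing leaks into the rest of the request.
    global $_name, $_ldap_user_entry;
    $_name = $name;
    $_ldap_user_entry = $ldap_user;
    $code = '<?php ' . "global \$_name; \n  global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
    $code_result = php_eval($code);
    $_name = NULL;
    $_ldap_user_entry = NULL;
    if (!$code_result) {
      return FALSE;
    }
  }

  /**
   * do one of the allow attribute pairs match
   */
  if (count($this->allowOnlyIfTextInDn)) {
    $matched = FALSE;
    foreach ($this->allowOnlyIfTextInDn as $test) {
      $needle = (string) $test;
      // Same empty-needle guard as above; here an empty entry would otherwise
      // turn the allow list into "allow everyone" on PHP 8.
      if ($needle !== '' && stripos($dn, $needle) !== FALSE) {
        $matched = TRUE;
        break;
      }
    }
    if (!$matched) {
      return FALSE;
    }
  }

  /**
   * is excludeIfNoAuthorizations option enabled and user not granted any groups
   */
  if ($this->excludeIfNoAuthorizations) {
    if (!module_exists('ldap_authorization')) {
      return $this->denyForBadConfiguration(
        'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled.  Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .',
        array(
          '!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'),
        )
      );
    }
    // Minimal stand-in account for the authorization query: only the name and
    // the ldap_authenticated flag are needed, no account is loaded or saved.
    $user = new stdClass();
    $user->name = $name;
    $user->ldap_authenticated = TRUE;

    $has_enabled_consumers = FALSE;
    $has_ldap_authorizations = FALSE;
    foreach (ldap_authorization_get_consumers() as $consumer_type => $consumer_config) {
      $consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
      if (!$consumer_obj->consumerConf->status) {
        continue;
      }
      $has_enabled_consumers = TRUE;
      // Every enabled consumer is queried, as before; a grant from any one of
      // them is enough.
      list($authorizations) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
      if (isset($authorizations[$consumer_type]) && count($authorizations[$consumer_type]) > 0) {
        $has_ldap_authorizations = TRUE;
      }
    }
    if (!$has_enabled_consumers) {
      return $this->denyForBadConfiguration(
        'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured:  !ldap_consumer_config .',
        array(
          '!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'),
        )
      );
    }
    if (!$has_ldap_authorizations) {
      return FALSE;
    }
  }

  // allow other modules to hook in and refuse if they like
  $hook_result = TRUE;
  drupal_alter('ldap_authentication_allowuser_results', $ldap_user, $name, $hook_result);
  if ($hook_result === FALSE) {
    watchdog('ldap_authentication', "Authentication Allow User Result=refused for %name", array(
      '%name' => $name,
    ), WATCHDOG_NOTICE);
    return FALSE;
  }

  /**
   * default to allowed
   */
  return TRUE;
}

/**
 * Refuse the user because an enabled rule's prerequisite is missing.
 *
 * Shows the generic "authentication disabled" warning to the current user,
 * logs the specific reason for the administrator and always returns FALSE so
 * callers can write `return $this->denyForBadConfiguration(...)`.
 *
 * @param string $message
 *   Untranslated watchdog message with !token placeholders.
 * @param array $tokens
 *   Token replacements for $message.
 *
 * @return bool
 *   Always FALSE.
 */
private function denyForBadConfiguration($message, $tokens) {
  drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
  watchdog('ldap_authentication', $message, $tokens);
  return FALSE;
}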