
function ldapgroups_ldap_user_deny_alter in LDAP integration 6

Implementation of hook_ldap_user_deny_alter.

The user is denied when access to the server is limited by group(s) and the user is not in one of them.

1 call to ldapgroups_ldap_user_deny_alter()
ldapgroups_user_test_output in ./ldapgroups.admin.inc
Generate the test results for the user and ldap settings.

File

./ldapgroups.module, line 155
ldapgroups integrates ldap groups with drupal roles.

Code

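/**
 * Implementation of hook_ldap_user_deny_alter().
 *
 * Denies the user when the server restricts access by group and the user's
 * groups do not satisfy the server's access rules. Nothing is done when the
 * ldapgroups module is not configured for the server or when the server has
 * no group restriction configured.
 *
 * Rules are evaluated in order. ALLOW and DENY set a running result, so a
 * later rule overrides an earlier one; ALLOW_X and DENY_X stop evaluation
 * immediately. A rule type that is not recognised only reports a message and
 * leaves the running result untouched. Because the running result starts as
 * "not allowed", a user who matches no ALLOW rule is denied, so a rule set
 * made only of malformed rules fails closed rather than open.
 *
 * Group names are compared case-insensitively (both sides are upper-cased)
 * but otherwise exactly. The comparison is strict on purpose: with a loose
 * comparison PHP treats numeric-looking strings numerically, so a group
 * named "010" would have matched a rule for "10".
 *
 * @param bool $denied
 *   Set to TRUE when access is denied. It is never reset to FALSE here, so a
 *   denial raised by another hook implementation is preserved.
 * @param object $ldap
 *   Server object; only getOption('sid') and getOption('name') are read.
 * @param string $name
 *   Login name of the user, used for the group lookup and debug messages.
 * @param string $dn
 *   Distinguished name of the user's LDAP entry.
 * @param object $account
 *   Drupal user account; $account->ldap_authentified decides whether the
 *   EXISTING rule group matches.
 */
function ldapgroups_ldap_user_deny_alter(&$denied, $ldap, $name, $dn, $account) {
  module_load_include('inc', 'ldapgroups', 'ldapgroups');
  $sid = $ldap->getOption('sid');
  $groups_allowed = _ldapgroups_ldap_info($sid, 'ldapgroups_groups');
  if (!ldapgroups_is_configured($sid) || empty($groups_allowed)) {
    // Group restrictions are not in effect for this server: nothing to do.
    return;
  }

  $user_groups = ldapgroups_groups_load($ldap, $dn, $name);
  if ($user_groups === FALSE) {
    // The groups could not be read, so the rules cannot be evaluated; deny
    // rather than let a user with unknown membership through.
    $denied = TRUE;
    ldapauth_debug_msg(t("groups_deny: User, @name, denied because ldapgroups module is configured but the user's groups load failed", array(
      '@name' => $name,
    )));
    return;
  }

  // Upper-case the user's groups once; every rule is compared against them.
  $user_groups_upper = array();
  foreach ($user_groups as $group) {
    $user_groups_upper[] = drupal_strtoupper($group);
  }

  $allowed = FALSE;
  foreach (ldapgroups_access_rules($sid) as $rule) {
    $type = $rule[0];
    $rule_group = drupal_strtoupper($rule[1]);

    // Does this rule's group apply to the user?
    switch ($rule_group) {
      case LDAPGROUPS_GROUP_ALL:
        $matched = TRUE;
        break;
      case LDAPGROUPS_GROUP_EXISTING:
        // Matches only accounts that were created/authenticated through LDAP.
        $matched = !empty($account->ldap_authentified);
        break;
      default:
        // Strict: exact (upper-cased) string match, no numeric coercion.
        $matched = in_array($rule_group, $user_groups_upper, TRUE);
    }
    if (!$matched) {
      continue;
    }

    // Rule matched: apply its action.
    switch ($type) {
      case LDAPGROUPS_RULE_TYPE_ALLOW:
        $allowed = TRUE;
        break;
      case LDAPGROUPS_RULE_TYPE_ALLOW_X:
        // Allow-and-exit rule: leave $denied untouched and stop evaluating.
        return;
      case LDAPGROUPS_RULE_TYPE_DENY:
        $allowed = FALSE;
        break;
      case LDAPGROUPS_RULE_TYPE_DENY_X:
        // Deny-and-exit rule: deny and stop evaluating.
        ldapauth_debug_msg(t("groups_deny: User, @name, denied by DENY_X group access rule.", array(
          '@name' => $name,
        )));
        $denied = TRUE;
        return;
      default:
        // Unknown rule type: report it, but neither allow nor deny on its own.
        drupal_set_message(t("Invalid rule type, @type, found in ldapgroups access rules for server, @server!", array(
          '@type' => $type,
          '@server' => $ldap->getOption('name'),
        )));
    }
  }

  if (!$allowed) {
    // No ALLOW rule (or a later DENY rule) applied: deny.
    ldapauth_debug_msg(t("groups_deny: User, @name, denied by group access rules.", array(
      '@name' => $name,
    )));
    $denied = TRUE;
  }
}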