From 34bf2f3116fb4ef7067c0982c2a57e90b75de29e Mon Sep 17 00:00:00 2001
From: hyung-hwan
Date: Thu, 1 Dec 2016 14:11:39 +0000
Subject: [PATCH] added a new access level 'authenticated-insider' for code_read_access and file_read_access
added ldap_insider_attribute_name and ldap_insider_attribute_value to determine who are insiders using ldap
---
 codepot/etc/codepot.ini.in | 16 +++--
 codepot/src/codepot/controllers/code.php | 9 ++-
 codepot/src/codepot/controllers/file.php | 9 ++-
 codepot/src/codepot/models/dbloginmodel.php | 1 +
 codepot/src/codepot/models/ldaploginmodel.php | 64 ++++++++++++++++++-
 codepot/src/codepot/models/loginmodel.php | 10 ++-
 codepot/src/config.php.in | 2 +
 7 files changed, 98 insertions(+), 13 deletions(-)
diff --git a/codepot/etc/codepot.ini.in b/codepot/etc/codepot.ini.in
index 5b2930bf..1f3cd5b4 100644
--- a/codepot/etc/codepot.ini.in
+++ b/codepot/etc/codepot.ini.in
@@ -76,6 +76,8 @@ ldap_admin_password = "admin-password"
 ldap_userid_search_filter = "(uid=${userid})"
 ldap_userid_search_base = "ou=users,dc=codepot,dc=org"
 ldap_mail_attribute_name = ""
+ldap_insider_attribute_name = ""
+ldap_insider_attribute_value = ""
 
 ;------------------------------------------------------------------------------
 ; default langage to use. set it to 'auto' to detect it automatically.
@@ -98,17 +100,19 @@ signin_compulsory = "no"
 
 ;------------------------------------------------------------------------------
 ; Code read access is limited to the specified user type. The types
-; include anonymous, authenticated, member. This applies to a public project
-; only. Write access to any projects and read access to a non-public project
-; require membership regardless of this item.
+; include anonymous, authenticated, authenticated-insider, member.
+; This applies to a public project only. Write access to any projects
+; and read access to a non-public project require membership regardless
+; of this item.
 ;------------------------------------------------------------------------------
 code_read_access = "anonymous"
 
 ;------------------------------------------------------------------------------
 ; File read access is limited to the specified user type. The types
-; include anonymous, authenticated, member. This applies to a public project
-; only. Write access to any projects and read access to a non-public project
-; require membership regardless of this item.
+; include anonymous, authenticated, authenticated-insider, member.
+; This applies to a public project only. Write access to any projects
+; and read access to a non-public project require membership regardless
+; of this item.
 ;------------------------------------------------------------------------------
 file_read_access = "anonymous"
 
diff --git a/codepot/src/codepot/controllers/code.php b/codepot/src/codepot/controllers/code.php
index 8a7a16a6..eaf5bb10 100644
--- a/codepot/src/codepot/controllers/code.php
+++ b/codepot/src/codepot/controllers/code.php
@@ -28,9 +28,10 @@ class Code extends Controller
 	private function _can_read ($pm, $projectid, $login)
 	{
 
-		if ($login['sysadmin?']) return TRUE;
-
 		$userid = $login['id'];
+
+		if ($userid != '' && $login['sysadmin?']) return TRUE;
+
 		if ($pm->projectIsPublic($projectid))
 		{
 			if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0) return TRUE;
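Review bot: The read-access policy in `_can_read` now exists as two byte-identical copies, here and in the same-named method of file.php (hunk @@ -21,9 +21,10 @@), and this commit already has to patch both in lockstep; a later level added to one controller and forgotten in the other would silently make code and file access diverge. Since the only difference between the copies is which constant they compare (CODEPOT_CODE_READ_ACCESS versus CODEPOT_FILE_READ_ACCESS), one shared implementation that receives the configured level as a parameter would keep the policy in a single place. The reordered sysadmin check `if ($userid != '' && $login['sysadmin?']) return TRUE;` is a reasonable tightening and I would keep it in that shared helper. `_can_read` continues past the end of this hunk.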
@@ -38,6 +39,10 @@ class Code extends Controller
 		{
 			if ($userid != '') return TRUE;
 		}
+		else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'authenticated-insider') == 0)
+		{
+			if ($userid != '' && $login['insider?']) return TRUE;
+		}
 		else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)
 		{
 			if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
diff --git a/codepot/src/codepot/controllers/file.php b/codepot/src/codepot/controllers/file.php
index 70422e84..1a89d5e4 100644
--- a/codepot/src/codepot/controllers/file.php
+++ b/codepot/src/codepot/controllers/file.php
@@ -21,9 +21,10 @@ class File extends Controller
 	private function _can_read ($pm, $projectid, $login)
 	{
 
-		if ($login['sysadmin?']) return TRUE;
-
 		$userid = $login['id'];
+
+		if ($userid != '' && $login['sysadmin?']) return TRUE;
+
 		if ($pm->projectIsPublic($projectid))
 		{
 			if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0) return TRUE;
@@ -31,6 +32,10 @@ class File extends Controller
 		{
 			if ($userid != '') return TRUE;
 		}
+		else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'authenticated-insider') == 0)
+		{
+			if ($userid != '' && $login['insider?']) return TRUE;
+		}
 		else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0)
 		{
 			if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
diff --git a/codepot/src/codepot/models/dbloginmodel.php b/codepot/src/codepot/models/dbloginmodel.php
index 8fd50934..d39361c1 100644
--- a/codepot/src/codepot/models/dbloginmodel.php
+++ b/codepot/src/codepot/models/dbloginmodel.php
@@ -76,6 +76,7 @@ class DbLoginModel extends LoginModel
 			return FALSE;
 		}
 
+		// TODO: implement $insider like LdapLoginModel
 		return parent::authenticate ($userid, $user->passwd, $user->email);
 	}
 
diff --git a/codepot/src/codepot/models/ldaploginmodel.php b/codepot/src/codepot/models/ldaploginmodel.php
index 2eb8a812..39ec7c96 100644
--- a/codepot/src/codepot/models/ldaploginmodel.php
+++ b/codepot/src/codepot/models/ldaploginmodel.php
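Review bot: The new `authenticated-insider` branch makes a project member who is not an insider lose read access to a public project, because the `else if` chain only evaluates the one branch matching the configured level and `projectHasMember` is consulted only under `member`; every other level is a superset of membership, so this is the one setting where a member reads less than under `authenticated`. The ini comment says only that non-public projects require membership, so if the intent is "insiders or members", the new line should read `if ($userid != '' && ($login['insider?'] || $pm->projectHasMember($projectid, $userid))) return TRUE;`, and if the stricter reading is intended the ini comment should say so. The same branch is added to file.php in its hunk @@ -31,6 +32,10 @@ and needs the same decision. `$login['insider?']` is a value restored from the session, so I would treat it as a boolean only after LoginModel has normalised it. `_can_read` continues past the end of both hunks.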
@@ -102,11 +102,73 @@ class LdapLoginModel extends LoginModel
 			}
 		}
 
+		$insider = FALSE;
+		if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '')
+		{
+			$filter = '(' . CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME . '=*)';
+			$r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME));
+			if ($r !== FALSE)
+			{
+
+				/* SAMPLE LDAP RESULT
+				array(2) {
+					["count"]=> int(1)
+					[0]=>
+					array(4) {
+						["mssfu30posixmemberof"]=>
+						array(4) {
+							["count"]=>
+							int(3)
+							[0]=>
+							string(36) "CN=group01,OU=Groups,DC=abiyo,DC=net"
+							[1]=>
+							string(36) "CN=group02,OU=Groups,DC=abiyo,DC=net"
+							[2]=>
+							string(45) "CN=group03,OU=Groups,DC=abiyo,DC=net"
+						}
+						[0]=>
+						string(20) "mssfu30posixmemberof"
+						["count"]=>
+						int(1)
+						["dn"]=>
+						string(37) "CN=user01,CN=Users,DC=abiyo,DC=net"
+					}
+				}
+				*/
+				$e = @ldap_get_entries($ldap, $r);
+				if ($e !== FALSE && array_key_exists('count', $e) && ($ec = $e['count']) > 0)
+				{
+					for ($i = 0; $i < $ec; $i++)
+					{
+						if (array_key_exists($i, $e) &&
+						    array_key_exists(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME, $e[$i]))
+						{
+							$va = $e[$i][CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME];
+
+							if (array_key_exists('count', $va) && ($vac = $va['count']) > 0)
+							{
+								for ($j = 0; $j < $vac; $j++)
+								{
+									if (strcasecmp($va[$j], CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE) == 0)
+									{
+										$insider = TRUE;
+										break;
+									}
+								}
+							}
+						}
+						if ($insider) break;
+					}
+				}
+			}
+		}
 
 		//@ldap_unbind ($ldap);
 		@ldap_close ($ldap);
+if ($insider) error_log ("$userid is insider");
+else error_log ("$userid is NOT insider");
 
-		return parent::authenticate ($userid, $password, $email);
+		return parent::authenticate ($userid, $password, $email, $insider);
 	}
 
 	function queryUserInfo ($userid)
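Review bot: The attribute lookup `array_key_exists(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME, $e[$i])` and the following `$e[$i][CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME]` compare the configured name verbatim against the keys of `ldap_get_entries`, which are lower-cased attribute names; the sample dump in the comment shows exactly that (`mssfu30posixmemberof`), so an operator who writes the attribute in its directory spelling with mixed case gets `$insider` stuck at FALSE with no error. Lower-case it once, `$attrname = strtolower(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME);`, and use `$attrname` in both lookups (the search filter and the attribute list can keep the configured spelling). The two unindented `error_log` calls after `@ldap_close` write every login's insider verdict to the server error log and look like leftover debugging; either drop them or keep a single guarded diagnostic. Because `ldap_search` and `ldap_get_entries` are both `@`-suppressed, a directory or filter error is indistinguishable from "not an insider", which fails closed but silently; logging `ldap_error($ldap)` on the `$r === FALSE` path would make that case visible to the administrator. The authenticate method begins before this hunk, so the origin of `$ldap` and `$f_userid` is not visible here.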
@@ -25,6 +25,7 @@ class LoginModel extends Model
 			$userid = '';
 			$email = '';
 			$issysadmin = FALSE;
+			$isinsider = FALSE;
 			$settings = NULL;
 		}
 		else
@@ -38,6 +39,9 @@ class LoginModel extends Model
 			$issysadmin = $this->session->userdata('sysadmin?');
 			if ($issysadmin === NULL) $issysadmin = FALSE;
 
+			$isinsider = $this->session->userdata('insider?');
+			if ($isinsider === NULL) $isinsider = FALSE;
+
 			$settings = $this->session->userdata('user_settings');
 			if ($settings !== NULL)
 			{
@@ -57,11 +61,12 @@ class LoginModel extends Model
 			'id' => $userid,
 			'email' => $email,
 			'sysadmin?' => $issysadmin,
+			'insider?' => $isinsider,
 			'settings' => $settings
 		);
 	}
 
-	function authenticate ($userid, $password, $email = '')
+	function authenticate ($userid, $password, $email = '', $insider = NULL)
 	{
 		//$server = $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'];
 		$server = $_SERVER['HTTP_HOST'];
@@ -82,7 +87,8 @@ class LoginModel extends Model
 			'userid' => $userid,
 			'server' => $server,
 			'email' => $email,
-			'sysadmin?' => $sysadmin
+			'sysadmin?' => $sysadmin,
+			'insider?' => $insider
 		)
 	);
 
diff --git a/codepot/src/config.php.in b/codepot/src/config.php.in
index 254f3a85..966ce4b8 100644
--- a/codepot/src/config.php.in
+++ b/codepot/src/config.php.in
@@ -80,6 +80,8 @@ function load_ini ($file)
 		array ('ldap_userid_search_filter', 'string', '(uid=${userid})'),
 		array ('ldap_userid_search_base', 'string', ''),
 		array ('ldap_mail_attribute_name', 'string', ''),
+		array ('ldap_insider_attribute_name', 'string', ''),
+		array ('ldap_insider_attribute_value', 'string', ''),
 
 		array ('svnrepo_dir', 'string', CODEPOT_DEPOT_DIR.'/svnrepo'),
 		array ('file_dir', 'string', CODEPOT_DEPOT_DIR.'/files'),
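Review bot: The new parameter in `function authenticate ($userid, $password, $email = '', $insider = NULL)` defaults to NULL, so every caller that does not pass it (DbLoginModel still does not) stores `'insider?' => NULL` in the session and relies on the `=== NULL` repair in the reader hunk @@ -38,6 +39,9 @@ to turn it back into FALSE; an authorization flag is easier to reason about if it is a boolean from the moment it is written. I would declare it `$insider = FALSE` and store it as `'insider?' => ($insider ? TRUE : FALSE),` so the session never holds anything but TRUE or FALSE for this key. The `=== NULL` check itself mirrors the existing `sysadmin?` handling; if the session library returns FALSE rather than NULL for a missing key (I cannot tell from this hunk), both paths still end at FALSE. Note for the docblock that insider status is computed once at login and only refreshed at the next login, since it is read back from the session rather than re-queried.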