added a new access level 'authenticated-insider' for code_read_access and file_read_access

added ldap_insider_attribute_name and ldap_insider_attribute_value to determine, via LDAP, which users are insiders
This commit is contained in:
hyung-hwan 2016-12-01 14:11:39 +00:00
parent 272f67d1d5
commit 34bf2f3116
7 changed files with 98 additions and 13 deletions


@ -76,6 +76,8 @@ ldap_admin_password = "admin-password"
ldap_userid_search_filter = "(uid=${userid})" ldap_userid_search_filter = "(uid=${userid})"
ldap_userid_search_base = "ou=users,dc=codepot,dc=org" ldap_userid_search_base = "ou=users,dc=codepot,dc=org"
ldap_mail_attribute_name = "" ldap_mail_attribute_name = ""
ldap_insider_attribute_name = ""
ldap_insider_attribute_value = ""
;------------------------------------------------------------------------------ ;------------------------------------------------------------------------------
; default langage to use. set it to 'auto' to detect it automatically. ; default langage to use. set it to 'auto' to detect it automatically.
@ -98,17 +100,19 @@ signin_compulsory = "no"
;------------------------------------------------------------------------------ ;------------------------------------------------------------------------------
; Code read access is limited to the specified user type. The types ; Code read access is limited to the specified user type. The types
; include anonymous, authenticated, member. This applies to a public project ; include anonymous, authenticated, authenticated-insider, member.
; only. Write access to any projects and read access to a non-public project ; This applies to a public project only. Write access to any projects
; require membership regardless of this item. ; and read access to a non-public project require membership regardless
; of this item.
;------------------------------------------------------------------------------ ;------------------------------------------------------------------------------
code_read_access = "anonymous" code_read_access = "anonymous"
;------------------------------------------------------------------------------ ;------------------------------------------------------------------------------
; File read access is limited to the specified user type. The types ; File read access is limited to the specified user type. The types
; include anonymous, authenticated, member. This applies to a public project ; include anonymous, authenticated, authenticated-insider, member.
; only. Write access to any projects and read access to a non-public project ; This applies to a public project only. Write access to any projects
; require membership regardless of this item. ; and read access to a non-public project require membership regardless
; of this item.
;------------------------------------------------------------------------------ ;------------------------------------------------------------------------------
file_read_access = "anonymous" file_read_access = "anonymous"
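Review bot: The two new keys `ldap_insider_attribute_name` and `ldap_insider_attribute_value` are added without the `;----` comment block every neighbouring option carries, so an operator cannot tell from this file what an insider is or how the value is matched. From the LdapLoginModel change, a user is flagged when one value of the named attribute on their LDAP entry equals the configured value case-insensitively, and the lookup is skipped unless both keys are non-empty. A comment above the keys should say that (for example: the attribute named here, typically a group-membership attribute, must carry a value equal to ldap_insider_attribute_value; leave both empty to disable). The `authenticated-insider` description in the code_read_access and file_read_access blocks should also state that the flag is only set by LDAP logins in this commit, since DbLoginModel passes nothing for it.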


@ -28,9 +28,10 @@ class Code extends Controller
private function _can_read ($pm, $projectid, $login) private function _can_read ($pm, $projectid, $login)
{ {
if ($login['sysadmin?']) return TRUE;
$userid = $login['id']; $userid = $login['id'];
if ($userid != '' && $login['sysadmin?']) return TRUE;
if ($pm->projectIsPublic($projectid)) if ($pm->projectIsPublic($projectid))
{ {
if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0) return TRUE; if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0) return TRUE;
@ -38,6 +39,10 @@ class Code extends Controller
{ {
if ($userid != '') return TRUE; if ($userid != '') return TRUE;
} }
else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'authenticated-insider') == 0)
{
if ($userid != '' && $login['insider?']) return TRUE;
}
else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0) else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)
{ {
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE; if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
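Review bot: Under `authenticated-insider` the new branch grants read on a public project only to insiders, so a project member who is not an LDAP insider is refused here unless the remainder of `_can_read` (which continues past this hunk) falls through to a membership check; the nominally stricter `member` level would admit that user. If that is not intended, the branch should read `if ($userid != '' && ($login['insider?'] || $pm->projectHasMember($projectid, $userid))) return TRUE;`. Note also that `insider?` is only ever TRUE for LDAP logins in this commit (DbLoginModel passes no value), so a database-backed site selecting this level effectively restricts public projects to sysadmins plus whatever the trailing code allows.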


@ -21,9 +21,10 @@ class File extends Controller
private function _can_read ($pm, $projectid, $login) private function _can_read ($pm, $projectid, $login)
{ {
if ($login['sysadmin?']) return TRUE;
$userid = $login['id']; $userid = $login['id'];
if ($userid != '' && $login['sysadmin?']) return TRUE;
if ($pm->projectIsPublic($projectid)) if ($pm->projectIsPublic($projectid))
{ {
if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0) return TRUE; if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0) return TRUE;
@ -31,6 +32,10 @@ class File extends Controller
{ {
if ($userid != '') return TRUE; if ($userid != '') return TRUE;
} }
else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'authenticated-insider') == 0)
{
if ($userid != '' && $login['insider?']) return TRUE;
}
else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0) else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0)
{ {
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE; if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
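Review bot: This `_can_read` is a line-for-line copy of the one in the Code controller, and the commit had to patch the sysadmin guard and add the insider branch in both places; a shared helper (for example a method on the project model taking the access constant as an argument) would keep the two from drifting. The same membership question applies here: with `authenticated-insider`, a non-insider project member is refused file read on a public project unless the code after this hunk grants it, while the stricter `member` level would admit them. Consider `if ($userid != '' && ($login['insider?'] || $pm->projectHasMember($projectid, $userid))) return TRUE;`. The method body continues outside the hunk.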


@ -76,6 +76,7 @@ class DbLoginModel extends LoginModel
return FALSE; return FALSE;
} }
// TODO: implement $insider like LdapLoginModel
return parent::authenticate ($userid, $user->passwd, $user->email); return parent::authenticate ($userid, $user->passwd, $user->email);
} }
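Review bot: Leaving the fourth argument off means database-authenticated users store `'insider?' => NULL` in the session (LoginModel only normalises it to FALSE on the read path), so with `code_read_access = "authenticated-insider"` every DB user is refused read on public projects with nothing at this call site showing why. Until the TODO is implemented, pass the value explicitly so the intent is visible: `return parent::authenticate ($userid, $user->passwd, $user->email, FALSE);`, and say in the config comments that the level is LDAP-only. The enclosing `authenticate` starts outside this hunk.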


@ -102,11 +102,73 @@ class LdapLoginModel extends LoginModel
} }
} }
$insider = FALSE;
if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '')
{
$filter = '(' . CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME . '=*)';
$r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME));
if ($r !== FALSE)
{
/* SAMPLE LDAP RESULT
array(2) {
["count"]=> int(1)
[0]=>
array(4) {
["mssfu30posixmemberof"]=>
array(4) {
["count"]=>
int(3)
[0]=>
string(36) "CN=group01,OU=Groups,DC=abiyo,DC=net"
[1]=>
string(36) "CN=group02,OU=Groups,DC=abiyo,DC=net"
[2]=>
string(45) "CN=group03,OU=Groups,DC=abiyo,DC=net"
}
[0]=>
string(20) "mssfu30posixmemberof"
["count"]=>
int(1)
["dn"]=>
string(37) "CN=user01,CN=Users,DC=abiyo,DC=net"
}
}
*/
$e = @ldap_get_entries($ldap, $r);
if ($e !== FALSE && array_key_exists('count', $e) && ($ec = $e['count']) > 0)
{
for ($i = 0; $i < $ec; $i++)
{
if (array_key_exists($i, $e) &&
array_key_exists(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME, $e[$i]))
{
$va = $e[$i][CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME];
if (array_key_exists('count', $va) && ($vac = $va['count']) > 0)
{
for ($j = 0; $j < $vac; $j++)
{
if (strcasecmp($va[$j], CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE) == 0)
{
$insider = TRUE;
break;
}
}
}
}
if ($insider) break;
}
}
}
}
//@ldap_unbind ($ldap); //@ldap_unbind ($ldap);
@ldap_close ($ldap); @ldap_close ($ldap);
if ($insider) error_log ("$userid is insider");
else error_log ("$userid is NOT insider");
return parent::authenticate ($userid, $password, $email); return parent::authenticate ($userid, $password, $email, $insider);
} }
function queryUserInfo ($userid) function queryUserInfo ($userid)
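Review bot: `ldap_get_entries()` lowercases attribute names in the arrays it returns (the sample dump in the comment shows `mssfu30posixmemberof`), but the lookups use `CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME` verbatim, so a configured name such as `memberOf` never matches and no user is ever flagged an insider. Normalise once before the loop, `$attr = strtolower(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME);`, and use `$attr` in the `array_key_exists($attr, $e[$i])` test and the `$e[$i][$attr]` read; the filter can keep the configured spelling because LDAP filters are case-insensitive. Separately, the two `error_log()` lines after `ldap_close` fire on every login and write user ids to the server log — drop them, or instead log a failed `ldap_search` via `ldap_error($ldap)`, which is currently silenced by `@` and treated as not-insider (fail-closed, which is the right default, but invisible to the operator). Since the lookup targets the single entry rooted at `$f_userid` (which appears to be the user's DN, set before this hunk), `ldap_read()` with base scope is the accurate call rather than a subtree `ldap_search()`. The `authenticate` method begins before this hunk.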


@ -25,6 +25,7 @@ class LoginModel extends Model
$userid = ''; $userid = '';
$email = ''; $email = '';
$issysadmin = FALSE; $issysadmin = FALSE;
$isinsider = FALSE;
$settings = NULL; $settings = NULL;
} }
else else
@ -38,6 +39,9 @@ class LoginModel extends Model
$issysadmin = $this->session->userdata('sysadmin?'); $issysadmin = $this->session->userdata('sysadmin?');
if ($issysadmin === NULL) $issysadmin = FALSE; if ($issysadmin === NULL) $issysadmin = FALSE;
$isinsider = $this->session->userdata('insider?');
if ($isinsider === NULL) $isinsider = FALSE;
$settings = $this->session->userdata('user_settings'); $settings = $this->session->userdata('user_settings');
if ($settings !== NULL) if ($settings !== NULL)
{ {
@ -57,11 +61,12 @@ class LoginModel extends Model
'id' => $userid, 'id' => $userid,
'email' => $email, 'email' => $email,
'sysadmin?' => $issysadmin, 'sysadmin?' => $issysadmin,
'insider?' => $isinsider,
'settings' => $settings 'settings' => $settings
); );
} }
function authenticate ($userid, $password, $email = '') function authenticate ($userid, $password, $email = '', $insider = NULL)
{ {
//$server = $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT']; //$server = $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'];
$server = $_SERVER['HTTP_HOST']; $server = $_SERVER['HTTP_HOST'];
@ -82,7 +87,8 @@ class LoginModel extends Model
'userid' => $userid, 'userid' => $userid,
'server' => $server, 'server' => $server,
'email' => $email, 'email' => $email,
'sysadmin?' => $sysadmin 'sysadmin?' => $sysadmin,
'insider?' => $insider
) )
); );
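Review bot: `authenticate()` writes `'insider?' => $insider` into the session as whatever the caller passed, including the new NULL default, and relies on the read path to turn NULL into FALSE; storing a strict boolean at write time keeps the session shape consistent and prevents a truthy non-boolean from a subclass granting the flag. Change the signature default to `$insider = FALSE` and the session entry to `'insider?' => ($insider === TRUE)`. The body of `authenticate` continues past this hunk.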


@ -80,6 +80,8 @@ function load_ini ($file)
array ('ldap_userid_search_filter', 'string', '(uid=${userid})'), array ('ldap_userid_search_filter', 'string', '(uid=${userid})'),
array ('ldap_userid_search_base', 'string', ''), array ('ldap_userid_search_base', 'string', ''),
array ('ldap_mail_attribute_name', 'string', ''), array ('ldap_mail_attribute_name', 'string', ''),
array ('ldap_insider_attribute_name', 'string', ''),
array ('ldap_insider_attribute_value', 'string', ''),
array ('svnrepo_dir', 'string', CODEPOT_DEPOT_DIR.'/svnrepo'), array ('svnrepo_dir', 'string', CODEPOT_DEPOT_DIR.'/svnrepo'),
array ('file_dir', 'string', CODEPOT_DEPOT_DIR.'/files'), array ('file_dir', 'string', CODEPOT_DEPOT_DIR.'/files'),
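Review bot: The two new keys default to empty strings and LdapLoginModel skips the insider lookup unless both are non-empty, so an operator who sets only `ldap_insider_attribute_name` gets a silently disabled check and, under `authenticated-insider`, a site where no non-admin can read public projects. Consider validating the pair wherever the constants are defined, e.g. `if ((CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME == '') != (CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE == '')) error_log('ldap_insider_attribute_name and ldap_insider_attribute_value must be set together');`. `load_ini` starts and ends outside this hunk.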