added a new access level 'authenticated-insider' for code_read_access and file_read_access

added ldap_insider_attribute_name and ldap_insider_attribute_value to determine who are insiders using ldap

codepot/etc/codepot.ini.in

@@ -76,6 +76,8 @@ ldap_admin_password = "admin-password"
 ldap_userid_search_filter = "(uid=${userid})"
 ldap_userid_search_base = "ou=users,dc=codepot,dc=org"
 ldap_mail_attribute_name = ""
+ldap_insider_attribute_name = ""
+ldap_insider_attribute_value = ""
 
 ;------------------------------------------------------------------------------
 ; default langage to use. set it to 'auto' to detect it automatically.
@@ -98,17 +100,19 @@ signin_compulsory = "no"
 
 ;------------------------------------------------------------------------------
 ; Code read access is limited to the specified user type. The types 
-; include anonymous, authenticated, member. This applies to a public project 
-; only. Write access to any projects and read access to a non-public project
-; require membership regardless of this item.
+; include anonymous, authenticated, authenticated-insider, member. 
+; This applies to a public project only. Write access to any projects
+; and read access to a non-public project require membership regardless
+; of this item.
 ;------------------------------------------------------------------------------
 code_read_access = "anonymous"
 
 ;------------------------------------------------------------------------------
 ; File read access is limited to the specified user type. The types 
-; include anonymous, authenticated, member. This applies to a public project 
-; only. Write access to any projects and read access to a non-public project
-; require membership regardless of this item.
+; include anonymous, authenticated, authenticated-insider, member. 
+; This applies to a public project only. Write access to any projects
+; and read access to a non-public project require membership regardless
+; of this item.
 ;------------------------------------------------------------------------------
 file_read_access = "anonymous"
 

codepot/src/codepot/controllers/code.php

@@ -28,9 +28,10 @@ class Code extends Controller
 
 	private function _can_read ($pm, $projectid, $login)
 	{
-		if ($login['sysadmin?']) return TRUE;
-
 		$userid = $login['id'];
+
+		if ($userid != '' && $login['sysadmin?']) return TRUE;
+
 		if ($pm->projectIsPublic($projectid)) 
 		{
 			if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0) return TRUE;
@@ -38,6 +39,10 @@ class Code extends Controller
 			{
 				if ($userid != '') return TRUE;
 			}
+			else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'authenticated-insider') == 0)
+			{
+				if ($userid != '' && $login['insider?']) return TRUE;
+			}
 			else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)
 			{
 				if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;

codepot/src/codepot/controllers/file.php

@@ -21,9 +21,10 @@ class File extends Controller
 
 	private function _can_read ($pm, $projectid, $login)
 	{
-		if ($login['sysadmin?']) return TRUE;
-
 		$userid = $login['id'];
+
+		if ($userid != '' && $login['sysadmin?']) return TRUE;
+
 		if ($pm->projectIsPublic($projectid)) 
 		{
 			if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0) return TRUE;
@@ -31,6 +32,10 @@ class File extends Controller
 			{
 				if ($userid != '') return TRUE;
 			}
+			else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'authenticated-insider') == 0)
+			{
+				if ($userid != '' && $login['insider?']) return TRUE;
+			}
 			else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0)
 			{
 				if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;

codepot/src/codepot/models/dbloginmodel.php

@@ -76,6 +76,7 @@ class DbLoginModel extends LoginModel
 			return FALSE;
 		}
 
+		// TODO: implement $insider like LdapLoginModel
 		return parent::authenticate ($userid, $user->passwd, $user->email);
 	}
 

codepot/src/codepot/models/ldaploginmodel.php

@@ -102,11 +102,73 @@ class LdapLoginModel extends LoginModel
 			}
 		}
 
+		$insider = FALSE;
+		if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '')
+		{
+			$filter = '(' . CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME . '=*)';
+			$r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME));
+			if ($r !== FALSE)
+			{
+
+				/* SAMPLE LDAP RESULT
+				array(2) {
+				  ["count"]=>  int(1)
+				  [0]=>
+				  array(4) {
+				    ["mssfu30posixmemberof"]=>
+				    array(4) {
+					 ["count"]=>
+					 int(3)
+					 [0]=>
+					 string(36) "CN=group01,OU=Groups,DC=abiyo,DC=net"
+					 [1]=>
+					 string(36) "CN=group02,OU=Groups,DC=abiyo,DC=net"
+					 [2]=>
+					 string(45) "CN=group03,OU=Groups,DC=abiyo,DC=net"
+				    }
+				    [0]=>
+				    string(20) "mssfu30posixmemberof"
+				    ["count"]=>
+				    int(1)
+				    ["dn"]=>
+				    string(37) "CN=user01,CN=Users,DC=abiyo,DC=net"
+				  }
+				}
+				*/
+				$e = @ldap_get_entries($ldap, $r);
+				if ($e !== FALSE && array_key_exists('count', $e) && ($ec = $e['count']) > 0)
+				{
+					for ($i = 0; $i < $ec; $i++)
+					{
+						if (array_key_exists($i, $e) &&
+						    array_key_exists(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME, $e[$i]))
+						{
+							$va = $e[$i][CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME];
+
+							if (array_key_exists('count', $va) && ($vac = $va['count']) > 0)
+							{
+								for ($j = 0; $j < $vac; $j++)
+								{
+									if (strcasecmp($va[$j], CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE) == 0) 
+									{
+										$insider = TRUE;
+										break;
+									}
+								}
+							}
+						}
+						if ($insider) break;
+					}
+				}
+			}
+		}
 
 		//@ldap_unbind ($ldap);
 		@ldap_close ($ldap);
+if ($insider) error_log ("$userid is insider");
+else error_log ("$userid is NOT insider");
 
-		return parent::authenticate ($userid, $password, $email);
+		return parent::authenticate ($userid, $password, $email, $insider);
 	}
 
 	function queryUserInfo ($userid)

codepot/src/codepot/models/loginmodel.php

@@ -25,6 +25,7 @@ class LoginModel extends Model
 			$userid = '';
 			$email = '';
 			$issysadmin = FALSE;
+			$isinsider = FALSE;
 			$settings = NULL;
 		}
 		else
@@ -38,6 +39,9 @@ class LoginModel extends Model
 			$issysadmin = $this->session->userdata('sysadmin?');
 			if ($issysadmin === NULL) $issysadmin = FALSE;
 
+			$isinsider = $this->session->userdata('insider?');
+			if ($isinsider === NULL) $isinsider = FALSE;
+
 			$settings = $this->session->userdata('user_settings');
 			if ($settings !== NULL) 
 			{
@@ -57,11 +61,12 @@ class LoginModel extends Model
 			'id' => $userid, 
 			'email' => $email,
 			'sysadmin?' => $issysadmin,
+			'insider?' => $isinsider,
 			'settings' => $settings
 		);
 	}
 
-	function authenticate ($userid, $password, $email = '')
+	function authenticate ($userid, $password, $email = '', $insider = NULL)
 	{
 		//$server = $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'];
 		$server = $_SERVER['HTTP_HOST'];
@@ -82,7 +87,8 @@ class LoginModel extends Model
 				'userid' => $userid,
 				'server' => $server,
 				'email' => $email,
-				'sysadmin?' => $sysadmin
+				'sysadmin?' => $sysadmin,
+				'insider?' => $insider
 			)
 		);
 

codepot/src/config.php.in

@@ -80,6 +80,8 @@ function load_ini ($file)
 		array ('ldap_userid_search_filter',    'string',     '(uid=${userid})'),
 		array ('ldap_userid_search_base',      'string',     ''),
 		array ('ldap_mail_attribute_name',     'string',     ''),
+		array ('ldap_insider_attribute_name',  'string',     ''),
+		array ('ldap_insider_attribute_value', 'string',     ''),
 
 		array ('svnrepo_dir',                  'string',      CODEPOT_DEPOT_DIR.'/svnrepo'),
 		array ('file_dir',                     'string',      CODEPOT_DEPOT_DIR.'/files'),