diff --git a/doc/conf/srv-ldap.docbook b/doc/conf/srv-ldap.docbook
index ec4a83be..5a5ae70c 100644
--- a/doc/conf/srv-ldap.docbook
+++ b/doc/conf/srv-ldap.docbook
@@ -25,6 +25,7 @@ serveur LDAP.
'[object type 1]',
'[object type 2]' => array(
'filter' => '[LDAP filter]',
+ 'filter_function' => [callable],
'password_attribute' => '[attribute name]',
'web_access' => [booléen],
'api_access' => [booléen],
@@ -170,6 +171,21 @@ serveur LDAP.
+
+ filter_function
+
+ Callable (au sens PHP) utilisé pour filtrer les utilisateurs
+ trouvés dans l'annuaire à partir des autres paramètres : cette fonction, si elle est définie,
+ sera appelée pour chaque utilisateur trouvé, avec pour unique paramètre, une référence à l'objet
+ LDAP correspondant (LSldapObject). Cette méthode devra alors retourner
+ true ou false pour respectivement autoriser ou interdire
+ l'accès à l'application à l'utilisateur.
+ Si un utilisateur est exclus par cette méthode et qu'aucun autre utilisateur
+ correspondant n'a été trouvé dans l'annuaire, une page d'erreur sera affichée et indiquera que
+ l'accès à l'application est refusée.
+
+
+
password_attribute
diff --git a/src/includes/class/class.LSauth.php b/src/includes/class/class.LSauth.php
index baa82eae..51fb1c2a 100644
--- a/src/includes/class/class.LSauth.php
+++ b/src/includes/class/class.LSauth.php
@@ -132,6 +132,7 @@ class LSauth extends LSlog_staticLoggerClass {
$objTypes[$objType] = array(
'filter' => self :: getConfig("LSobjects.$objType.filter", null, 'string'),
+ 'filter_function' => self :: getConfig("LSobjects.$objType.filter_function", null),
'password_attribute' => self :: getConfig("LSobjects.$objType.password_attribute", 'userPassword', 'string'),
);
}
@@ -169,11 +170,19 @@ class LSauth extends LSlog_staticLoggerClass {
*/
public static function username2LSobjects($username) {
$user_objects = array();
+ $excluded_objects = false;
foreach (self :: getAuthObjectTypes() as $objType => $objParams) {
if (!LSsession :: loadLSobject($objType)) {
LSerror :: addErrorCode('LSauth_03', $objType);
return false;
}
+ if (isset($objParams['filter_function']) && !is_callable($objParams['filter_function'])) {
+ LSerror :: addErrorCode(
+ 'LSauth_09',
+ ['objtype' => $objType, 'function' => format_callable($objParams['filter_function'])]
+ );
+ return false;
+ }
$authobject = new $objType();
$result = $authobject -> searchObject(
$username,
@@ -181,12 +190,28 @@ class LSauth extends LSlog_staticLoggerClass {
$objParams['filter'],
array('withoutCache' => true, 'onlyAccessible' => false)
);
- for($i=0; $igetDn(), format_callable($objParams['filter_function'])
+ )
+ );
+ $excluded_objects = true;
+ continue;
+ }
$user_objects[$result[$i] -> getDn()] = $result[$i];
+ }
}
$nbresult = count($user_objects);
if ($nbresult == 0) {
+ if ($excluded_objects)
+ self :: accessDenied();
// incorrect login
self :: log_debug('Invalid username');
LSerror :: addErrorCode('LSauth_01');
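Review bot: The new `if ($excluded_objects) self :: accessDenied();` branch makes the response differ before any password has been checked: the search on the lines above is by `$username` only, so a username that exists in the directory but is rejected by `filter_function` gets the 401 "not authorized" page, while an unknown username falls through to the generic LSauth_01 "Login or password incorrect" error, which lets an unauthenticated client tell the two cases apart. Unless that distinction is intended, record the exclusion with `self :: log_debug(...)` and keep the LSauth_01 path, or defer the denial until after password verification. The braceless `if` also departs from the surrounding style: `if ($excluded_objects) { self :: accessDenied(); }`. The `for($i=0; ...` line appears truncated in this copy of the diff, so the per-result loop body could not be fully reviewed; username2LSobjects starts in the previous hunk and continues past this one.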
@@ -306,6 +331,29 @@ class LSauth extends LSlog_staticLoggerClass {
return self :: $params['displayLoginForm'];
}
+ /**
+ * Handle access denied error
+ *
+ * @return never
+ **/
+ public static function accessDenied() {
+ http_response_code(401);
+ if (LSsession :: get('api_mode') || LSsession :: getAjaxDisplay()) {
+ header('Content-Type: application/json');
+ $errors = array(_("You are not authorized to access this application."));
+ echo json_encode(
+ ['errors' => [_("You are not authorized to access this application.")], 'success' => false],
+ (isset($_REQUEST['pretty'])?JSON_PRETTY_PRINT:0)
+ );
+ }
+ else if (class_exists('LStemplate')) {
+ LStemplate :: assign('pagetitle', _("Access denied."));
+ LStemplate :: assign('error', _("You are not authorized to access this application."));
+ LStemplate :: display("error.tpl");
+ }
+ exit();
+ }
+
}
/*
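Review bot: In accessDenied(), `$errors = array(_("You are not authorized to access this application."));` is assigned but never read; the `json_encode` call on the next lines rebuilds the same message inline, so either drop the local or use it: `['errors' => $errors, 'success' => false]`. The docblock declares `@return never` while the signature has no native return type; if the project targets PHP 8.1 or later, `public static function accessDenied(): never` makes the contract enforceable, otherwise the docblock alone is fine. When neither the API/ajax branch nor `class_exists('LStemplate')` applies, the method exits with the 401 status and an empty body, which looks intentional as a last resort but deserves a short comment, e.g. `// no renderer available: status code only`.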
@@ -335,3 +383,6 @@ ___("LSauth : Failed to get authentication informations from provider.")
LSerror :: defineError('LSauth_08',
___("LSauth : Method %{method} configured doesn't support API mode.")
);
+LSerror :: defineError('LSauth_09',
+___("LSauth : The filter function speficied for %{objtype} is not callable (%{function}).")
+);
diff --git a/src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.mo b/src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.mo
index e2d54d73..3dcc5f8f 100644
Binary files a/src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.mo and b/src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.mo differ
diff --git a/src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.po b/src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.po
index 4b68db06..a750d78d 100644
--- a/src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.po
+++ b/src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.po
@@ -8,7 +8,7 @@ msgstr ""
"Project-Id-Version: LdapSaisie\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: \n"
-"PO-Revision-Date: 2023-07-19 12:07+0200\n"
+"PO-Revision-Date: 2023-08-18 15:44+0200\n"
"Last-Translator: Benjamin Renard \n"
"Language-Team: LdapSaisie \n"
@@ -2708,43 +2708,60 @@ msgstr ""
"LSattr_ldap_password : La fonction d'encodage %{function} n'est pas "
"disponible. Le mot de passe sera stocké en clair."
-#: includes/class/class.LSauth.php:315
+#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
+#: includes/class/class.LSauth.php:351
+msgid "You are not authorized to access this application."
+msgstr "Vous n'êtes pas autorisé à accéder à cette application."
+
+#: includes/class/class.LSauth.php:350
+msgid "Access denied."
+msgstr "Accès interdit."
+
+#: includes/class/class.LSauth.php:363
msgid "LSauth : Login or password incorrect."
msgstr "LSauth : Identifiant ou mot de passe incorrects."
-#: includes/class/class.LSauth.php:318
+#: includes/class/class.LSauth.php:366
msgid "LSauth : Impossible to identify you : Duplication of identities."
msgstr "LSauth : Impossible de vous identifier : Duplication d'identité."
-#: includes/class/class.LSauth.php:321
+#: includes/class/class.LSauth.php:369
msgid "LSauth : Could not load type of identifiable objects %{type}."
msgstr "LSauth : Impossible de charger le type d'objets identifiables %{type}."
-#: includes/class/class.LSauth.php:324
+#: includes/class/class.LSauth.php:372
msgid "LSauth : Can't load authentication method %{method}."
msgstr ""
"LSauth : Impossible de charger la méthode d'authentification %{method}."
-#: includes/class/class.LSauth.php:327
+#: includes/class/class.LSauth.php:375
msgid "LSauth : Failed to build the authentication provider %{method}."
msgstr ""
"LSauth : Impossible de construire le gestionnaire d'authentification "
"%{method}."
-#: includes/class/class.LSauth.php:330
+#: includes/class/class.LSauth.php:378
msgid "LSauth : Not correctly initialized."
msgstr "LSauth : Mauvaise initialisation."
-#: includes/class/class.LSauth.php:333
+#: includes/class/class.LSauth.php:381
msgid "LSauth : Failed to get authentication informations from provider."
msgstr ""
"LSauth : Impossible de récupérer les informations authentification auprès du "
"gestionnaire."
-#: includes/class/class.LSauth.php:336
+#: includes/class/class.LSauth.php:384
msgid "LSauth : Method %{method} configured doesn't support API mode."
msgstr "LSauth : La méthode %{method} configurée ne supporte pas le mode API."
+#: includes/class/class.LSauth.php:387
+msgid ""
+"LSauth : The filter function speficied for %{objtype} is not callable "
+"(%{function})."
+msgstr ""
+"LSauth : La fonction de filtrage pour les %{objtype} n'est pas exécutable "
+"(%{function})."
+
#: includes/class/class.LSformElement_supannEtuInscription.php:41
msgid "Organism"
msgstr "Etablissement"
diff --git a/src/lang/ldapsaisie.pot b/src/lang/ldapsaisie.pot
index 236b8c1b..78f60390 100644
--- a/src/lang/ldapsaisie.pot
+++ b/src/lang/ldapsaisie.pot
@@ -2299,38 +2299,53 @@ msgid ""
"password will be stored in clear text."
msgstr ""
-#: includes/class/class.LSauth.php:315
+#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
+#: includes/class/class.LSauth.php:351
+msgid "You are not authorized to access this application."
+msgstr ""
+
+#: includes/class/class.LSauth.php:350
+msgid "Access denied."
+msgstr ""
+
+#: includes/class/class.LSauth.php:363
msgid "LSauth : Login or password incorrect."
msgstr ""
-#: includes/class/class.LSauth.php:318
+#: includes/class/class.LSauth.php:366
msgid "LSauth : Impossible to identify you : Duplication of identities."
msgstr ""
-#: includes/class/class.LSauth.php:321
+#: includes/class/class.LSauth.php:369
msgid "LSauth : Could not load type of identifiable objects %{type}."
msgstr ""
-#: includes/class/class.LSauth.php:324
+#: includes/class/class.LSauth.php:372
msgid "LSauth : Can't load authentication method %{method}."
msgstr ""
-#: includes/class/class.LSauth.php:327
+#: includes/class/class.LSauth.php:375
msgid "LSauth : Failed to build the authentication provider %{method}."
msgstr ""
-#: includes/class/class.LSauth.php:330
+#: includes/class/class.LSauth.php:378
msgid "LSauth : Not correctly initialized."
msgstr ""
-#: includes/class/class.LSauth.php:333
+#: includes/class/class.LSauth.php:381
msgid "LSauth : Failed to get authentication informations from provider."
msgstr ""
-#: includes/class/class.LSauth.php:336
+#: includes/class/class.LSauth.php:384
msgid "LSauth : Method %{method} configured doesn't support API mode."
msgstr ""
+#: includes/class/class.LSauth.php:387
+msgid ""
+"LSauth : The filter function speficied for %{objtype} is not callable "
+"(%{function})."
+msgstr ""
+
#: includes/class/class.LSformElement_supannEtuInscription.php:41
msgid "Organism"
msgstr ""