Added CAS user whitelist feature
This feature filters which users may log in via CAS. This is useful when both CAS and password authentication are enabled and there is a mismatch between some GNU social account names and CAS user names. This prevents CAS users from logging in as someone else on GNU social.
parent
2a8ab1c6ca
commit
6ca5bb4d41
|
@ -40,6 +40,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
|
||||||
public $port = 443;
|
public $port = 443;
|
||||||
public $path = '';
|
public $path = '';
|
||||||
public $takeOverLogin = false;
|
public $takeOverLogin = false;
|
||||||
|
public $user_whitelist = null;
|
||||||
|
|
||||||
function checkPassword($username, $password)
|
function checkPassword($username, $password)
|
||||||
{
|
{
|
||||||
|
@ -145,6 +146,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
|
||||||
$casSettings['port']=$this->port;
|
$casSettings['port']=$this->port;
|
||||||
$casSettings['path']=$this->path;
|
$casSettings['path']=$this->path;
|
||||||
$casSettings['takeOverLogin']=$this->takeOverLogin;
|
$casSettings['takeOverLogin']=$this->takeOverLogin;
|
||||||
|
$casSettings['user_whitelist']=$this->user_whitelist;
|
||||||
}
|
}
|
||||||
|
|
||||||
function onPluginVersion(array &$versions)
|
function onPluginVersion(array &$versions)
|
||||||
|
|
|
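Review bot: `$user_whitelist` is accepted with no type or shape check in the visible lines, so a misconfigured scalar (for instance a single nickname given as a string) is copied into `$casSettings['user_whitelist']` unchanged and only surfaces later at the `in_array()` call in the login action. If the plugin validates its other settings at initialization, which is outside these hunks, I would reject anything that is neither null nor an array there. A comment above the property would also help: `// Nicknames allowed to log in via CAS (array), or null to disable the filter.` Both the property list and the function that fills `$casSettings` extend beyond the hunks shown.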
@ -24,6 +24,11 @@ path (): Path on the server to CAS. Usually blank.
|
||||||
takeOverLogin (false): Take over the main login action. If takeOverLogin is
|
takeOverLogin (false): Take over the main login action. If takeOverLogin is
|
||||||
set, anytime the standard username/password login form would be shown,
|
set, anytime the standard username/password login form would be shown,
|
||||||
a CAS login will be done instead.
|
a CAS login will be done instead.
|
||||||
|
user_whitelist (null): Only allow login via CAS for users listed in this
|
||||||
|
array. This is useful when both CAS and password authentication is enabled
|
||||||
|
and there is a mismatch between some GNU social account names and CAS user
|
||||||
|
names. This prevents CAS users from logging in as someone else on GNU
|
||||||
|
social. When set to null, no CAS logins are filtered by this feature.
|
||||||
|
|
||||||
* required
|
* required
|
||||||
default values are in (parenthesis)
|
default values are in (parenthesis)
|
||||||
|
|
|
@ -41,6 +41,11 @@ class CasloginAction extends Action
|
||||||
$this->serverError(_m('Incorrect username or password.'));
|
$this->serverError(_m('Incorrect username or password.'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($casSettings['user_whitelist'] != null && !in_array($user->nickname, $casSettings['user_whitelist'])) {
|
||||||
|
// TRANS: Server error displayed when trying to log in with non-whitelisted user name (when whitelists are enabled.)
|
||||||
|
$this->serverError(_m('Incorrect username or password.'));
|
||||||
|
}
|
||||||
|
|
||||||
// success!
|
// success!
|
||||||
if (!common_set_user($user)) {
|
if (!common_set_user($user)) {
|
||||||
// TRANS: Server error displayed when login fails in CAS authentication plugin.
|
// TRANS: Server error displayed when login fails in CAS authentication plugin.
|
||||||
|
|
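Review bot: The added guard fails open when `user_whitelist` is an empty array, because `[] != null` is false in PHP and the filter is skipped, so a configuration meant to admit nobody admits every CAS user; the README only documents null as the "no filtering" value. The `in_array()` call is also loose, so numeric-looking nicknames compare by value (constructed example: `'1e3'` matches a listed `'1000'`). I would write the condition as `if (is_array($casSettings['user_whitelist']) && !in_array($user->nickname, $casSettings['user_whitelist'], true)) {`. Reusing the generic error message avoids revealing which names are listed, but a log entry for the denied nickname at this point would let an operator see rejected attempts. The enclosing method starts and ends outside the hunk, and the check relies on `serverError()` not returning, which is not visible here.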