Added CAS user whitelist feature

This feature filters users who may log in via CAS. This is useful when
both CAS and password authentication are enabled and there is a mismatch
between some GNU social account names and CAS user names. This prevents
CAS users from logging in as someone else on GNU social.
Andrew Engelbrecht 2017-04-17 12:34:25 -04:00 committed by Andrew Engelbrecht
parent 2a8ab1c6ca
commit 6ca5bb4d41
3 changed files with 12 additions and 0 deletions


@ -40,6 +40,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
public $port = 443; public $port = 443;
public $path = ''; public $path = '';
public $takeOverLogin = false; public $takeOverLogin = false;
public $user_whitelist = null;
function checkPassword($username, $password) function checkPassword($username, $password)
{ {
@ -145,6 +146,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
$casSettings['port']=$this->port; $casSettings['port']=$this->port;
$casSettings['path']=$this->path; $casSettings['path']=$this->path;
$casSettings['takeOverLogin']=$this->takeOverLogin; $casSettings['takeOverLogin']=$this->takeOverLogin;
$casSettings['user_whitelist']=$this->user_whitelist;
} }
function onPluginVersion(array &$versions) function onPluginVersion(array &$versions)
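Review bot: The new `$user_whitelist` property in the first hunk is undocumented, and nothing checks that the configured value is actually an array before it is copied into `$casSettings` in the second hunk and later passed to `in_array` (third file section); a scalar value there would error out under PHP 8 rather than filter. Add `// list of GNU social nicknames allowed to log in via CAS; null disables the filter` above the declaration, and consider `is_array($this->user_whitelist)` validation where the settings are assembled so a misconfiguration is reported instead of surfacing as a type error at login time. Both hunks sit inside the class body, whose declaration and the enclosing methods begin outside this view.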


@ -24,6 +24,11 @@ path (): Path on the server to CAS. Usually blank.
takeOverLogin (false): Take over the main login action. If takeOverLogin is takeOverLogin (false): Take over the main login action. If takeOverLogin is
set, anytime the standard username/password login form would be shown, set, anytime the standard username/password login form would be shown,
a CAS login will be done instead. a CAS login will be done instead.
user_whitelist (null): Only allow login via CAS for users listed in this
array. This is useful when both CAS and password authentication is enabled
and there is a mismatch between some GNU social account names and CAS user
names. This prevents CAS users from logging in as someone else on GNU
social. When set to null, no CAS logins are filtered by this feature.
* required * required
default values are in (parenthesis) default values are in (parenthesis)


@ -41,6 +41,11 @@ class CasloginAction extends Action
$this->serverError(_m('Incorrect username or password.')); $this->serverError(_m('Incorrect username or password.'));
} }
if ($casSettings['user_whitelist'] != null && !in_array($user->nickname, $casSettings['user_whitelist'])) {
// TRANS: Server error displayed when trying to log in with non-whitelisted user name (when whitelists are enabled.)
$this->serverError(_m('Incorrect username or password.'));
}
// success! // success!
if (!common_set_user($user)) { if (!common_set_user($user)) {
// TRANS: Server error displayed when login fails in CAS authentication plugin. // TRANS: Server error displayed when login fails in CAS authentication plugin.
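Review bot: The new whitelist guard uses loose comparisons: `$casSettings['user_whitelist'] != null` is false for an empty array, so a whitelist configured as `[]` silently disables filtering instead of denying everyone, and `in_array` without `strict: true` lets a non-string entry such as `0` match any nickname under PHP 7 comparison rules. Use `if ($casSettings['user_whitelist'] !== null && !in_array($user->nickname, $casSettings['user_whitelist'], true)) {` so only the documented `null` turns the filter off. The check compares the local GNU social nickname rather than the CAS principal, which appears intended since the whitelist names local accounts — worth stating explicitly in the README entry. A denied attempt is currently indistinguishable from a bad password; a `common_log(LOG_WARNING, ...)` line before the `serverError` call would make whitelist rejections visible to operators. The enclosing method starts before this hunk.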