Commit d6dc956f authored by Andreas Gohr's avatar Andreas Gohr

added auth_isMember()

This function abstracts checking a given user and her groups against a
given member list (as used in the superuser and manager options).

It is also used in auth_isManager() and auth_isAdmin(). Unlike the
previous function, this one skips the nameencode step, as it should be
unnecessary here (all input is given decoded).

The test cases were extended by some non-ID user and group names.

People with non-plain auth backends should check that their
administrator and manager setups still work as expected
parent 5b72404c
......@@ -15,8 +15,8 @@ class auth_admin_test extends UnitTestCase {
function test_ismanager(){
global $conf;
$conf['superuser'] = 'john,@admin';
$conf['manager'] = 'john,@managers,doe';
$conf['superuser'] = 'john,@admin,@Mötly Görls, Dörte';
$conf['manager'] = 'john,@managers,doe, @Mötly Böys, Dänny';
// anonymous user
$this->assertEqual(auth_ismanager('jill', null,false), false);
......@@ -25,9 +25,15 @@ class auth_admin_test extends UnitTestCase {
$this->assertEqual(auth_ismanager('john', null,false), true);
$this->assertEqual(auth_ismanager('doe', null,false), true);
$this->assertEqual(auth_ismanager('dörte', null,false), true);
$this->assertEqual(auth_ismanager('dänny', null,false), true);
// admin or manager groups
$this->assertEqual(auth_ismanager('jill', array('admin'),false), true);
$this->assertEqual(auth_ismanager('jill', array('managers'),false), true);
$this->assertEqual(auth_ismanager('jill', array('mötly görls'),false), true);
$this->assertEqual(auth_ismanager('jill', array('mötly böys'),false), true);
}
function test_isadmin(){
......
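Review bot: The assertions added to test_ismanager() cover only positive matches, and each passes a lower-cased name (`'dörte'`, `'mötly görls'`) against a mixed-case config entry, so they exercise a single case-sensitivity setting of the test auth backend (which one is not visible in this section). A negative case such as `$this->assertEqual(auth_ismanager('jill', array('mötly'),false), false);` plus a run with the opposite isCaseSensitive() result would catch a case-folding mistake that grants or withholds manager rights by accident. auth_isMember() has no direct test here; the enclosing class starts above the first hunk.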
......@@ -371,63 +371,15 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){
$user = $_SERVER['REMOTE_USER'];
}
}
$user = trim($auth->cleanUser($user));
if($user === '') return false;
if(is_null($groups)) $groups = (array) $USERINFO['grps'];
$groups = array_map(array($auth,'cleanGroup'),$groups);
$user = auth_nameencode($user);
// check username against superuser and manager
$superusers = explode(',', $conf['superuser']);
$superusers = array_unique($superusers);
$superusers = array_map('trim', $superusers);
$superusers = array_filter($superusers);
// prepare an array containing only true values for array_map call
$alltrue = array_fill(0, count($superusers), true);
$superusers = array_map('auth_nameencode', $superusers, $alltrue);
// case insensitive?
if(!$auth->isCaseSensitive()){
$superusers = array_map('utf8_strtolower',$superusers);
$user = utf8_strtolower($user);
if(is_null($groups)){
$groups = (array) $USERINFO['grps'];
}
// check user match
if(in_array($user, $superusers)) return true;
// check superuser match
if(auth_isMember($conf['superuser'],$user, $groups)) return true;
if($adminonly) return false;
// check managers
if(!$adminonly){
$managers = explode(',', $conf['manager']);
$managers = array_unique($managers);
$managers = array_map('trim', $managers);
$managers = array_filter($managers);
// prepare an array containing only true values for array_map call
$alltrue = array_fill(0, count($managers), true);
$managers = array_map('auth_nameencode', $managers, $alltrue);
if(!$auth->isCaseSensitive()) $managers = array_map('utf8_strtolower',$managers);
if(in_array($user, $managers)) return true;
}
// check user's groups against superuser and manager
if (!empty($groups)) {
//prepend groups with @ and nameencode
$cnt = count($groups);
for($i=0; $i<$cnt; $i++){
$groups[$i] = '@'.auth_nameencode($groups[$i]);
if(!$auth->isCaseSensitive()){
$groups[$i] = utf8_strtolower($groups[$i]);
}
}
// check groups against superuser and manager
foreach($superusers as $supu)
if(in_array($supu, $groups)) return true;
if(!$adminonly){
foreach($managers as $mana)
if(in_array($mana, $groups)) return true;
}
}
if(auth_isMember($conf['manager'],$user, $groups)) return true;
return false;
}
......@@ -446,6 +398,52 @@ function auth_isadmin($user=null,$groups=null){
return auth_ismanager($user,$groups,true);
}
/**
* Match a user and his groups against a comma separated list of
* users and groups to determine membership status
*
* Note: all input should NOT be nameencoded.
*
* @param $memberlist string commaseparated list of allowed users and groups
* @param $user string user to match against
* @param $groups array groups the user is member of
* @returns bool true for membership acknowledged
*/
function auth_isMember($memberlist,$user,array $groups){
global $auth;
if (!$auth) return false;
// clean user and groups
if($auth->isCaseSensitive()){
$user = utf8_strtolower($user);
$groups = array_map('utf8_strtolower',$groups);
}
$user = $auth->cleanUser($user);
$groups = array_map(array($auth,'cleanGroup'),$groups);
// extract the memberlist
$members = explode(',',$memberlist);
$members = array_map('trim',$members);
$members = array_unique($members);
$members = array_filter($members);
// compare cleaned values
foreach($members as $member){
if($auth->isCaseSensitive()) $member = utf8_strtolower($member);
if($member[0] == '@'){
$member = $auth->cleanGroup(substr($member,1));
if(in_array($member, $groups)) return true;
}else{
$member = $auth->cleanUser($member);
if($member == $user) return true;
}
}
// still here? not a member!
return false;
}
/**
* Convinience function for auth_aclcheck()
*
......
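Review bot: The case-folding guards in auth_isMember() look inverted: both `if($auth->isCaseSensitive())` checks lower-case the names when the backend is case sensitive, whereas the code removed from auth_ismanager() folded case only under `!$auth->isCaseSensitive()`. As written, a case-sensitive backend would treat accounts or groups that differ only in case as the same superuser/manager entry, and a case-insensitive backend would stop matching mixed-case entries; both guards should read `if(!$auth->isCaseSensitive())`. The comparisons are also loose: `$member == $user` and `in_array($member, $groups)` let numeric-looking names such as `0123` and `123` compare equal if the backend's cleanUser()/cleanGroup() leave them unchanged, so `$member === $user` and `in_array($member, $groups, true)` are the safer form for an authorization decision. auth_ismanager() begins above the first hunk of this section, so its handling of an unset `$auth` is not visible here.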