Added CAS user whitelist feature
This feature filters users who may log in via CAS. This is useful when both CAS and password authentication is enabled and there is a mismatch between some GNU social account names and CAS user names. This prevents CAS users from logging in as someone else on GNU social.
This commit is contained in:
parent
2a8ab1c6ca
commit
6ca5bb4d41
@ -40,6 +40,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
|
||||
public $port = 443;
|
||||
public $path = '';
|
||||
public $takeOverLogin = false;
|
||||
public $user_whitelist = null;
|
||||
|
||||
function checkPassword($username, $password)
|
||||
{
|
||||
@ -145,6 +146,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
|
||||
$casSettings['port']=$this->port;
|
||||
$casSettings['path']=$this->path;
|
||||
$casSettings['takeOverLogin']=$this->takeOverLogin;
|
||||
$casSettings['user_whitelist']=$this->user_whitelist;
|
||||
}
|
||||
|
||||
function onPluginVersion(array &$versions)
|
||||
|
@ -24,6 +24,11 @@ path (): Path on the server to CAS. Usually blank.
|
||||
takeOverLogin (false): Take over the main login action. If takeOverLogin is
|
||||
set, anytime the standard username/password login form would be shown,
|
||||
a CAS login will be done instead.
|
||||
user_whitelist (null): Only allow login via CAS for users listed in this
|
||||
array. This is useful when both CAS and password authentication is enabled
|
||||
and there is a mismatch between some GNU social account names and CAS user
|
||||
names. This prevents CAS users from logging in as someone else on GNU
|
||||
social. When set to null, no CAS logins are filtered by this feature.
|
||||
|
||||
* required
|
||||
default values are in (parenthesis)
|
||||
|
@ -41,6 +41,11 @@ class CasloginAction extends Action
|
||||
$this->serverError(_m('Incorrect username or password.'));
|
||||
}
|
||||
|
||||
if ($casSettings['user_whitelist'] != null && !in_array($user->nickname, $casSettings['user_whitelist'])) {
|
||||
// TRANS: Server error displayed when trying to log in with non-whitelisted user name (when whitelists are enabled.)
|
||||
$this->serverError(_m('Incorrect username or password.'));
|
||||
}
|
||||
|
||||
// success!
|
||||
if (!common_set_user($user)) {
|
||||
// TRANS: Server error displayed when login fails in CAS authentication plugin.
|
||||
|
Loading…
Reference in New Issue
Block a user