Merge branch 'cas-user-whitelist' into 'nightly'

Added CAS user whitelist feature See merge request gnu/gnu-social!142
2017-12-17 17:38:21 +00:00 · 2017-12-17 17:38:21 +00:00 · c285f80b18
parent 9c0c8a19dd 1e1543dd72
commit c285f80b18
3 changed files with 12 additions and 0 deletions
--- a/plugins/CasAuthentication/CasAuthenticationPlugin.php
+++ b/plugins/CasAuthentication/CasAuthenticationPlugin.php
@ -40,6 +40,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
    public $port = 443;
    public $path = '';
    public $takeOverLogin = false;
+    public $user_whitelist = null;

    function checkPassword($username, $password)
    {
@ -145,6 +146,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
        $casSettings['port']=$this->port;
        $casSettings['path']=$this->path;
        $casSettings['takeOverLogin']=$this->takeOverLogin;
+        $casSettings['user_whitelist']=$this->user_whitelist;
    }

    function onPluginVersion(array &$versions)
--- a/plugins/CasAuthentication/README
+++ b/plugins/CasAuthentication/README
@ -24,6 +24,11 @@ path (): Path on the server to CAS. Usually blank.
 takeOverLogin (false): Take over the main login action. If takeOverLogin is
    set, anytime the standard username/password login form would be shown,
    a CAS login will be done instead.
+user_whitelist (null): Only allow login via CAS for users listed in this
+    array. This is useful when both CAS and password authentication is enabled
+    and there is a mismatch between some GNU social account names and CAS user
+    names. This prevents CAS users from logging in as someone else on GNU
+    social. When set to null, no CAS logins are filtered by this feature.

 * required
 default values are in (parenthesis)
--- a/plugins/CasAuthentication/actions/caslogin.php
+++ b/plugins/CasAuthentication/actions/caslogin.php
@ -41,6 +41,11 @@ class CasloginAction extends Action
                $this->serverError(_m('Incorrect username or password.'));
            }

+            if (is_array($casSettings['user_whitelist']) && !in_array($user->nickname, $casSettings['user_whitelist'])) {
+                // TRANS: Server error displayed when trying to log in with non-whitelisted user name (when whitelists are enabled.)
+                $this->serverError(_m('Incorrect username or password.'));
+            }
+
            // success!
            if (!common_set_user($user)) {
                // TRANS: Server error displayed when login fails in CAS authentication plugin.