From 6ca5bb4d41bbdd0d88c37a52726c6b631ce87f66 Mon Sep 17 00:00:00 2001
From: Andrew Engelbrecht
Date: Mon, 17 Apr 2017 12:34:25 -0400
Subject: [PATCH 1/2] Added CAS user whitelist feature

This feature filters users who may log in via CAS. This is useful when both CAS and password authentication is enabled and there is a mismatch between some GNU social account names and CAS user names. This prevents CAS users from logging in as someone else on GNU social.
---
 plugins/CasAuthentication/CasAuthenticationPlugin.php | 2 ++
 plugins/CasAuthentication/README | 5 +++++
 plugins/CasAuthentication/actions/caslogin.php | 5 +++++
 3 files changed, 12 insertions(+)
diff --git a/plugins/CasAuthentication/CasAuthenticationPlugin.php b/plugins/CasAuthentication/CasAuthenticationPlugin.php
index cf0bf4ac52..02ed4cb166 100644
--- a/plugins/CasAuthentication/CasAuthenticationPlugin.php
+++ b/plugins/CasAuthentication/CasAuthenticationPlugin.php
@@ -40,6 +40,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
 public $port = 443;
 public $path = '';
 public $takeOverLogin = false;
+ public $user_whitelist = null;
 
 function checkPassword($username, $password)
 {
@@ -145,6 +146,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
 $casSettings['port']=$this->port;
 $casSettings['path']=$this->path;
 $casSettings['takeOverLogin']=$this->takeOverLogin;
+ $casSettings['user_whitelist']=$this->user_whitelist;
 }
 
 function onPluginVersion(array &$versions)
diff --git a/plugins/CasAuthentication/README b/plugins/CasAuthentication/README
index c17a28e54a..2e770a0867 100644
--- a/plugins/CasAuthentication/README
+++ b/plugins/CasAuthentication/README
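Review bot: The new `public $user_whitelist = null;` property says nothing about its expected shape, and the caslogin.php hunk in this same patch compares it against `$user->nickname`, i.e. the local GNU social nickname resolved from the CAS login rather than the CAS-side user name, so an operator reading the README's "users listed in this array" could easily populate it with CAS names and lock everyone out. Add a doc comment on the property, e.g. `/** @var string[]|null Local GNU social nicknames allowed to log in via CAS; null disables the filter. */`, and state the same in the README entry. The neighbouring properties are untyped as well, so this follows the file's existing style; a native `?array` declaration would be the stricter choice if the project's minimum PHP version permits it, and `userWhitelist` would match the camelCase of `takeOverLogin`. The same setting is copied into `$casSettings` in the second hunk of this file, whose enclosing function starts outside the hunk.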
@@ -24,6 +24,11 @@ path (): Path on the server to CAS. Usually blank.
 takeOverLogin (false): Take over the main login action. If takeOverLogin is set, anytime the standard username/password login form would be shown, a CAS login will be done instead.
+user_whitelist (null): Only allow login via CAS for users listed in this
+ array. This is useful when both CAS and password authentication is enabled
+ and there is a mismatch between some GNU social account names and CAS user
+ names. This prevents CAS users from logging in as someone else on GNU
+ social. When set to null, no CAS logins are filtered by this feature.
 * required default values are in (parenthesis)
diff --git a/plugins/CasAuthentication/actions/caslogin.php b/plugins/CasAuthentication/actions/caslogin.php
index 7310072d92..9250b43b7a 100644
--- a/plugins/CasAuthentication/actions/caslogin.php
+++ b/plugins/CasAuthentication/actions/caslogin.php
@@ -41,6 +41,11 @@ class CasloginAction extends Action
 $this->serverError(_m('Incorrect username or password.'));
 }
 
+ if ($casSettings['user_whitelist'] != null && !in_array($user->nickname, $casSettings['user_whitelist'])) { // TRANS: Server error displayed when trying to log in with non-whitelisted user name (when whitelists are enabled.)
+ $this->serverError(_m('Incorrect username or password.'));
+ }
+
 // success!
 if (!common_set_user($user)) {
 // TRANS: Server error displayed when login fails in CAS authentication plugin.
From 1e1543dd72be4d45236e2e3a53452a969f50cdb3 Mon Sep 17 00:00:00 2001
From: mmn
Date: Sun, 17 Dec 2017 17:37:24 +0000
Subject: [PATCH 2/2] Test if $casSettings['user_whitelist'] is an array

- and then perform in_array(...) instead of just checking if it's != null.
---
 plugins/CasAuthentication/actions/caslogin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/CasAuthentication/actions/caslogin.php b/plugins/CasAuthentication/actions/caslogin.php
index 9250b43b7a..468718b4c9 100644
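Review bot: `in_array($user->nickname, $casSettings['user_whitelist'])` in the new `if` uses loose comparison, so a whitelist entry that is not a string matches nicknames it was never meant to match — a boolean `true` entry, for example, matches every non-empty nickname and disables the filter. Pass the strict flag, `!in_array($user->nickname, $casSettings['user_whitelist'], true)`, both here and on the same line as rewritten by the second patch. The `!= null` half of the condition is replaced by the second patch and is not re-raised here. In this rendering the `// TRANS:` line appears fused onto the `if` line because its own `+` marker did not survive the collapse, which is why the hunk shows one line fewer than its header declares. The enclosing handler continues outside the hunk.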
--- a/plugins/CasAuthentication/actions/caslogin.php
+++ b/plugins/CasAuthentication/actions/caslogin.php
@@ -41,7 +41,7 @@ class CasloginAction extends Action
 $this->serverError(_m('Incorrect username or password.'));
 }
 
- if ($casSettings['user_whitelist'] != null && !in_array($user->nickname, $casSettings['user_whitelist'])) {
+ if (is_array($casSettings['user_whitelist']) && !in_array($user->nickname, $casSettings['user_whitelist'])) {
 // TRANS: Server error displayed when trying to log in with non-whitelisted user name (when whitelists are enabled.)
 $this->serverError(_m('Incorrect username or password.'));
 }
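Review bot: `is_array($casSettings['user_whitelist'])` makes the filter fail open for any non-null value that is not an array: a whitelist mistakenly configured as a single string is silently ignored and every CAS user is admitted, the opposite of what an operator who set the option expects. Fail closed instead by skipping the check only for the documented `null` and rejecting anything else, e.g. `if ($casSettings['user_whitelist'] !== null && (!is_array($casSettings['user_whitelist']) || !in_array($user->nickname, $casSettings['user_whitelist'], true))) {`, which also adds the strict flag the original `in_array` call lacks. Note that this change also alters the empty-array case: with the first patch `[] != null` was false so an empty whitelist filtered nothing, whereas now it denies every CAS login — the safer reading, but the README's description of the option should say so. The enclosing handler continues outside the hunk.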