0011118: LDAP auth: user without Tinebase permissions is able to login
authorPhilipp Schüle <p.schuele@metaways.de>
Fri, 3 Jul 2015 12:33:34 +0000 (14:33 +0200)
committerPhilipp Schüle <p.schuele@metaways.de>
Mon, 6 Jul 2015 11:12:57 +0000 (13:12 +0200)
* checks Tinebase run permission during login, too
* fixes some minor glitches in Tinebase_Controller

https://forge.tine20.org/view.php?id=11118

Change-Id: I521c75bed7e2dee966655fcbd054bf1143d64f46
Reviewed-on: http://gerrit.tine20.com/customers/2005
Tested-by: Jenkins CI (http://ci.tine20.com/)
Reviewed-by: Philipp Schüle <p.schuele@metaways.de>
tine20/Tinebase/Auth.php
tine20/Tinebase/Controller.php

index da29026..668ebae 100755 (executable)
@@ -80,7 +80,7 @@ class Tinebase_Auth
     const FAILURE_PASSWORD_EXPIRED      = -101;
     
     /**
-     * Failure due the account is temporarly blocked
+     * Failure due the account is temporarily blocked
      */
     const FAILURE_BLOCKED               = -102;
         
index 26a329a..8bd0b1e 100644 (file)
@@ -73,10 +73,13 @@ class Tinebase_Controller extends Tinebase_Controller_Event
      * @param   string                           $password
      * @param   Zend_Controller_Request_Abstract $request
      * @param   string                           $clientIdString
-     * @param   string                           $securitycode   the security code(captcha)
+     *
      * @return  bool
+     *
+     * TODO what happened to the $securitycode parameter?
+     *  ->  @param   string                           $securitycode   the security code(captcha)
      */
-    public function login($loginName, $password, \Zend\Http\Request $request, $clientIdString = NULL, $securitycode = NULL)
+    public function login($loginName, $password, \Zend\Http\Request $request, $clientIdString = NULL)
     {
         $authResult = Tinebase_Auth::getInstance()->authenticate($loginName, $password);
         
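Review bot: The docblock in this hunk still declares `$request` as `Zend_Controller_Request_Abstract` while the signature it documents type-hints `\Zend\Http\Request`; since the docblock is being rewritten anyway, it should read `@param \Zend\Http\Request $request`. The TODO about the vanished `$securitycode` parameter does not belong in the public docblock — dropping it is source-compatible because PHP ignores surplus arguments, but that is exactly why it is risky: any caller that still passes a captcha code (if one exists, which is not visible here) now silently gets no enforcement. A one-line comment at the signature, `// captcha ($securitycode) is no longer evaluated by login()`, states the contract change; the TODO itself should go to the tracker. The method body continues outside the hunk.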
@@ -91,7 +94,7 @@ class Tinebase_Controller extends Tinebase_Controller_Event
         if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(
             __METHOD__ . '::' . __LINE__ . " Login with username {$accessLog->login_name} from {$accessLog->ip} succeeded.");
         
-        $this->_setSessionId($user, $accessLog, $clientIdString);
+        $this->_setSessionId($accessLog);
         
         $this->initUser($user);
         
@@ -158,21 +161,31 @@ class Tinebase_Controller extends Tinebase_Controller_Event
         if ($_accessLog->result == Tinebase_Auth::SUCCESS && $_user->accountStatus !== Tinebase_User::STATUS_ENABLED) {
             // is the account enabled?
             if ($_user->accountStatus == Tinebase_User::STATUS_DISABLED) {
-                if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(__METHOD__ . '::' . __LINE__ . ' Account: '. $_user->accountLoginName . ' is disabled');
+                if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(__METHOD__ . '::'
+                    . __LINE__ . ' Account: '. $_user->accountLoginName . ' is disabled');
                 $_accessLog->result = Tinebase_Auth::FAILURE_DISABLED;
             }
             
             // is the account expired?
             else if ($_user->accountStatus == Tinebase_User::STATUS_EXPIRED) {
-                if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(__METHOD__ . '::' . __LINE__ . ' Account: '. $_user->accountLoginName . ' password is expired');
+                if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(__METHOD__ . '::'
+                    . __LINE__ . ' Account: '. $_user->accountLoginName . ' password is expired');
                 $_accessLog->result = Tinebase_Auth::FAILURE_PASSWORD_EXPIRED;
             }
             
             // too many login failures?
             else if ($_user->accountStatus == Tinebase_User::STATUS_BLOCKED) {
-                if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(__METHOD__ . '::' . __LINE__ . ' Account: '. $_user->accountLoginName . ' is blocked');
+                if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(__METHOD__ . '::'
+                    . __LINE__ . ' Account: '. $_user->accountLoginName . ' is blocked');
                 $_accessLog->result = Tinebase_Auth::FAILURE_BLOCKED;
             }
+
+            // Tinebase run permission
+            else if (! $_user->hasRight('Tinebase', Tinebase_Acl_Rights_Abstract::RUN)) {
+                if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(__METHOD__ . '::'
+                    . __LINE__ . ' Account: '. $_user->accountLoginName . ' has not permissions for Tinebase');
+                $_accessLog->result = Tinebase_Auth::FAILURE_DISABLED;
+            }
         }
     }
     
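Review bot: The added `else if (! $_user->hasRight('Tinebase', Tinebase_Acl_Rights_Abstract::RUN))` branch sits inside the outer `if` at the top of the hunk, which only executes when `$_user->accountStatus !== Tinebase_User::STATUS_ENABLED`, so an enabled account that lacks the Tinebase run right is never checked and still logs in — the case the commit title describes. The preceding else-if chain already consumes the disabled, expired and blocked states, so the new branch can only fire for some other non-enabled status and is effectively dead for the intended fix. The RUN check needs to be a separate `if`, gated only on `$_accessLog->result == Tinebase_Auth::SUCCESS`, placed after the status block as sketched below. Mapping a missing right to `FAILURE_DISABLED` keeps the client-visible result codes unchanged, which is defensible, but the log text would read better as `' has no Tinebase run right'`. The enclosing method's signature is outside the hunk.
```php
        if ($_accessLog->result == Tinebase_Auth::SUCCESS && $_user->accountStatus !== Tinebase_User::STATUS_ENABLED) {
            // … unchanged: disabled / expired / blocked branches; the RUN branch is removed from this chain …
        }

        // the Tinebase run right must be checked for enabled accounts as well,
        // so this cannot live inside the "not enabled" block above
        if ($_accessLog->result == Tinebase_Auth::SUCCESS
            && ! $_user->hasRight('Tinebase', Tinebase_Acl_Rights_Abstract::RUN)) {
            if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) Tinebase_Core::getLogger()->info(__METHOD__ . '::'
                . __LINE__ . ' Account: '. $_user->accountLoginName . ' has no Tinebase run right');
            $_accessLog->result = Tinebase_Auth::FAILURE_DISABLED;
        }
```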
@@ -604,10 +617,9 @@ class Tinebase_Controller extends Tinebase_Controller_Event
     /**
      * set session for current request
      * 
-     * @param Tinebase_Model_FullUser $user
      * @param Tinebase_Model_AccessLog $accessLog
      */
-    protected function _setSessionId(Tinebase_Model_FullUser $user, Tinebase_Model_AccessLog &$accessLog)
+    protected function _setSessionId(Tinebase_Model_AccessLog &$accessLog)
     {
         if (in_array($accessLog->clienttype, array(Tinebase_Server_WebDAV::REQUEST_TYPE, ActiveSync_Server_Http::REQUEST_TYPE))) {
             try {