From 6e734b900f0047e363ece8823eef4a23d3e0b642 Mon Sep 17 00:00:00 2001
From: Frank Dillon
Date: Fri, 23 Jun 2006 01:49:34 +0000
Subject: [PATCH] LDAP isInGroup changes

---
 lib/WebGUI/Asset.pm | 1 +
 lib/WebGUI/Group.pm | 72 +++++++++++++++++++++++++++++++++-
 lib/WebGUI/User.pm | 95 +++++++++++++--------------------------------
 3 files changed, 100 insertions(+), 68 deletions(-)

diff --git a/lib/WebGUI/Asset.pm b/lib/WebGUI/Asset.pm
index 150a70512..f4e9fa329 100644
--- a/lib/WebGUI/Asset.pm
+++ b/lib/WebGUI/Asset.pm
@@ -155,6 +155,7 @@ sub canView {
 	my $userId = shift;
 	my $user = $self->session->user;
 	$user = WebGUI::User->new($self->session, $userId) if (defined $userId);
+	my $eh = $self->session->errorHandler;
 	if ($userId eq $self->get("ownerUserId")) {
 		return 1;
 	} elsif ($user->isInGroup($self->get("groupIdView"))) {
diff --git a/lib/WebGUI/Group.pm b/lib/WebGUI/Group.pm
index 2a6eaeae4..833e085f3 100755
--- a/lib/WebGUI/Group.pm
+++ b/lib/WebGUI/Group.pm
@@ -532,6 +532,7 @@ sub getAllUsers {
 	push @users,
 		@{ $self->getUsers($withoutExpired) },
 		@{ $self->getDatabaseUsers() },
+		@{ $self->getLDAPUsers() },
 		@{ $self->getKarmaUsers() },
 		@{ $self->getScratchUsers() },
 		@{ $self->getIpUsers() },
@@ -586,7 +587,7 @@ sub getDatabaseUsers {
 		}
 	}
 	return \@dbUsers;
-}
+}
 
 #-------------------------------------------------------------------
 
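Review bot: `my $eh = $self->session->errorHandler;` added to canView is never used in the visible lines, so it reads as a debugging leftover (it mirrors the commented-out `$eh` lines this commit leaves in User.pm's isInGroup); drop the line rather than carry an unused lexical in an access-check path. canView's body continues outside the hunk, so if `$eh` is referenced further down this does not apply.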
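Review bot: Adding `@{ $self->getLDAPUsers() }` to getAllUsers means every caller of getAllUsers, not only isInGroup, now binds to the directory, and per the getLDAPUsers body added later in this commit a failed bind or an unresolved DN contributes nothing to the list beyond a warn() call. That fails closed, which is the right default for an access check, but it also means a directory outage silently turns LDAP-derived members into non-members; a short comment on this line such as `# LDAP-derived members are omitted (with a warning) when the link cannot bind; see getLDAPUsers` would make that visible to callers. getAllUsers starts outside the hunk.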
@@ -722,6 +723,54 @@ sub getKarmaUsers {
 	my $self = shift;
 	return [] unless $self->session->setting->get('useKarma');
 	return $self->session->db->buildArrayRef('select userId from users where karma >= ?', [$self->karmaThreshold]);
+}
+
+#-------------------------------------------------------------------
+
+=head2 getLDAPUsers ( )
+
+Get the set of users allowed to be in this group via an LDAP connection.
+
+=cut
+
+sub getLDAPUsers {
+	my $self = shift;
+	my @ldapUsers = ();
+	my $gid = $self->getId;
+	### Check LDAP
+	my $ldapLinkId = $self->get("ldapLinkId");
+	my $ldapGroup = $self->get("ldapGroup");
+	my $ldapGroupProperty = $self->get("ldapGroupProperty");
+	my $ldapRecursiveProperty = $self->get("ldapRecursiveProperty");
+
+	return [] unless ($ldapLinkId && $ldapGroup && $ldapGroupProperty);
+
+	my $ldapLink = WebGUI::LDAPLink->new($self->session,$ldapLinkId);
+	unless ($ldapLink && $ldapLink->bind) {
+		$self->session->errorHandler->warn("There was a problem connecting to LDAP link $ldapLinkId for group ID $gid.");
+		return [];
+	}
+
+	my $people = [];
+	if($ldapRecursiveProperty) {
+		$ldapLink->recurseProperty($ldapGroup,$people,$ldapGroupProperty,$ldapRecursiveProperty);
+	} else {
+		$people = $ldapLink->getProperty($ldapGroup,$ldapGroupProperty);
+	}
+	$ldapLink->unbind;
+
+	foreach my $person (@{$people}) {
+		$person =~ s/\s*,\s*/,/g;
+		$person = lc($person);
+		my ($userId) = $self->session->db->quickArray("select userId from authentication where authMethod='LDAP' and fieldName='connectDN' and lower(fieldData)=?",[$person]);
+		if($userId) {
+			push(@ldapUsers,$userId);
+		} else {
+			$self->session->errorHandler->warn("Could not find matching userId for dn $person in WebGUI for group $gid");
+		}
+	}
+
+	return \@ldapUsers;
 }
 
 #-------------------------------------------------------------------
 
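Review bot: The DN comparison in getLDAPUsers is asymmetric: each LDAP result is lowercased and has whitespace around commas stripped, but the stored connectDN is only lowercased in SQL (`lower(fieldData)=?`), so a user whose connectDN was saved as `cn=x, ou=y` never matches the normalised `cn=x,ou=y` and is dropped from the group with a warning. The isInGroup code this commit removes from User.pm normalised both sides (`$connectDn =~ s/\s*,\s*/,/g`), so this is a regression of the commit's own behaviour. Loading the LDAP connectDNs once, normalising them the same way and looking each person up in a hash fixes the mismatch and replaces one query per DN with one query per call. Separately, `@{$people}` dies under strict if getProperty returns undef rather than an array ref; getProperty is not visible here, so that may need a `// []` guard.
```perl
sub getLDAPUsers {
	# … unchanged: property lookup, bind check, and $people collection …
	$ldapLink->unbind;

	# Normalise the stored connectDNs exactly like the LDAP results so that
	# "cn=x, ou=y" and "cn=x,ou=y" compare equal; one query instead of one per DN.
	my $storedDns = $self->session->db->buildHashRef(
		"select fieldData, userId from authentication where authMethod='LDAP' and fieldName='connectDN'"
	);
	my %userIdForDn = ();
	while (my ($dn, $userId) = each %{$storedDns}) {
		$dn = lc($dn);
		$dn =~ s/\s*,\s*/,/g;
		$userIdForDn{$dn} = $userId;
	}

	foreach my $person (@{$people}) {
		my $dn = lc($person);
		$dn =~ s/\s*,\s*/,/g;
		if ($userIdForDn{$dn}) {
			push(@ldapUsers, $userIdForDn{$dn});
		} else {
			$self->session->errorHandler->warn("Could not find matching userId for dn $person in WebGUI for group $gid");
		}
	}

	return \@ldapUsers;
}
```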
@@ -1079,6 +1128,27 @@ sub ldapGroupProperty {
 
 #-------------------------------------------------------------------
 
+=head2 ldapLinkId ( [ value ] )
+
+Returns the ldapLinkId for this group.
+
+=head3 value
+
+If specified, the ldapLinkId is set to this value and in-memory cached user and group data is cleared.
+
+=cut
+
+sub ldapLinkId {
+	my $self = shift;
+	my $value = shift;
+	if (defined $value) {
+		$self->set("ldapLinkId",$value);
+	}
+	return $self->get("ldapLinkId");
+}
+
+#-------------------------------------------------------------------
+
 =head2 ldapRecursiveProperty ( [ value ] )
 
 Returns the ldap group recursive property used to find groups of groups.
diff --git a/lib/WebGUI/User.pm b/lib/WebGUI/User.pm
index 1b9faeffe..65a59eae5 100644
--- a/lib/WebGUI/User.pm
+++ b/lib/WebGUI/User.pm
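Review bot: The POD for ldapLinkId says that setting the value clears in-memory cached user and group data, but the body only calls `$self->set("ldapLinkId",$value)`; unless `set` does that clearing itself (not visible here), the sentence overstates what the accessor does and should read `If specified, the ldapLinkId is set to this value.` The neighbouring accessors appear to share the same wording, so whichever is accurate should be applied to all of them consistently.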
@@ -254,73 +254,34 @@ The group that you wish to verify against the user. Defaults to group with Id 3
 =cut
 
 sub isInGroup {
-	my (@data, $groupId);
-	my ($self, $gid, $secondRun) = @_;
-	$gid = 3 unless (defined $gid);
-	my $uid = $self->userId;
-	### The following several checks are to increase performance. If this section were removed, everything would continue to work as normal.
-	return 1 if ($gid eq '7'); # everyone is in the everyone group
-	return 1 if ($gid eq '1' && $uid eq '1'); # visitors are in the visitors group
-	return 1 if ($gid eq '2' && $uid ne '1'); # if you're not a visitor, then you're a registered user
-	### Get data for auxillary checks.
-	my $isInGroup = $self->session->stow->get("isInGroup");
-	### Look to see if we've already looked up this group.
-	return $isInGroup->{$uid}{$gid} if exists $isInGroup->{$uid}{$gid};
-	### Lookup the actual groupings.
-	my $group = WebGUI::Group->new($self->session,$gid);
-	### Check for groups of groups.
-	my $users = $group->getAllUsers();
-	foreach my $user (@{$users}) {
-		$isInGroup->{$user}{$gid} = 1;
-		if ($uid eq $user) {
-			$self->session->stow->set("isInGroup",$isInGroup);
-			return 1;
-		}
-	}
-
-	### Check ldap
-	if ($group->get("ldapGroup") && $group->get("ldapGroupProperty")) {
-		# skip if not logged in
-		unless($uid eq '1') {
-			# skip if user is not set to LDAP
-			if($self->authMethod eq "LDAP") {
-				my $auth = WebGUI::Auth->new($self->session,"LDAP",$uid);
-				my $params = $auth->getParams();
-				my $ldapLink = WebGUI::LDAPLink->new($self->session,$params->{ldapConnection});
-				if($ldapLink ne "") {
-					my $people = [];
-					if($group->get("ldapRecursiveProperty")) {
-						$ldapLink->recurseProperty($group->get("ldapGroup"),$people,$group->get("ldapGroupProperty"),$group->get("ldapRecursiveProperty"));
-					} else {
-						$people = $ldapLink->getProperty($group->get("ldapGroup"),$group->get("ldapGroupProperty"));
-					}
-					my @peeps;
-					my $connectDn = lc($params->{connectDN});
-					$connectDn =~ s/\s*,\s*/,/g;
-					foreach my $person (@{$people}) {
-						$person =~ s/\s*,\s*/,/g;
-						push(@peeps,lc($person));
-					}
-					if(isIn($connectDn,@peeps)) {
-						$isInGroup->{$uid}{$gid} = 1;
-						if ($group->{'groupCacheTimeout'} > 10) {
-							$group->deleteUsers([$uid]);
-							$group->addUsers([$uid],$group->get("groupCacheTimeout"));
-						}
-					} else {
-						$isInGroup->{$uid}{$gid} = 0;
-						$group->deleteUsers([$uid]) if ($group->get("groupCacheTimeout") > 10);
-					}
-					$ldapLink->unbind;
-					$self->session->stow->set("isInGroup",$isInGroup);
-					return 1 if ($isInGroup->{$uid}{$gid});
-				}
-			}
-		}
-	}
-	$isInGroup->{$uid}{$gid} = 0;
-	$self->session->stow->set("isInGroup",$isInGroup);
-	return 0;
+	my (@data, $groupId);
+	my ($self, $gid, $secondRun) = @_;
+	$gid = 3 unless (defined $gid);
+	my $uid = $self->userId;
+	### The following several checks are to increase performance. If this section were removed, everything would continue to work as normal.
+	#my $eh = $self->session->errorHandler;
+	#$eh->warn("Group Id is: $gid for ".$tgroup->name);
+	return 1 if ($gid eq '7'); # everyone is in the everyone group
+	return 1 if ($gid eq '1' && $uid eq '1'); # visitors are in the visitors group
+	return 1 if ($gid eq '2' && $uid ne '1'); # if you're not a visitor, then you're a registered user
+	### Get data for auxillary checks.
+	my $isInGroup = $self->session->stow->get("isInGroup");
+	### Look to see if we've already looked up this group.
+	return $isInGroup->{$uid}{$gid} if exists $isInGroup->{$uid}{$gid};
+	### Lookup the actual groupings.
+	my $group = WebGUI::Group->new($self->session,$gid);
+	### Check for groups of groups.
+	my $users = $group->getAllUsers();
+	foreach my $user (@{$users}) {
+		$isInGroup->{$user}{$gid} = 1;
+		if ($uid eq $user) {
+			$self->session->stow->set("isInGroup",$isInGroup);
+			return 1;
+		}
+	}
+	$isInGroup->{$uid}{$gid} = 0;
+	$self->session->stow->set("isInGroup",$isInGroup);
+	return 0;
 }
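Review bot: The new isInGroup body keeps `my (@data, $groupId);` and `$secondRun`, neither of which is used anywhere in the sub, and adds two commented-out debug lines whose `$tgroup` does not exist in this scope; remove all four lines rather than leave dead code in an access-control path. With the per-user LDAP block gone, membership in LDAP-backed groups now comes solely from `$group->getAllUsers()`, so the `addUsers`/`deleteUsers` caching keyed on groupCacheTimeout that the removed code performed no longer happens, and every isInGroup call that misses the per-request stow cache resolves the directory group again; getAllUsers and Group's own caching are not visible here, so confirm that cost is intended. The positive short-circuits for groups 7, 1 and 2 are unchanged and still bypass any directory lookup.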