authorScott Ullrich <sullrich@pfsense.org>2008-01-01 00:06:18 +0000
committerScott Ullrich <sullrich@pfsense.org>2008-01-01 00:06:18 +0000
commit2f650197fb6965318123c40e6747558761063dfc (patch)
tree0431742cf39652831587be089b80b29f6fc389c3 /etc
parentb97bcfd51d77da08bd30a9d81c8bcfd4fcc2e9a0 (diff)
downloadpfsense-2f650197fb6965318123c40e6747558761063dfc.zip
pfsense-2f650197fb6965318123c40e6747558761063dfc.tar.gz
* Missing =
* Allow user manager to adhere to admins group
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/auth.inc42
-rw-r--r--etc/inc/authgui.inc6
2 files changed, 35 insertions, 13 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index cc486e0..734bb2a 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -60,10 +60,19 @@ function logout_session() {
function getAllowedGroups($logged_in_user) {
global $g, $config;
+ $allowed = array();
+ $allowed_groups = array();
+
log_error("Getting groups for {$logged_in_user}.");
+ $local_user = false;
+
+ foreach($config['system']['user'] as $username)
+ if($username['name'] = $logged_in_user)
+ $local_user = true;
+
/* return ldap groups if we are in ldap mode */
- if($config['system']['webgui']['backend'] == "ldap") {
+ if($config['system']['webgui']['backend'] == "ldap" && $local_user == false) {
$allowed_groups = ldap_get_groups($logged_in_user);
$fdny = fopen("/tmp/groups","w");
fwrite($fdny, print_r($allowed, true));
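Review bot: The new local-user scan at lines 33–35 uses an assignment where a comparison is intended: `if($username['name'] = $logged_in_user)` writes the login name into the loop copy and is truthy for any non-empty name, so `$local_user` is set to true for every caller and the `&& $local_user == false` guard added on the LDAP branch can never pass. This is the same slip the commit corrects in the next hunk (lines 49–50); the new line should read `if($username['name'] == $logged_in_user)` (a `break` once matched would also avoid scanning the whole user list). Note as well that the pre-existing debug write at line 42 dumps `$allowed`, which this hunk now initialises to an empty array, so the file will never contain the LDAP result held in `$allowed_groups`. The body of getAllowedGroups continues beyond this hunk.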
@@ -82,12 +91,12 @@ function getAllowedGroups($logged_in_user) {
}
$final_allowed = array();
-
+
foreach($config['system']['user'] as $username) {
- if($username['name'] = $logged_in_user)
+ if($username['name'] == $logged_in_user)
$allowed_groups = explode(",", $username['groupname']);
}
-
+
foreach($config['system']['group'] as $group) {
if(in_array($group['name'], $allowed_groups)) {
foreach($group['pages'] as $page) {
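Review bot: The corrected comparison at line 50 is still a loose `==`; both sides are user-name strings, so `===` avoids PHP's numeric-string coercion (e.g. names that look like numbers comparing equal) and makes the intent unambiguous, i.e. `if($username['name'] === $logged_in_user)`. The same applies to the `in_array($group['name'], $allowed_groups)` membership test at line 56, which should pass `true` as its third argument. The loop also keeps iterating after a match, so a later duplicate entry would silently replace the group list; a `break` after the assignment would make the first match authoritative. getAllowedGroups continues outside this hunk.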
@@ -333,23 +342,35 @@ function getGroupHomePage($group = "") {
}
function isSystemAdmin($username = "") {
- global $groupindex, $userindex, $config, $g;
-
+ global $groupindex, $userindex, $config, $g, $_SESSION;
+
+ if($_SESSION['isSystemAdmin'])
+ return $_SESSION['isSystemAdmin'];
+
if($config['system']['webgui']['backend'] == "ldap") {
$groups = ldap_get_groups($username);
- if(is_array($groups))
- if(in_array("admins", $groups))
+ if(is_array($groups)){
+ if(in_array("admins", $groups)) {
+ $_SESSION['isSystemAdmin'] = true;
return true;
+ }
+ }
}
- if ($username == "") { return 0; }
+ if ($username == "") {
+ $_SESSION['isSystemAdmin'] = false;
+ return 0;
+ }
$gname = $config['system']['group'][$groupindex[$config['system']['user'][$userindex[$username]]['groupname']]]['name'];
if (isset($gname)) {
+ $_SESSION['isSystemAdmin'] = $gname === $g["admin_group"];
return ($gname === $g["admin_group"]);
}
+ $_SESSION['isSystemAdmin'] = false;
+
return 0;
}
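Review bot: The session cache introduced at lines 65–66 is keyed on the session only, not on the `$username` argument, so once any call has stored `true` every subsequent isSystemAdmin() call in that session returns true regardless of which user name it is asked about; a guard of the form `if(isset($_SESSION['isSystemAdmin']) && ($_SESSION['isSystemAdminUser'] ?? null) === $username)` (key name constructed here) with the user name recorded alongside the flag would bind the cached answer to the user it was computed for. The guard also only short-circuits on a truthy value, so a cached `false` is recomputed on every call, which defeats half of the caching. Because the flag persists for the life of the session, a user removed from the admin group keeps admin rights until they log out unless the cache is cleared on group changes or in logout_session(), which I cannot see from this hunk. Finally, `$_SESSION` is a superglobal and does not need to be listed in the `global` statement at line 63.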
@@ -761,7 +782,8 @@ function ldap_get_groups($username) {
if(!$ou) {
log_error("Could not resolve users home container for {$username}");
- return false;
+ $status = htpasswd_backed($username, $passwd);
+ return $status;
}
$search = ldap_search($ldap, $ou . "," . $ldapsearchbase, $ldapfilter, array('memberOf'));
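Review bot: The fallback added at lines 97–98 passes `$passwd` to htpasswd_backed(), but ldap_get_groups() is declared with `$username` as its only parameter (line 93) and the hunk shows no assignment to `$passwd`, so unless it is set earlier in the function or declared global it will be undefined here; please confirm where it comes from. Callers also treat this function's result as a group list — `is_array($groups)` at line 70 and the `in_array(..., $allowed_groups)` test in getAllowedGroups — whereas `$status` looks like an authentication result, so returning it here changes the function's return type; if the intent is to fall back to local groups, the caller branch is the place to do it, and this path should keep returning `false`. The enclosing function starts and ends outside this hunk.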
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index c3d6f32..7dc1779 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -68,10 +68,10 @@ if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])
// Once here, the user has authenticated with the web server.
// Now, we give them access only to the appropriate pages for their group.
if (!(isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))) {
- $g['privs'] = getAllowedGroups($HTTP_SERVER_VARS['AUTH_USER']);
- $allowed = $g['privs'];
+ $_SESSION['privs'] = getAllowedGroups($HTTP_SERVER_VARS['AUTH_USER']);
+ $allowed = $_SESSION['privs'];
- $allowed_groups = print_r($g['privs'],true);
+ $allowed_groups = print_r($_SESSION['privs'],true);
$fdny = fopen("/tmp/groups", "w");
fwrite($fdny, $allowed_groups);
fclose($fdny);
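Review bot: `$_SESSION['privs']` at lines 111–112 is written unconditionally on every request and read back immediately into `$allowed`, so the session stash adds no caching benefit here while making the computed page list persist in the session store. If other code is expected to read `$_SESSION['privs']` (I cannot tell from this hunk), it should be cleared in logout_session() together with the `isSystemAdmin` flag auth.inc now stores, so that revoked rights do not survive a logout; otherwise the plain local `$allowed = getAllowedGroups(...)` would be simpler. The pre-existing debug dump to the fixed path `/tmp/groups` at lines 115–117 still writes the user's page list on every request and is worth removing now that the data lives in the session.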