From 936fc874b211185c55f32a361aedf4803e19c099 Mon Sep 17 00:00:00 2001
From: Ermal <eri@pfsense.org>
Date: Wed, 14 Nov 2012 20:46:42 +0000
Subject: For local users check the necessary priviledge is granted

---
 etc/inc/ipsec.auth-user.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'etc/inc/ipsec.auth-user.php')

diff --git a/etc/inc/ipsec.auth-user.php b/etc/inc/ipsec.auth-user.php
index 273abaf..553ba69 100755
--- a/etc/inc/ipsec.auth-user.php
+++ b/etc/inc/ipsec.auth-user.php
@@ -115,8 +115,14 @@ foreach ($authmodes as $authmode) {
 		continue;
 
 	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
-	if ($authenticated == true)
+	if ($authenticated == true) {
+		if (stristr($authmode, "local") && !userHasPrivilege($username, "user-ipsec-xauth-dialin")) {
+			$authenticated = false;
+			syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPSec since the required priviledges are missing.\n");
+			continue;
+		}
 		break;
+	}
 }
 
 if ($authenticated == false) {
-- 
cgit v1.1