From 6ca5bb4d41bbdd0d88c37a52726c6b631ce87f66 Mon Sep 17 00:00:00 2001 From: Andrew Engelbrecht Date: Mon, 17 Apr 2017 12:34:25 -0400 Subject: [PATCH] Added CAS user whitelist feature This feature filters users who may log in via CAS. This is useful when both CAS and password authentication is enabled and there is a mismatch between some GNU social account names and CAS user names. This prevents CAS users from logging in as someone else on GNU social. --- plugins/CasAuthentication/CasAuthenticationPlugin.php | 2 ++ plugins/CasAuthentication/README | 5 +++++ plugins/CasAuthentication/actions/caslogin.php | 5 +++++ 3 files changed, 12 insertions(+) diff --git a/plugins/CasAuthentication/CasAuthenticationPlugin.php b/plugins/CasAuthentication/CasAuthenticationPlugin.php index cf0bf4ac52..02ed4cb166 100644 --- a/plugins/CasAuthentication/CasAuthenticationPlugin.php +++ b/plugins/CasAuthentication/CasAuthenticationPlugin.php @@ -40,6 +40,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin public $port = 443; public $path = ''; public $takeOverLogin = false; + public $user_whitelist = null; function checkPassword($username, $password) { @@ -145,6 +146,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin $casSettings['port']=$this->port; $casSettings['path']=$this->path; $casSettings['takeOverLogin']=$this->takeOverLogin; + $casSettings['user_whitelist']=$this->user_whitelist; } function onPluginVersion(array &$versions) diff --git a/plugins/CasAuthentication/README b/plugins/CasAuthentication/README index c17a28e54a..2e770a0867 100644 --- a/plugins/CasAuthentication/README +++ b/plugins/CasAuthentication/README @@ -24,6 +24,11 @@ path (): Path on the server to CAS. Usually blank. takeOverLogin (false): Take over the main login action. If takeOverLogin is set, anytime the standard username/password login form would be shown, a CAS login will be done instead. +user_whitelist (null): Only allow login via CAS for users listed in this + array. This is useful when both CAS and password authentication is enabled + and there is a mismatch between some GNU social account names and CAS user + names. This prevents CAS users from logging in as someone else on GNU + social. When set to null, no CAS logins are filtered by this feature. * required default values are in (parenthesis) diff --git a/plugins/CasAuthentication/actions/caslogin.php b/plugins/CasAuthentication/actions/caslogin.php index 7310072d92..9250b43b7a 100644 --- a/plugins/CasAuthentication/actions/caslogin.php +++ b/plugins/CasAuthentication/actions/caslogin.php @@ -41,6 +41,11 @@ class CasloginAction extends Action $this->serverError(_m('Incorrect username or password.')); } + if ($casSettings['user_whitelist'] != null && !in_array($user->nickname, $casSettings['user_whitelist'])) { + // TRANS: Server error displayed when trying to log in with non-whitelisted user name (when whitelists are enabled.) + $this->serverError(_m('Incorrect username or password.')); + } + // success! if (!common_set_user($user)) { // TRANS: Server error displayed when login fails in CAS authentication plugin. -- 2.39.5