Commit
Fix group-assignment in certain conditions
When the LDAP-group assignments change between logins and the admin has
set the LDAP-roles to overwrite the WordPress-roles, then the LDAP-Roles
now actually overwrite the WordPress roles.
heiglandreas committed May 17, 2024
1 parent 2f2e440 commit e635959
Showing 3 changed files with 6 additions and 6 deletions.
10 changes: 5 additions & 5 deletions authLdap.php
Expand Up @@ -255,8 +255,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
$authLDAPUidAttr = authLdap_get_option('UidAttr');
$authLDAPWebAttr = authLdap_get_option('WebAttr');
$authLDAPDefaultRole = authLdap_get_option('DefaultRole');
$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
$authLDAPGroupEnable = filter_var(authLdap_get_option('GroupEnable'), FILTER_VALIDATE_BOOLEAN);
$authLDAPGroupOverUser = filter_var(authLdap_get_option('GroupOverUser'), FILTER_VALIDATE_BOOLEAN);
$authLDAPUseUserAccount = authLdap_get_option('UserRead');

if (!$username) {
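Review bot: In the two `filter_var(..., FILTER_VALIDATE_BOOLEAN)` lines, any stored value that is not one of the recognised truthy strings silently becomes `false`, and for `GroupEnable` that switches LDAP group mapping off without any signal to the admin. Consider passing `FILTER_NULL_ON_FAILURE` and logging or rejecting a `null` result, or normalising once inside `authLdap_get_option()` so every caller sees the same type. `UserRead` on the following line is still read raw; if it is also a flag, it should get the same treatment so the strict comparisons introduced later stay consistent.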
Expand Down Expand Up @@ -373,7 +373,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)

// we only need this if either LDAP groups are disabled or
// if the WordPress role of the user overrides LDAP groups
if (!$authLDAPGroupEnable || $authLDAPGroupOverUser) {
if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false) {
$userRoles = authLdap_user_role($uid);
if ($userRoles !== []) {
$roles = array_merge($roles, $userRoles);
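Review bot: The second operand of the new condition is inverted, not just made strict: a truthy `$authLDAPGroupOverUser` used to enter this block and `$authLDAPGroupOverUser === false` now does, yet the comment above it is unchanged and its wording ("if the WordPress role of the user overrides LDAP groups") does not say which option value it means. Please reword the comment in terms of the option, for example that the stored WordPress roles are only loaded when groups are disabled or `GroupOverUser` is off. The strict `=== false` checks also depend on both variables being real booleans, so it is worth noting next to them that they rely on the `filter_var()` normalisation at the top of `authLdap_login()`.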
Expand All @@ -383,8 +383,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
}

// do LDAP group mapping if needed
// (if LDAP groups override worpress user role, $role is still empty)
if (empty($roles) && $authLDAPGroupEnable) {
// (if LDAP groups override wordpress user role, $role is still empty)
if ((empty($roles) || $authLDAPGroupOverUser === true) && $authLDAPGroupEnable === true) {
$mappedRoles = authLdap_groupmap($realuid, $dn);
if ($mappedRoles !== []) {
$roles = $mappedRoles;
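Review bot: With `GroupOverUser` on, `$roles` is still replaced only inside `if ($mappedRoles !== [])`, so for a user who has been removed from every mapped LDAP group nothing in the visible lines clears or resets `$roles`. That is the revocation side of the case the commit message describes; please make the override branch handle an empty mapping explicitly (assign the result unconditionally or fall back to the default role) and confirm what the code after this hunk does when `$roles` stays empty. Minor: the updated comment still says `$role` where the variable is `$roles`.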
1 change: 0 additions & 1 deletion features/log in using no groups at all.feature
Expand Up @@ -80,6 +80,5 @@ Feature: Log in without group assignment
When LDAP user "ldapuser" logs in with password "P@ssw0rd"
Then the login suceeds
And the WordPress user "ldapuser" is member of role "editor"
And the WordPress user "ldapuser" is member of role "wordpressrole"
And the WordPress user "ldapuser" is not member of role "administrator"
And the WordPress user "ldapuser" is not member of role "subscriber"
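Review bot: This scenario only loses an assertion (0 additions, 1 deletion), and none of the feature changes in this commit cover the case from the commit message, where LDAP group assignments change between two logins while LDAP roles are set to overwrite. Add a scenario that logs the user in, changes the group assignment, logs in again and asserts that the earlier role is no longer present, so the fix is pinned by a test.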
1 change: 1 addition & 0 deletions wordpress/info.php
@@ -0,0 +1 @@
<?php
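Review bot: `wordpress/info.php` is a new file containing only `<?php`, and the commit message does not mention it, so it looks like a leftover from local debugging. A file with this name under the WordPress directory is typically used for a `phpinfo()` page, which discloses server configuration if it is ever deployed; drop it from the commit or add it to the ignore list.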
