From e6359595d5d4ab4b2cf0e688816601969453277c Mon Sep 17 00:00:00 2001
From: Andreas Heigl
Date: Fri, 17 May 2024 14:58:51 +0200
Subject: [PATCH] Fix group-assignment in certain conditions

When the LDAP-group assignements change between logins and the admin has set the LDAP-roles to overwrite the wordpress-roles, then the LDAP-Roles now actually overwrite the WordPress roles.
---
 authLdap.php | 10 +++++-----
 features/log in using no groups at all.feature | 1 -
 wordpress/info.php | 1 +
 3 files changed, 6 insertions(+), 6 deletions(-)
 create mode 100644 wordpress/info.php

diff --git a/authLdap.php b/authLdap.php
index d8d3044..178fc4f 100644
--- a/authLdap.php
+++ b/authLdap.php
@@ -255,8 +255,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 $authLDAPUidAttr = authLdap_get_option('UidAttr');
 $authLDAPWebAttr = authLdap_get_option('WebAttr');
 $authLDAPDefaultRole = authLdap_get_option('DefaultRole');
- $authLDAPGroupEnable = authLdap_get_option('GroupEnable');
- $authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
+ $authLDAPGroupEnable = filter_var(authLdap_get_option('GroupEnable'), FILTER_VALIDATE_BOOLEAN);
+ $authLDAPGroupOverUser = filter_var(authLdap_get_option('GroupOverUser'), FILTER_VALIDATE_BOOLEAN);
 $authLDAPUseUserAccount = authLdap_get_option('UserRead');
 
 if (!$username) {
@@ -373,7 +373,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 
 // we only need this if either LDAP groups are disabled or
 // if the WordPress role of the user overrides LDAP groups
- if (!$authLDAPGroupEnable || $authLDAPGroupOverUser) {
+ if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false) {
 $userRoles = authLdap_user_role($uid);
 if ($userRoles !== []) {
 $roles = array_merge($roles, $userRoles);
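Review bot: `filter_var(..., FILTER_VALIDATE_BOOLEAN)` on the two added lines maps any value it does not recognise — not only "0"/"false"/"off"/"no"/"" but also a legacy-formatted or corrupted option — to `false`, so a malformed `GroupOverUser` silently reverts to "WordPress roles win" and a malformed `GroupEnable` silently disables group mapping, with nothing logged. Failing toward the stored WordPress roles is the conservative direction, but it should be deliberate: either pass `FILTER_NULL_ON_FAILURE` and handle `null` explicitly, or record the contract in a comment such as `// anything other than a recognised true value ("1", "true", "on", "yes") disables the feature`. What `authLdap_get_option` returns for an unset option is not visible here, so I am assuming a string or null. The enclosing function `authLdap_login` continues outside the hunk.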
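Review bot: The rewritten condition now skips reading the user's stored WordPress roles whenever LDAP groups are enabled and set to override, but nothing at this site says why that is the intended trade-off, so a later maintainer may "fix" it back. Suggest extending the two comment lines above the `if`, e.g. `// when LDAP groups override, the stored WordPress roles are deliberately not read, so roles revoked in LDAP are not carried over to the next login`. Since both variables are guaranteed booleans by the `filter_var` calls earlier in the function, `!$authLDAPGroupEnable || !$authLDAPGroupOverUser` would read the same and is arguably clearer, though the explicit `=== false` form is acceptable. `authLdap_login` begins and ends outside this hunk.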
@@ -383,8 +383,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 }
 
 // do LDAP group mapping if needed
- // (if LDAP groups override worpress user role, $role is still empty)
- if (empty($roles) && $authLDAPGroupEnable) {
+ // (if LDAP groups override wordpress user role, $role is still empty)
+ if ((empty($roles) || $authLDAPGroupOverUser === true) && $authLDAPGroupEnable === true) {
 $mappedRoles = authLdap_groupmap($realuid, $dn);
 if ($mappedRoles !== []) {
 $roles = $mappedRoles;
diff --git a/features/log in using no groups at all.feature b/features/log in using no groups at all.feature
index b469f13..a590ae2 100644
--- a/features/log in using no groups at all.feature
+++ b/features/log in using no groups at all.feature
@@ -80,6 +80,5 @@ Feature: Log in without group assignment
 When LDAP user "ldapuser" logs in with password "P@ssw0rd"
 Then the login suceeds
 And the WordPress user "ldapuser" is member of role "editor"
- And the WordPress user "ldapuser" is member of role "wordpressrole"
 And the WordPress user "ldapuser" is not member of role "administrator"
 And the WordPress user "ldapuser" is not member of role "subscriber"
diff --git a/wordpress/info.php b/wordpress/info.php
new file mode 100644
index 0000000..b3d9bbc
--- /dev/null
+++ b/wordpress/info.php
@@ -0,0 +1 @@
+
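Review bot: The rewritten comment still refers to `$role` while the variable tested is `$roles`; since the commit already touches that line, `// (if LDAP groups override wordpress user role, $roles is still empty)` would fix it. More importantly, when `$authLDAPGroupOverUser === true` and `authLdap_groupmap` returns `[]`, the stored WordPress roles were not read in the earlier hunk and are not restored here, so `$roles` leaves this block empty and the user ends up with whatever the code after the hunk assigns (presumably the default role — not visible here). Dropping roles that LDAP no longer grants is the least-privilege outcome and looks intended, but that consequence is worth stating in the comment so nobody re-adds a fallback to the stale WordPress roles. The remainder of `authLdap_login` is outside the hunk.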
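Review bot: The new file `wordpress/info.php` is not mentioned in the commit message, and its single added line is not visible on this page, so its purpose cannot be checked. If it is a `phpinfo()`-style diagnostic or scratch page for the test setup, it should be dropped from this bug-fix commit or at least explained in the message, since such a page discloses configuration details if it ever reaches a deployed site.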