Reworking code to function with pluggable authentication. Moving PHP_AUTH_USER to variable to be set via config instead of relying blindly on PHP_AUTH_USER
This commit is contained in:
Родитель
3db495c90f
Коммит
88307db24e
40
auth.php
40
auth.php
|
@ -1,40 +1,8 @@
|
|||
<?php
|
||||
|
||||
function ask() {
|
||||
header('WWW-Authenticate: Basic realm="Mozilla Corporation - LDAP Login"');
|
||||
}
|
||||
|
||||
function wail_and_bail() {
|
||||
header('HTTP/1.0 401 Unauthorized');
|
||||
ask();
|
||||
print "<h1>401 Unauthorized</h1>";
|
||||
die;
|
||||
}
|
||||
|
||||
if (!isset($_SERVER["PHP_AUTH_USER"])) {
|
||||
ask();
|
||||
wail_and_bail();
|
||||
} else {
|
||||
// Check for validity of login
|
||||
$user = $_SERVER["PHP_AUTH_USER"];
|
||||
if (preg_match('/[a-z.]+@(.+?)\.(.+)/', $user, $m)) {
|
||||
$o = "net";
|
||||
if (($m[1] == "mozilla" && $m[2] == "com") ||
|
||||
($m[1] == "mozilla-japan" && $m[2] == "org")) {
|
||||
$o = "com";
|
||||
} elseif (($m[1] == "mozilla" && $m[2] == "org") ||
|
||||
($m[1] == "mozillafoundation" && $m[2] == "org")) {
|
||||
$o = "org";
|
||||
}
|
||||
$dn = "mail=$user,o={$o},dc=mozilla";
|
||||
$password = $_SERVER["PHP_AUTH_PW"];
|
||||
} else {
|
||||
wail_and_bail();
|
||||
}
|
||||
}
|
||||
require_once('config.php');
|
||||
|
||||
$connection = ldap_connect($ldap["host"], $ldap["port"]);
|
||||
// Actually perform authentication
|
||||
if (!ldap_bind($connection, $dn, $password)) {
|
||||
wail_and_bail();
|
||||
if (!ldap_bind($connection, $LDAP_BIND_USER, $LDAP_BIND_PASS)) {
|
||||
echo "LDAP conneciton failed";
|
||||
die;
|
||||
}
|
||||
|
|
|
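Review bot: After this change nothing in auth.php verifies the caller's credentials: the per-user `ldap_bind($connection, $dn, $password)` and the `preg_match` gate on the address are on the removed side (the hunk header shows the file shrinking from 40 to 8 lines), and what I read as the new side only binds with `$LDAP_BIND_USER`/`$LDAP_BIND_PASS`. The identity used everywhere else is `$GLOBAL_AUTH_USERNAME`, which config.php seeds from `$_SERVER['PHP_AUTH_USER']` — a value PHP copies from whatever `Authorization: Basic` header the client sent — so unless the web server authenticates that header (mod_auth_basic/LDAP or the OIDC module the config comment alludes to) before PHP runs, any client can impersonate any user by sending a fabricated header. I would fail closed here, `if (empty($GLOBAL_AUTH_USERNAME)) { header('HTTP/1.0 401 Unauthorized'); die; }`, and document the deployment contract at the top of the file: `// Authentication is delegated to the web server (Basic/LDAP or OIDC); this file only opens the service bind and trusts $GLOBAL_AUTH_USERNAME from config.php.` The `echo "LDAP conneciton failed"` on bind failure also has a typo and sends an infrastructure detail to the browser; print a generic message and log `ldap_error($connection)` server-side instead.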
@ -13,6 +13,13 @@ $mysql = array(
|
|||
"database" => ""
|
||||
);
|
||||
|
||||
$LDAP_BIND_USER = 'id=username@domain.com,ou=logins,dc=foo';
|
||||
$LDAP_BIND_PASS = 'LDAPBINDPASS';
|
||||
|
||||
// No longer rely on PHP_AUTH_USER blindly
|
||||
// $_SERVER['OIDC_CLAIM_email'] would work for Open ID Connect
|
||||
$GLOBAL_AUTH_USERNAME = $_SERVER['PHP_AUTH_USER'];
|
||||
|
||||
# Set the constants below to FALSE to do various debugging.
|
||||
define("ENABLE_MAIL", TRUE);
|
||||
define("ENABLE_DB", TRUE);
|
||||
|
|
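Review bot: `$GLOBAL_AUTH_USERNAME = $_SERVER['PHP_AUTH_USER'];` reads the index unconditionally, so a request without an `Authorization` header raises an undefined-index notice and yields a null username that then flows into LDAP filters and `in_array` checks across the app. Prefer `$GLOBAL_AUTH_USERNAME = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;` and let auth.php reject a null value. Because this variable is now the sole source of identity, the comment above it should state the trust assumption explicitly: `// Identity is taken from the web server's auth module; PHP no longer validates it, so this MUST come from a header the server enforces (Basic/LDAP or OIDC).` This also appears to be a tracked template (the `$mysql` entries are empty), so keep the real `$LDAP_BIND_PASS` out of version control via a local override or environment variable.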
8
edit.php
8
edit.php
|
@ -14,10 +14,10 @@ $is_editing = false;
|
|||
|
||||
$data = ldap_find(
|
||||
$connection,
|
||||
"mail=". $_SERVER["PHP_AUTH_USER"],
|
||||
"mail=". $GLOBAL_AUTH_USERNAME,
|
||||
array("cn", "manager")
|
||||
);
|
||||
$notifier_email = $_SERVER["PHP_AUTH_USER"];
|
||||
$notifier_email = $GLOBAL_AUTH_USERNAME;
|
||||
$notifier_name = $data[0]["cn"][0];
|
||||
|
||||
$manager_dn = $data[0]["manager"][0];
|
||||
|
@ -39,11 +39,11 @@ if (ENABLE_MANAGER_NOTIFYING) {
|
|||
if (isset($_REQUEST['id']) && $_REQUEST['id']) {
|
||||
$data = ldap_find(
|
||||
$connection,
|
||||
"mail=". $_SERVER["PHP_AUTH_USER"],
|
||||
"mail=". $GLOBAL_AUTH_USERNAME,
|
||||
array("cn", "manager")
|
||||
);
|
||||
|
||||
$notifier_email = $_SERVER["PHP_AUTH_USER"];
|
||||
$notifier_email = $GLOBAL_AUTH_USERNAME;
|
||||
$notifier_name = $data[0]["cn"][0];
|
||||
|
||||
$manager_dn = $data[0]["manager"][0];
|
||||
|
|
|
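Review bot: In the first hunk `"mail=". $GLOBAL_AUTH_USERNAME` is still concatenated straight into an LDAP search filter, and the `preg_match` that used to constrain the address in auth.php appears to be removed by this commit, so `*`, `(`, `)`, `\` and NUL from a forged header now reach `ldap_find` unescaped. Use `"mail=". ldap_escape($GLOBAL_AUTH_USERNAME, '', LDAP_ESCAPE_FILTER)` (PHP 5.6+; on an older runtime — the tree still calls `mysql_connect` — escape those characters by hand). `$data[0]["cn"][0]` and `$data[0]["manager"][0]` are also dereferenced without checking that the search returned an entry, which it will not for an unknown address; add `if (empty($data[0])) { /* fail closed */ }` before reading them. The second hunk repeats the same pattern, and both enclosing blocks start outside the hunks.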
@ -2,7 +2,7 @@
|
|||
|
||||
require("prefetch.inc");
|
||||
|
||||
if (!in_array($_SERVER["PHP_AUTH_USER"], $export_users)) {
|
||||
if (!in_array($GLOBAL_AUTH_USERNAME, $export_users)) {
|
||||
include "./templates/header.php";
|
||||
echo "You are not permitted to view this page.";
|
||||
include "./templates/footer.php";
|
||||
|
|
|
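Review bot: `in_array($GLOBAL_AUTH_USERNAME, $export_users)` still uses loose comparison; now that the value may be null (no header) or an arbitrary client-supplied string, pass the strict flag: `if (!in_array($GLOBAL_AUTH_USERNAME, $export_users, true)) {`. The rest of the branch, including whether it `exit`s after the footer, lies outside the hunk; if it does not, the export body below would still run for an unauthorised user, so that is worth confirming.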
@ -4,13 +4,14 @@ require_once('config.php');
|
|||
require_once('auth.php');
|
||||
|
||||
function pretty_die() {
|
||||
global $GLOBAL_AUTH_USERNAME;
|
||||
include './templates/header.php';
|
||||
echo 'There was a problem getting your PTO records. Please try again later.';
|
||||
include './templates/footer.php';
|
||||
exit;
|
||||
}
|
||||
|
||||
$me = $_SERVER['PHP_AUTH_USER'];
|
||||
$me = $GLOBAL_AUTH_USERNAME;
|
||||
|
||||
$conn = @mysql_connect($mysql['host'], $mysql['user'], $mysql['password'])
|
||||
or pretty_die();
|
||||
|
|
|
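Review bot: The `global $GLOBAL_AUTH_USERNAME;` added to `pretty_die()` is never used in the function body shown, so it is dead code — drop it, or if the intent was to mention the user on the error page, actually use it. The file-scope `$me = $GLOBAL_AUTH_USERNAME;` below is the only reader and needs no `global` declaration. Since `pretty_die()` is also the handler for the `@mysql_connect` line, which suppresses the connection error, consider logging the underlying error inside `pretty_die()` rather than discarding it.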
@ -4,7 +4,7 @@ if (!defined("LIMITED_FIELDS")) {
|
|||
define("LIMITED_FIELDS", "id, person, added, hours, start, end, details");
|
||||
}
|
||||
|
||||
$notifier_email = $_SERVER["PHP_AUTH_USER"];
|
||||
$notifier_email = $GLOBAL_AUTH_USERNAME;
|
||||
$data = ldap_find($connection, "mail=". $notifier_email, array("manager", "cn"));
|
||||
$notifier_name = $data[0]["cn"][0];
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<?php
|
||||
require("prefetch.inc");
|
||||
|
||||
if (!in_array($_SERVER["PHP_AUTH_USER"], $export_users)) {
|
||||
if (!in_array($GLOBAL_AUTH_USERNAME, $export_users)) {
|
||||
include "./templates/header.php";
|
||||
echo "You are not permitted to view this page.";
|
||||
include "./templates/footer.php";
|
||||
|
|
|
@ -50,7 +50,7 @@ if (isset($_REQUEST["id"]) && $_REQUEST["id"]) {
|
|||
}
|
||||
|
||||
|
||||
$notifier_email = $_SERVER["PHP_AUTH_USER"];
|
||||
$notifier_email = $GLOBAL_AUTH_USERNAME;
|
||||
$data = ldap_find(
|
||||
$connection, "mail=". $notifier_email, array("manager", "cn")
|
||||
);
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
<li><a href="./">Notify</a></li>
|
||||
<li><a href="./mypto.php">My PTO</a></li>
|
||||
<?php
|
||||
if (in_array($_SERVER["PHP_AUTH_USER"], $export_users)) {
|
||||
if (in_array($GLOBAL_AUTH_USERNAME, $export_users)) {
|
||||
?><li><a href="./export.php">List</a></li>
|
||||
<li><a href="./report.php">Report</a></li><?php
|
||||
}
|
||||
|
|