Fix some secuity tests were not done.
This commit is contained in:
Laurent Destailleur
parent
f75c115140
commit
8be08c692f
@ -36,9 +36,6 @@
|
||||
function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=1)
|
||||
{
|
||||
global $db,$conf,$langs;
|
||||
global $mc;
|
||||
|
||||
dol_syslog("functions_dolibarr::check_user_password_dolibarr usertotest=".$usertotest);
|
||||
|
||||
// Force master entity in transversal mode
|
||||
$entity=$entitytotest;
|
||||
@ -48,6 +45,8 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
|
||||
|
||||
if (! empty($usertotest))
|
||||
{
|
||||
dol_syslog("functions_dolibarr::check_user_password_dolibarr usertotest=".$usertotest." passwordtotest=".preg_replace('/./','*',$passwordtotest)." entitytotest=".$entitytotest);
|
||||
|
||||
// If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
|
||||
$table = MAIN_DB_PREFIX."user";
|
||||
$usernamecol1 = 'login';
|
||||
@ -60,7 +59,6 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
|
||||
if (preg_match('/@/',$usertotest)) $sql.=' OR '.$usernamecol2." = '".$db->escape($usertotest)."'";
|
||||
$sql.=') AND '.$entitycol." IN (0," . ($entity ? $entity : 1) . ")";
|
||||
|
||||
dol_syslog("functions_dolibarr::check_user_password_dolibarr", LOG_DEBUG);
|
||||
$resql=$db->query($sql);
|
||||
if ($resql)
|
||||
{
|
||||
@ -99,12 +97,6 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
|
||||
}
|
||||
}
|
||||
|
||||
if ($passok && ! empty($obj->entity) && (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode)))
|
||||
{
|
||||
$ret=$mc->checkRight($obj->rowid, $entitytotest); // The module multicompany check here user belong to at least one group into company. This is a bugged behaviour, so you must hack module to make thing working.
|
||||
if ($ret < 0) $passok=false;
|
||||
}
|
||||
|
||||
// Password ok ?
|
||||
if ($passok)
|
||||
{
|
||||
@ -112,12 +104,24 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
|
||||
}
|
||||
else
|
||||
{
|
||||
dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko bad password pour '".$usertotest."'");
|
||||
dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko bad password for '".$usertotest."'");
|
||||
sleep(1);
|
||||
$langs->load('main');
|
||||
$langs->load('errors');
|
||||
$_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
|
||||
}
|
||||
|
||||
if ($passok && ! empty($conf->multicompany->enabled)) // We must check entity
|
||||
{
|
||||
global $mc;
|
||||
|
||||
$ret=$mc->checkRight($obj->rowid, $entitytotest);
|
||||
if ($ret < 0)
|
||||
{
|
||||
dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko entity '".$entitytotest."' not allowed for user '".$obj->rowid."'");
|
||||
$login=''; // force authentication failure
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@ -34,7 +34,8 @@
|
||||
*/
|
||||
function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
|
||||
{
|
||||
global $_POST,$db,$conf,$langs;
|
||||
global $db,$conf,$langs;
|
||||
global $_POST;
|
||||
global $dolibarr_main_auth_ldap_host,$dolibarr_main_auth_ldap_port;
|
||||
global $dolibarr_main_auth_ldap_version,$dolibarr_main_auth_ldap_servertype;
|
||||
global $dolibarr_main_auth_ldap_login_attribute,$dolibarr_main_auth_ldap_dn;
|
||||
@ -42,6 +43,13 @@ function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
|
||||
global $dolibarr_main_auth_ldap_filter;
|
||||
global $dolibarr_main_auth_ldap_debug;
|
||||
|
||||
// Force master entity in transversal mode
|
||||
$entity=$entitytotest;
|
||||
if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode)) $entity=1;
|
||||
|
||||
$login='';
|
||||
$resultFetchUser='';
|
||||
|
||||
if (! function_exists("ldap_connect"))
|
||||
{
|
||||
dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP. LDAP functions are disabled on this PHP");
|
||||
@ -52,11 +60,10 @@ function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
|
||||
return;
|
||||
}
|
||||
|
||||
$login='';
|
||||
$resultFetchUser='';
|
||||
|
||||
if (!empty($_POST["username"]) || $usertotest)
|
||||
if ($usertotest)
|
||||
{
|
||||
dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest." passwordtotest=".preg_replace('/./','*',$passwordtotest)." entitytotest=".$entitytotest);
|
||||
|
||||
// If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
|
||||
$ldaphost=$dolibarr_main_auth_ldap_host;
|
||||
$ldapport=$dolibarr_main_auth_ldap_port;
|
||||
@ -80,7 +87,6 @@ function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
|
||||
$ldap->searchUser=$ldapadminlogin;
|
||||
$ldap->searchPassword=$ldapadminpass;
|
||||
|
||||
dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest);
|
||||
if ($ldapdebug)
|
||||
{
|
||||
dol_syslog("functions_ldap::check_user_password_ldap Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType);
|
||||
@ -146,52 +152,56 @@ function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
|
||||
$login=$usertotest;
|
||||
|
||||
// ldap2dolibarr synchronisation
|
||||
if ($login && ! empty($conf->ldap->enabled) && $conf->global->LDAP_SYNCHRO_ACTIVE == 'ldap2dolibarr')
|
||||
if ($login && ! empty($conf->ldap->enabled) && $conf->global->LDAP_SYNCHRO_ACTIVE == 'ldap2dolibarr') // ldap2dolibarr synchronisation
|
||||
{
|
||||
dol_syslog("functions_ldap::check_user_password_ldap Sync ldap2dolibarr");
|
||||
dol_syslog("functions_ldap::check_user_password_ldap Sync ldap2dolibarr");
|
||||
|
||||
// On charge les attributs du user ldap
|
||||
if ($ldapdebug) print "DEBUG: login ldap = ".$login."<br>\n";
|
||||
$resultFetchLdapUser = $ldap->fetch($login,$userSearchFilter);
|
||||
// On charge les attributs du user ldap
|
||||
if ($ldapdebug) print "DEBUG: login ldap = ".$login."<br>\n";
|
||||
$resultFetchLdapUser = $ldap->fetch($login,$userSearchFilter);
|
||||
|
||||
if ($ldapdebug) print "DEBUG: UACF = ".join(',',$ldap->uacf)."<br>\n";
|
||||
if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset,'day')."<br>\n";
|
||||
if ($ldapdebug) print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime,'day')."<br>\n";
|
||||
if ($ldapdebug) print "DEBUG: UACF = ".join(',',$ldap->uacf)."<br>\n";
|
||||
if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset,'day')."<br>\n";
|
||||
if ($ldapdebug) print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime,'day')."<br>\n";
|
||||
|
||||
// On recherche le user dolibarr en fonction de son SID ldap
|
||||
$sid = $ldap->getObjectSid($login);
|
||||
if ($ldapdebug) print "DEBUG: sid = ".$sid."<br>\n";
|
||||
// On recherche le user dolibarr en fonction de son SID ldap
|
||||
$sid = $ldap->getObjectSid($login);
|
||||
if ($ldapdebug) print "DEBUG: sid = ".$sid."<br>\n";
|
||||
|
||||
$user=new User($db);
|
||||
$resultFetchUser=$user->fetch('',$login,$sid);
|
||||
if ($resultFetchUser > 0)
|
||||
{
|
||||
dol_syslog("functions_ldap::check_user_password_ldap Sync user found id=".$user->id);
|
||||
// On verifie si le login a change et on met a jour les attributs dolibarr
|
||||
|
||||
if ($conf->multicompany->enabled)
|
||||
$usertmp=new User($db);
|
||||
$resultFetchUser=$usertmp->fetch('',$login,$sid);
|
||||
if ($resultFetchUser > 0)
|
||||
{
|
||||
global $mc;
|
||||
dol_syslog("functions_ldap::check_user_password_ldap Sync user found user id=".$usertmp->id);
|
||||
// On verifie si le login a change et on met a jour les attributs dolibarr
|
||||
|
||||
$ret=$mc->checkRight($user->id, $entitytotest, $user); // The module multicompany check here user belong to at least one group into company. This is a bugged behaviour, so you must hack module to make thing working.
|
||||
if ($ret < 0)
|
||||
if ($usertmp->login != $ldap->login && $ldap->login)
|
||||
{
|
||||
dol_syslog("Failed to checkRight by module multicompany for user id = ".$user->id." into entity ".$entitytotest);
|
||||
$login=false; // force error of authentication
|
||||
$usertmp->login = $ldap->login;
|
||||
$usertmp->update($usertmp);
|
||||
// TODO Que faire si update echoue car on update avec un login deja existant.
|
||||
}
|
||||
|
||||
//$resultUpdate = $usertmp->update_ldap2dolibarr($ldap);
|
||||
}
|
||||
|
||||
|
||||
if ($user->login != $ldap->login && $ldap->login)
|
||||
{
|
||||
$user->login = $ldap->login;
|
||||
$user->update($user);
|
||||
// TODO Que faire si update echoue car on update avec un login deja existant.
|
||||
}
|
||||
|
||||
//$resultUpdate = $user->update_ldap2dolibarr($ldap);
|
||||
}
|
||||
unset($usertmp);
|
||||
}
|
||||
|
||||
if (! empty($conf->multicompany->enabled)) // We must check entity (even if sync is not active)
|
||||
{
|
||||
global $mc;
|
||||
|
||||
$usertmp=new User($db);
|
||||
$usertmp->fetch('',$login);
|
||||
$ret=$mc->checkRight($usertmp->id, $entitytotest);
|
||||
if ($ret < 0)
|
||||
{
|
||||
dol_syslog("functions_ldap::check_user_password_ldap Authentification ko entity '".$entitytotest."' not allowed for user '".$usertmp->id."'");
|
||||
$login=''; // force authentication failure
|
||||
}
|
||||
unset($usertmp);
|
||||
}
|
||||
|
||||
}
|
||||
if ($result == 1)
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user