diff --git a/canapGEST/API/app/Http/Controllers/AuthController.php b/canapGEST/API/app/Http/Controllers/AuthController.php
index b54913f657a3610280f3f37cbb32e298b46247f6..a0250c9e115122a8d00fa8fe30e7ed425f370119 100644
--- a/canapGEST/API/app/Http/Controllers/AuthController.php
+++ b/canapGEST/API/app/Http/Controllers/AuthController.php
@@ -40,7 +40,6 @@ class AuthController extends Controller
 public function login()
 {
- // TODO: Limit group access to canap-gest-users
 $oClient = new TequilaClient("https://tequila.epfl.ch/cgi-bin/tequila/");
 $oClient->setParam(
@@ -48,19 +47,20 @@ class AuthController extends Controller
 'urlacces' => url("/api/auth/tequilareturn"),
 'service' => "Canap-Gest",
 'language' => "francais",
- 'usecookie' => "on",
- // 'allows' => "group=formateurs-epfl",
+ 'usecookie' => "off"
 )
 );
 $oClient->setRequested(
 array(
 'request' => "name,firstname,uniqueid,group",
- //~ 'require' => "role-respaccred",
+ 'require' => "group=canap-gest-users"
 )
 );
+
 if (!empty($_GET['key'])) {
 $attributs = $oClient->checkUser($_GET['key']);
+
 if (!$attributs) {
 exit("Unknown tequila error");
 }
@@ -74,8 +74,8 @@ class AuthController extends Controller
 public function tequilareturn()
 {
- // return redirect()->to("https://canap-gest-dev.local:8080/#/?key=" . $_GET["key"]);
- return redirect()->to("https://canap-gest.epfl.ch/#/?key=" . $_GET["key"]);
+ return redirect()->to("https://canap-gest-dev.local:8080/#/?key=" . $_GET["key"]);
+ // return redirect()->to("https://canap-gest.epfl.ch/#/?key=" . $_GET["key"]); // PROD
 }
 public function logout()
diff --git a/canapGEST/API/app/Providers/TequilaClient.php b/canapGEST/API/app/Providers/TequilaClient.php
index 950c7d9480a7904c3c62f3c5e724cf76700efcf1..c14eb244ab4e395fd5605a0bc06042f5c3872f81 100644
--- a/canapGEST/API/app/Providers/TequilaClient.php
+++ b/canapGEST/API/app/Providers/TequilaClient.php
@@ -145,7 +145,7 @@ class TequilaClient {
 // }
 return $url;
 }
- 
+
 /**
 * Sends an authentication request to Tequila.
 */
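Review bot: The group restriction added as `'require' => "group=canap-gest-users"` in setRequested is enforced only on the application side, inside checkUser's attribute loop, after Tequila has already issued a key for any authenticated user; the `'allows' => "group=formateurs-epfl"` entry the hunk removes from setParam was the server-side form of the same rule. If Tequila honours it (the removed comment suggests it does — confirm in the Tequila documentation), pass the constraint in setParam as well, e.g. `'allows' => "group=canap-gest-users",`, so non-members are refused before a key is handed back and the local check becomes defence in depth rather than the only gate. The key read from `$_GET['key']` is also forwarded to checkUser without any format check; a length/alphabet guard matching Tequila's key format would keep arbitrary input out of the round-trip. login()'s body continues outside the hunk.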
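Review bot: The active redirect in tequilareturn is now the dev host, with the production URL kept only as a `// PROD` comment, so where users and their Tequila keys are sent depends on which line someone last uncommented at deploy time. Assuming this is a Laravel app (as `redirect()` and `url()` suggest), read the front-end base from per-environment configuration instead: `return redirect()->to(config('app.frontend_url') . '/#/?key=' . rawurlencode($_GET['key'] ?? ''));`. The key is also concatenated raw and unchecked on the new line; `rawurlencode` with the null-coalesce avoids both an undefined-index notice when `key` is absent and key characters altering the fragment/query of the redirect.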
@@ -165,18 +165,22 @@ class TequilaClient {
 if (!$response) {
 return false;
 }
- 
+
 $attributes = $this->parseAttributes($response);
- 
- // Check required
+ // Check required
 foreach ($this->requested as $requestedAttributes) {
 foreach (explode(",", $requestedAttributes) as $requestedAttribute) {
- if (!array_key_exists($requestedAttribute, $attributes)) {
+ if (strpos($requestedAttribute, 'group=') !== false) {
+ $requested_group = str_replace('group=', '', $requestedAttribute);
+ $user_groups = explode(',', $attributes['group']);
+ if (!in_array($requested_group, $user_groups)) {
+ exit("Pas d'accès");
+ }
+ } else if (!array_key_exists($requestedAttribute, $attributes)) {
 exit("Tequila error: missing attribute $requestedAttribute");
 }
 }
 }
- 
 return $attributes;
 }
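Review bot: The new `if (strpos($requestedAttribute, 'group=') !== false)` matches `group=` anywhere in the token and `str_replace` then strips every occurrence, so the test should be anchored to the prefix and the group name taken as everything after it; `$attributes['group']` is also read with no guard and `in_array` is loose, so a response without the attribute emits a notice before the (correctly fail-closed) exit, and type-juggled matches are possible. The rewrite below uses `strncmp`/`substr` to stay portable across PHP versions (`str_starts_with` is the same check on 8.0+), defaults the attribute to an empty list so a missing group still denies, and compares strictly. The group attribute is assumed to be a plain comma-separated list as the added `explode` already presumes — confirm against Tequila's actual output before adding trimming or case-folding. checkUser's signature lies outside the hunk.
```php
if (strncmp($requestedAttribute, 'group=', 6) === 0) {
    $requested_group = substr($requestedAttribute, 6);
    $user_groups = explode(',', $attributes['group'] ?? '');
    if (!in_array($requested_group, $user_groups, true)) {
        exit("Pas d'accès");
    }
} else if (!array_key_exists($requestedAttribute, $attributes)) {
    // … unchanged: missing-attribute exit …
```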