From 8e73be0b937c526943b587419858cb200d20776a Mon Sep 17 00:00:00 2001
From: nicrausaz <n.crausaz99@gmail.com>
Date: Thu, 27 Jun 2019 15:14:10 +0200
Subject: [PATCH] =?UTF-8?q?Validation=20du=20groupe=20d'acc=C3=A8s?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../API/app/Http/Controllers/AuthController.php  | 12 ++++++------
 canapGEST/API/app/Providers/TequilaClient.php    | 16 ++++++++++------
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/canapGEST/API/app/Http/Controllers/AuthController.php b/canapGEST/API/app/Http/Controllers/AuthController.php
index b54913f..a0250c9 100644
--- a/canapGEST/API/app/Http/Controllers/AuthController.php
+++ b/canapGEST/API/app/Http/Controllers/AuthController.php
@@ -40,7 +40,6 @@ class AuthController extends Controller
 
   public function login()
   {
-    // TODO: Limit group access to canap-gest-users
 
     $oClient = new TequilaClient("https://tequila.epfl.ch/cgi-bin/tequila/");
     $oClient->setParam(
@@ -48,19 +47,20 @@ class AuthController extends Controller
         'urlacces'  => url("/api/auth/tequilareturn"),
         'service'   => "Canap-Gest",
         'language'  => "francais",
-        'usecookie' => "on",
-        // 'allows'    => "group=formateurs-epfl",
+        'usecookie' => "off"
       )
     );
     $oClient->setRequested(
       array(
         'request' => "name,firstname,uniqueid,group",
-        //~ 'require'   => "role-respaccred",
+        'require'    => "group=canap-gest-users"
       )
     );
 
+
     if (!empty($_GET['key'])) {
       $attributs = $oClient->checkUser($_GET['key']);
+
       if (!$attributs) {
         exit("Unknown tequila error");
       }
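Review bot: The `'usecookie'` value flips from `"on"` to `"off"` in the `setParam` array without any explanation, and the commit subject only mentions group validation. This setting presumably controls whether Tequila reuses its session cookie, so a changed login behaviour deserves a why-comment next to it, for example `// usecookie off: always re-authenticate against Tequila (confirm intent)`. The new `'require' => "group=canap-gest-users"` entry would also benefit from a comment saying that `TequilaClient::checkUser` enforces it locally, since the removed TODO was the only hint that this array carries the access restriction. `login()` continues past the end of this hunk.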
@@ -74,8 +74,8 @@ class AuthController extends Controller
 
   public function tequilareturn()
   {
-    // return redirect()->to("https://canap-gest-dev.local:8080/#/?key=" . $_GET["key"]);
-    return redirect()->to("https://canap-gest.epfl.ch/#/?key=" . $_GET["key"]);
+    return redirect()->to("https://canap-gest-dev.local:8080/#/?key=" . $_GET["key"]);
+    // return redirect()->to("https://canap-gest.epfl.ch/#/?key=" . $_GET["key"]); // PROD
   }
 
   public function logout()
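Review bot: In `tequilareturn()` the active redirect now points at the development host `canap-gest-dev.local:8080`, with the production URL left commented out. Deploying this commit as-is would send authenticated users and their Tequila key to a dev-only address. The front-end base URL should come from configuration rather than from swapping comments, and `$_GET["key"]` should be encoded and defaulted before it is concatenated, e.g. `return redirect()->to(env('FRONTEND_URL') . "/#/?key=" . rawurlencode($_GET["key"] ?? ''));`, where `FRONTEND_URL` is a placeholder name for whatever setting the project defines.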
diff --git a/canapGEST/API/app/Providers/TequilaClient.php b/canapGEST/API/app/Providers/TequilaClient.php
index 950c7d9..c14eb24 100644
--- a/canapGEST/API/app/Providers/TequilaClient.php
+++ b/canapGEST/API/app/Providers/TequilaClient.php
@@ -145,7 +145,7 @@ class TequilaClient {
 		// }
 		return $url;
     }
-    
+
     /**
      * Sends an authentication request to Tequila.
      */
@@ -165,18 +165,22 @@ class TequilaClient {
         if (!$response) {
             return false;
         }
-		
+
         $attributes = $this->parseAttributes($response);
-		
-		// Check required
+        // Check required
 		foreach ($this->requested as $requestedAttributes) {
 			foreach (explode(",", $requestedAttributes) as $requestedAttribute) {
-				if (!array_key_exists($requestedAttribute, $attributes)) {
+                if (strpos($requestedAttribute, 'group=') !== false) {
+                    $requested_group = str_replace('group=', '', $requestedAttribute);
+                    $user_groups = explode(',', $attributes['group']);
+                    if (!in_array($requested_group, $user_groups)) {
+                        exit("Pas d'accès");
+                    }
+                } else if (!array_key_exists($requestedAttribute, $attributes)) {
 					exit("Tequila error: missing attribute $requestedAttribute");
 				}
 			}
 		}
-		
         return $attributes;
     }
 
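Review bot: The added group branch matches too loosely for an authorization decision: `strpos(...) !== false` accepts `group=` anywhere in the entry, `str_replace` strips every occurrence, and `in_array` compares without strict mode. Anchor the prefix and compare strictly, e.g. `if (strpos($requestedAttribute, 'group=') === 0) {`, `$requested_group = substr($requestedAttribute, 6);` and `if (!in_array($requested_group, $user_groups, true)) {`. `$attributes['group']` is also read without checking that Tequila returned it; the result still appears to deny access, but an explicit `isset` check would make that fail-closed path deliberate rather than a side effect of a warning. The denial itself is `exit("Pas d'accès")`, which most likely goes out with a success status, so returning `false` or throwing and letting the controller answer 403 would make rejections visible to clients and logs. `checkUser` starts outside this hunk.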
-- 
GitLab