updated plugin AuthLDAP version 2.5.2

wp-content/plugins/authldap/authLdap.php

@@ -3,7 +3,7 @@
 Plugin Name: AuthLDAP
 Plugin URI: https://github.com/heiglandreas/authLdap
 Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
-Version: 2.4.10
+Version: 2.5.2
 Author: Andreas Heigl <andreas@heigl.org>
 Author URI: http://andreas.heigl.org
 License: MIT
@@ -82,6 +82,7 @@ function authLdap_options_panel()
             'GroupEnable'   => authLdap_get_post('authLDAPGroupEnable', false),
             'GroupOverUser' => authLdap_get_post('authLDAPGroupOverUser', false),
             'DoNotOverwriteNonLdapUsers' => authLdap_get_post('authLDAPDoNotOverwriteNonLdapUsers', false),
+			'UserRead' => authLdap_get_post('authLDAPUseUserAccount', false),
         );
         if (authLdap_set_options($new_options)) {
             echo "<div class='updated'><p>Saved Options!</p></div>";
@@ -112,6 +113,7 @@ function authLdap_options_panel()
     $authLDAPGroupEnable   = authLdap_get_option('GroupEnable');
     $authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
     $authLDAPDoNotOverwriteNonLdapUsers = authLdap_get_option('DoNotOverwriteNonLdapUsers');
+	$authLDAPUseUserAccount= authLdap_get_option('UserRead');
 
     $tChecked              = ($authLDAP)               ? ' checked="checked"' : '';
     $tDebugChecked         = ($authLDAPDebug)          ? ' checked="checked"' : '';
@@ -120,6 +122,7 @@ function authLdap_options_panel()
     $tGroupOverUserChecked = ($authLDAPGroupOverUser)  ? ' checked="checked"' : '';
     $tStartTLSChecked      = ($authLDAPStartTLS)       ? ' checked="checked"' : '';
     $tDoNotOverwriteNonLdapUsers = ($authLDAPDoNotOverwriteNonLdapUsers)       ? ' checked="checked"' : '';
+	$tUserRead             = ($authLDAPUseUserAccount) ? ' checked="checked"' : '';
 
     $roles = new WP_Roles();
 
@@ -233,6 +236,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
         $authLDAPDefaultRole    = authLdap_get_option('DefaultRole');
         $authLDAPGroupEnable    = authLdap_get_option('GroupEnable');
         $authLDAPGroupOverUser  = authLdap_get_option('GroupOverUser');
+		$authLDAPUseUserAccount = authLdap_get_option('UserRead');
 
         if (! $username) {
             authLdap_debug('Username not supplied: return false');
@@ -281,10 +285,13 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
             return false;
         }
 
-        // Rebind with the default credentials after the user has been loged in
-        // Otherwise the credentials of the user trying to login will be used
-        // This fixes #55
-        authLdap_get_server()->bind();
+		// Make optional querying from the admin account #213
+        if (! authLdap_get_option('UserRead')) {
+			// Rebind with the default credentials after the user has been loged in
+			// Otherwise the credentials of the user trying to login will be used
+			// This fixes #55
+			authLdap_get_server()->bind();
+		}
 
         if (true !== $result) {
             authLdap_debug('LDAP authentication failed');
@@ -293,7 +300,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
             return;
         }
 
-        authLdap_debug('LDAP authentication successfull');
+        authLdap_debug('LDAP authentication successful');
         $attributes = array_values(
             array_filter(
                 apply_filters(
@@ -440,6 +447,13 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
             $userid = wp_insert_user($user_info);
         }
 
+        // if the user exists, wp_insert_user will update the existing user record
+        if (is_wp_error($userid)) {
+            authLdap_debug('Error creating user : ' . $userid->get_error_message());
+            trigger_error('Error creating user: ' . $userid->get_error_message());
+            return $userid;
+        }
+
         /**
          * Add hook for custom updates
          *
@@ -448,13 +462,6 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
          */
         do_action('authLdap_login_successful', $userid, $attribs[0]);
 
-        // if the user exists, wp_insert_user will update the existing user record
-        if (is_wp_error($userid)) {
-            authLdap_debug('Error creating user : ' . $userid->get_error_message());
-            trigger_error('Error creating user: ' . $userid->get_error_message());
-            return $userid;
-        }
-
         authLdap_debug('user id = ' . $userid);
 
         // flag the user as an ldap user so we can hide the password fields in the user profile
@@ -505,23 +512,25 @@ function authLdap_get_uid($username)
  */
 function authLdap_user_role($uid)
 {
-    global $wpdb;
+    global $wpdb, $wp_roles;
 
     if (!$uid) {
         return '';
     }
 
-    $meta_value = $wpdb->get_var(
-        "SELECT meta_value FROM {$wpdb->usermeta} WHERE meta_key = '{$wpdb->prefix}capabilities' AND user_id = {$uid}"
-    );
-
-    if (!$meta_value) {
+    /** @var array<string, bool> $usercapabilities */
+    $usercapabilities = get_user_meta( $uid, "{$wpdb->prefix}capabilities", true);
+    if ( ! is_array( $usercapabilities ) ) {
         return '';
     }
 
-    $capabilities = unserialize($meta_value);
-    $roles = is_array($capabilities) ? array_keys($capabilities) : array('');
-    $role = $roles[0];
+    /** @var array<string, array{name: string, capabilities: array<mixed>} $editable_roles */
+    $editable_roles = $wp_roles->roles;
+
+    // By using this approach we are now using the order of the roles from the WP_Roles object
+    // and not from the capabilities any more.
+    $userroles = array_keys(array_intersect_key($editable_roles, $usercapabilities));
+    $role = $userroles[0];
 
     authLdap_debug("Existing user's role: {$role}");
     return $role;

wp-content/plugins/authldap/ldap.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * $Id: ldap.php 2450394 2021-01-05 07:38:43Z heiglandreas $
+ * $Id: ldap.php 2676679 2022-02-10 18:26:37Z heiglandreas $
  *
  * authLdap - Authenticate Wordpress against an LDAP-Backend.
  * Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
@@ -46,7 +46,7 @@ class LDAP
     /**
      * This property contains the connection handle to the ldap-server
      *
-     * @var Ressource
+     * @var Ressource|Connection|null
      */
     private $ch = null;
 
@@ -117,7 +117,8 @@ class LDAP
         }
 
         $this->ch = @ldap_connect($this->scheme . '://' . $this->server . ':' . $this -> port);
-        if (! $this->ch) {
+        if (false === $this->ch) {
+            $this->ch = null;
             throw new Error('Could not connect to the server');
         }
         ldap_set_option($this->ch, LDAP_OPT_PROTOCOL_VERSION, 3);
@@ -136,7 +137,7 @@ class LDAP
      */
     public function disconnect()
     {
-        if (is_resource($this->ch)) {
+        if (null !== $this->ch ) {
             @ldap_unbind($this->ch);
         }
         $this->ch = null;
@@ -154,8 +155,8 @@ class LDAP
         if (! $this->ch) {
             $this->connect();
         }
-        if (! is_resource($this->ch)) {
-            throw new Error('No Resource-handle given');
+        if (null === $this->ch) {
+            throw new Error('No valid LDAP connection available');
         }
         $bind = false;
         if (( ( $this->username )
@@ -195,7 +196,7 @@ class LDAP
      */
     public function search($filter, $attributes = array('uid'), $base = '')
     {
-        if (! is_Resource($this->ch)) {
+        if (null === $this->ch) {
             throw new Error('No resource handle avbailable');
         }
         if (! $base) {

wp-content/plugins/authldap/readme.txt

@@ -2,7 +2,7 @@
 Contributors: heiglandreas
 Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory
 Requires at least: 2.5.0
-Tested up to: 5.6.0
+Tested up to: 5.9.0
 Requires PHP: 7.2
 Stable tag: trunk
 License: MIT
@@ -41,6 +41,12 @@ Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues
 
 == Changelog ==
 
+= 2.5.0 =
+* Ignore the order of capabilities to tell the role. In addition the filter `editable_roles` can be used to limit the roles
+
+= 2.4.11 =
+* Fix issue with running on PHP8.1
+
 = 2.4.9 =
 * Improve group-assignement UI
 

wp-content/plugins/authldap/src/LdapList.php

@@ -42,6 +42,7 @@ class LdapList
 
     public function authenticate($username, $password, $filter = '(uid=%s)')
     {
+        /** @var LDAP $item */
         foreach ($this->items as $key => $item) {
             if (! $item->authenticate($username, $password, $filter)) {
                 unset($this->items[$key]);

wp-content/plugins/authldap/view/admin.phtml

@@ -185,6 +185,18 @@
         <fieldset class="options">
             <table class="form-table">
                 <tr>
+                    <th scope="row">
+                        <label for="authLDAPUseUserAccount">User-Read</label>
+                    </th>
+                    <td>
+                        <input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo $tUserRead; ?>/><br />
+                        <p class="description">
+                            If checked the plugin will use the user's account to query their own information. If not it will use the admin account.
+                        </p>
+						
+                    </td>
+                </tr>
+				<tr>
                     <th scope="row">
                         <label for="authLDAPNameAttr">Name-Attribute</label>
                     </th>