From 350836f064114290681d88fd79ce7ce36b4ed814 Mon Sep 17 00:00:00 2001 From: Lai Power Date: Mon, 21 Mar 2022 13:34:57 +0000 Subject: [PATCH] updated plugin `AuthLDAP` version 2.5.2 --- wp-content/plugins/authldap/authLdap.php | 53 ++++++++++++-------- wp-content/plugins/authldap/ldap.php | 15 +++--- wp-content/plugins/authldap/readme.txt | 8 ++- wp-content/plugins/authldap/src/LdapList.php | 1 + wp-content/plugins/authldap/view/admin.phtml | 12 +++++ 5 files changed, 59 insertions(+), 30 deletions(-) diff --git a/wp-content/plugins/authldap/authLdap.php b/wp-content/plugins/authldap/authLdap.php index a71c0091..4e09bce8 100644 --- a/wp-content/plugins/authldap/authLdap.php +++ b/wp-content/plugins/authldap/authLdap.php @@ -3,7 +3,7 @@ Plugin Name: AuthLDAP Plugin URI: https://github.com/heiglandreas/authLdap Description: This plugin allows you to use your existing LDAP as authentication base for WordPress -Version: 2.4.10 +Version: 2.5.2 Author: Andreas Heigl Author URI: http://andreas.heigl.org License: MIT @@ -82,6 +82,7 @@ function authLdap_options_panel() 'GroupEnable' => authLdap_get_post('authLDAPGroupEnable', false), 'GroupOverUser' => authLdap_get_post('authLDAPGroupOverUser', false), 'DoNotOverwriteNonLdapUsers' => authLdap_get_post('authLDAPDoNotOverwriteNonLdapUsers', false), + 'UserRead' => authLdap_get_post('authLDAPUseUserAccount', false), ); if (authLdap_set_options($new_options)) { echo "

Saved Options!

"; @@ -112,6 +113,7 @@ function authLdap_options_panel() $authLDAPGroupEnable = authLdap_get_option('GroupEnable'); $authLDAPGroupOverUser = authLdap_get_option('GroupOverUser'); $authLDAPDoNotOverwriteNonLdapUsers = authLdap_get_option('DoNotOverwriteNonLdapUsers'); + $authLDAPUseUserAccount= authLdap_get_option('UserRead'); $tChecked = ($authLDAP) ? ' checked="checked"' : ''; $tDebugChecked = ($authLDAPDebug) ? ' checked="checked"' : ''; @@ -120,6 +122,7 @@ function authLdap_options_panel() $tGroupOverUserChecked = ($authLDAPGroupOverUser) ? ' checked="checked"' : ''; $tStartTLSChecked = ($authLDAPStartTLS) ? ' checked="checked"' : ''; $tDoNotOverwriteNonLdapUsers = ($authLDAPDoNotOverwriteNonLdapUsers) ? ' checked="checked"' : ''; + $tUserRead = ($authLDAPUseUserAccount) ? ' checked="checked"' : ''; $roles = new WP_Roles(); @@ -233,6 +236,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false) $authLDAPDefaultRole = authLdap_get_option('DefaultRole'); $authLDAPGroupEnable = authLdap_get_option('GroupEnable'); $authLDAPGroupOverUser = authLdap_get_option('GroupOverUser'); + $authLDAPUseUserAccount = authLdap_get_option('UserRead'); if (! $username) { authLdap_debug('Username not supplied: return false'); @@ -281,10 +285,13 @@ function authLdap_login($user, $username, $password, $already_md5 = false) return false; } - // Rebind with the default credentials after the user has been loged in - // Otherwise the credentials of the user trying to login will be used - // This fixes #55 - authLdap_get_server()->bind(); + // Make optional querying from the admin account #213 + if (! authLdap_get_option('UserRead')) { + // Rebind with the default credentials after the user has been loged in + // Otherwise the credentials of the user trying to login will be used + // This fixes #55 + authLdap_get_server()->bind(); + } if (true !== $result) { authLdap_debug('LDAP authentication failed'); 
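Review bot: The new condition re-reads the option with `authLdap_get_option('UserRead')` although the hunk at @@ -233 already loads it into `$authLDAPUseUserAccount` a few lines earlier in the same function; use the local, `if (! $authLDAPUseUserAccount) {`, so the two cannot diverge. The comment should also state the consequence of the option: when it is set, the connection stays bound with the credentials the user just supplied for the rest of the request, so whatever `authLdap_get_server()` is later used for in this function runs with that user's LDAP read rights rather than the configured bind account — presumably the attribute and group lookups, which lie outside this hunk. Something like `// UserRead: keep the user's own bind; later lookups then run with the user's LDAP rights, not the configured account (#213)` above the `if` makes that visible to the next reader, and `loged` should be `logged`. authLdap_login continues past both ends of the hunk.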
@@ -293,7 +300,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false) return; } - authLdap_debug('LDAP authentication successfull'); + authLdap_debug('LDAP authentication successful'); $attributes = array_values( array_filter( apply_filters( @@ -440,6 +447,13 @@ function authLdap_login($user, $username, $password, $already_md5 = false) $userid = wp_insert_user($user_info); } + // if the user exists, wp_insert_user will update the existing user record + if (is_wp_error($userid)) { + authLdap_debug('Error creating user : ' . $userid->get_error_message()); + trigger_error('Error creating user: ' . $userid->get_error_message()); + return $userid; + } + /** * Add hook for custom updates * @@ -448,13 +462,6 @@ function authLdap_login($user, $username, $password, $already_md5 = false) */ do_action('authLdap_login_successful', $userid, $attribs[0]); - // if the user exists, wp_insert_user will update the existing user record - if (is_wp_error($userid)) { - authLdap_debug('Error creating user : ' . $userid->get_error_message()); - trigger_error('Error creating user: ' . $userid->get_error_message()); - return $userid; - } - authLdap_debug('user id = ' . $userid); // flag the user as an ldap user so we can hide the password fields in the user profile 
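Review bot: The comment `// if the user exists, wp_insert_user will update the existing user record` travelled with the `is_wp_error()` block but describes the `wp_insert_user()` call above it, not the error check it now precedes; move it back next to `$userid = wp_insert_user($user_info);` and give the check its own reason, e.g. `// Bail out before the authLdap_login_successful hook fires: a failed insert/update must not be announced as a login`. Hoisting the check ahead of `do_action('authLdap_login_successful', …)` (hunk @@ -448) is the substantive part, since the hook previously received a WP_Error as `$userid`. authLdap_login continues past both ends of the hunk.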
@@ -505,23 +512,25 @@ function authLdap_get_uid($username) */ function authLdap_user_role($uid) { - global $wpdb; + global $wpdb, $wp_roles; if (!$uid) { return ''; } - $meta_value = $wpdb->get_var( - "SELECT meta_value FROM {$wpdb->usermeta} WHERE meta_key = '{$wpdb->prefix}capabilities' AND user_id = {$uid}" - ); - - if (!$meta_value) { + /** @var array $usercapabilities */ + $usercapabilities = get_user_meta( $uid, "{$wpdb->prefix}capabilities", true); + if ( ! is_array( $usercapabilities ) ) { return ''; } - $capabilities = unserialize($meta_value); - $roles = is_array($capabilities) ? array_keys($capabilities) : array(''); - $role = $roles[0]; + /** @var array} $editable_roles */ + $editable_roles = $wp_roles->roles; + + // By using this approach we are now using the order of the roles from the WP_Roles object + // and not from the capabilities any more. + $userroles = array_keys(array_intersect_key($editable_roles, $usercapabilities)); + $role = $userroles[0]; authLdap_debug("Existing user's role: {$role}"); return $role; diff --git a/wp-content/plugins/authldap/ldap.php b/wp-content/plugins/authldap/ldap.php index bd753d70..68930179 100644 --- a/wp-content/plugins/authldap/ldap.php +++ b/wp-content/plugins/authldap/ldap.php @@ -1,6 +1,6 @@ @@ -46,7 +46,7 @@ class LDAP /** * This property contains the connection handle to the ldap-server * - * @var Ressource + * @var Ressource|Connection|null */ private $ch = null; @@ -117,7 +117,8 @@ class LDAP } $this->ch = @ldap_connect($this->scheme . '://' . $this->server . ':' . $this -> port); - if (! $this->ch) { + if (false === $this->ch) { + $this->ch = null; throw new Error('Could not connect to the server'); } ldap_set_option($this->ch, LDAP_OPT_PROTOCOL_VERSION, 3); @@ -136,7 +137,7 @@ class LDAP */ public function disconnect() { - if (is_resource($this->ch)) { + if (null !== $this->ch ) { @ldap_unbind($this->ch); } $this->ch = null; 
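Review bot: `$role = $userroles[0];` reads index 0 without checking that the intersection is non-empty; a user whose capability keys match none of `$wp_roles->roles` (a removed or custom role, or a meta entry holding only bare capabilities) now produces an undefined-array-key warning and a `null` role in the debug string and the return value, whereas the old code only hit that edge for an empty capabilities array. Guard it like the branch above, `if ([] === $userroles) { return ''; }` before the assignment, or write `$role = $userroles[0] ?? '';`. The docblock `/** @var array} $editable_roles */` has a stray `}`, and the variable is named `$editable_roles` although it reads the unfiltered `$wp_roles->roles`; if the readme's claim that the `editable_roles` filter limits the roles is the intent, that filter is applied by `get_editable_roles()` rather than here — worth confirming. Replacing the raw SQL string with `{$uid}` interpolated and the `unserialize()` of the meta value by `get_user_meta()` removes two real footguns. The function's closing brace lies past the end of the hunk.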
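Review bot: The widened `@var Ressource|Connection|null` keeps the misspelt `Ressource` (PHPDoc's type is `resource`), so static analysis still sees an unknown class; `@var resource|\LDAP\Connection|null` is what is meant and avoids depending on an import. `Connection` only resolves to `LDAP\Connection` if the `@@ -1,6 +1,6 @@` hunk imports it — that hunk's body is not visible in this rendering, so I cannot confirm it does.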
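Review bot: The new `false === $this->ch` / `$this->ch = null` branch only catches a URI that `ldap_connect()` refuses to parse; given a URI argument that function does not open a socket, so an unreachable or mistyped host still passes here and fails later at `ldap_bind()`, and the `@` in front of the call on the context line hides the only diagnostic PHP would emit. A comment on the check, `// ldap_connect() only validates the URI; connection and TLS errors surface at bind()`, keeps the next maintainer from reading this as a connectivity test. connect()'s body continues outside the hunk on both sides.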
@@ -154,8 +155,8 @@ class LDAP if (! $this->ch) { $this->connect(); } - if (! is_resource($this->ch)) { - throw new Error('No Resource-handle given'); + if (null === $this->ch) { + throw new Error('No valid LDAP connection available'); } $bind = false; if (( ( $this->username ) @@ -195,7 +196,7 @@ class LDAP */ public function search($filter, $attributes = array('uid'), $base = '') { - if (! is_Resource($this->ch)) { + if (null === $this->ch) { throw new Error('No resource handle avbailable'); } if (! $base) { diff --git a/wp-content/plugins/authldap/readme.txt b/wp-content/plugins/authldap/readme.txt index 1b7ebeee..e04dca51 100644 --- a/wp-content/plugins/authldap/readme.txt +++ b/wp-content/plugins/authldap/readme.txt @@ -2,7 +2,7 @@ Contributors: heiglandreas Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory Requires at least: 2.5.0 -Tested up to: 5.6.0 +Tested up to: 5.9.0 Requires PHP: 7.2 Stable tag: trunk License: MIT @@ -41,6 +41,12 @@ Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues == Changelog == += 2.5.0 = +* Ignore the order of capabilities to tell the role. In addition the filter `editable_roles` can be used to limit the roles + += 2.4.11 = +* Fix issue with running on PHP8.1 + = 2.4.9 = * Improve group-assignement UI diff --git a/wp-content/plugins/authldap/src/LdapList.php b/wp-content/plugins/authldap/src/LdapList.php index 5e77d00c..9e699bdd 100644 --- a/wp-content/plugins/authldap/src/LdapList.php +++ b/wp-content/plugins/authldap/src/LdapList.php @@ -42,6 +42,7 @@ class LdapList public function authenticate($username, $password, $filter = '(uid=%s)') { + /** @var LDAP $item */ foreach ($this->items as $key => $item) { if (! $item->authenticate($username, $password, $filter)) { unset($this->items[$key]); diff --git a/wp-content/plugins/authldap/view/admin.phtml b/wp-content/plugins/authldap/view/admin.phtml index cc483406..978bcf5a 100644 
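Review bot: The condition now tests `null === $this->ch`, but the exception on the following unchanged line still reads `'No resource handle avbailable'` — a misspelt message that refers to the resource type this commit moves away from. Align it with the bind() hunk just above: `throw new Error('No valid LDAP connection available');`. search() continues past the end of the hunk.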
--- a/wp-content/plugins/authldap/view/admin.phtml +++ b/wp-content/plugins/authldap/view/admin.phtml @@ -185,6 +185,18 @@
+ + + +
+ + + />
+

+ If checked the plugin will use the user's account to query their own information. If not it will use the admin account. +

+ +