From 65d26d4d83d4df3e87ff4fe8f73325ca4110f09b Mon Sep 17 00:00:00 2001
From: Lai Power <kawaiipunk@posteo.net>
Date: Thu, 27 Jun 2024 12:10:42 +0000
Subject: [PATCH] updated plugin `AuthLDAP` version 2.6.2

---
 wp-content/plugins/authldap/authLdap.php      | 14 +++----
 .../features/bootstrap/FeatureContext.php     | 21 +++++++++-
 .../log in using no groups at all.feature     | 21 ++++++++++
 wp-content/plugins/authldap/readme.txt        |  5 ++-
 .../authldap/src/Exception/UnknownOption.php  |  4 +-
 .../plugins/authldap/src/OptionFactory.php    |  4 +-
 wp-content/plugins/authldap/src/Options.php   |  5 ++-
 .../plugins/authldap/src/UserRoleHandler.php  |  2 +-
 wp-content/plugins/authldap/view/admin.phtml  | 39 ++++++++++---------
 .../plugins/authldap/wordpress/info.php       |  1 +
 10 files changed, 81 insertions(+), 35 deletions(-)
 create mode 100644 wp-content/plugins/authldap/wordpress/info.php

diff --git a/wp-content/plugins/authldap/authLdap.php b/wp-content/plugins/authldap/authLdap.php
index cbe009d3..c0c54f5d 100644
--- a/wp-content/plugins/authldap/authLdap.php
+++ b/wp-content/plugins/authldap/authLdap.php
@@ -4,7 +4,7 @@
 Plugin Name: AuthLDAP
 Plugin URI: https://github.com/heiglandreas/authLdap
 Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
-Version: 2.6.0
+Version: 2.6.2
 Author: Andreas Heigl <andreas@heigl.org>
 Author URI: http://andreas.heigl.org
 License: MIT
@@ -77,7 +77,7 @@ function authLdap_options_panel()
 		if (!isset($_POST['authLdapNonce'])) {
 			die("Go away!");
 		}
-		if (!wp_verify_nonce($_POST['authLdapNonce'],'authLdapNonce')) {
+		if (!wp_verify_nonce($_POST['authLdapNonce'], 'authLdapNonce')) {
 			die("Go away!");
 		}
 
@@ -255,8 +255,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 		$authLDAPUidAttr = authLdap_get_option('UidAttr');
 		$authLDAPWebAttr = authLdap_get_option('WebAttr');
 		$authLDAPDefaultRole = authLdap_get_option('DefaultRole');
-		$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
-		$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
+		$authLDAPGroupEnable = filter_var(authLdap_get_option('GroupEnable'), FILTER_VALIDATE_BOOLEAN);
+		$authLDAPGroupOverUser = filter_var(authLdap_get_option('GroupOverUser'), FILTER_VALIDATE_BOOLEAN);
 		$authLDAPUseUserAccount = authLdap_get_option('UserRead');
 
 		if (!$username) {
@@ -373,7 +373,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 
 		// we only need this if either LDAP groups are disabled or
 		// if the WordPress role of the user overrides LDAP groups
-		if (!$authLDAPGroupEnable || $authLDAPGroupOverUser) {
+		if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false) {
 			$userRoles = authLdap_user_role($uid);
 			if ($userRoles !== []) {
 				$roles = array_merge($roles, $userRoles);
@@ -383,8 +383,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 		}
 
 		// do LDAP group mapping if needed
-		// (if LDAP groups override worpress user role, $role is still empty)
-		if (empty($roles) && $authLDAPGroupEnable) {
+		// (if LDAP groups override wordpress user role, $role is still empty)
+		if ((empty($roles) || $authLDAPGroupOverUser === true) && $authLDAPGroupEnable === true) {
 			$mappedRoles = authLdap_groupmap($realuid, $dn);
 			if ($mappedRoles !== []) {
 				$roles = $mappedRoles;
diff --git a/wp-content/plugins/authldap/features/bootstrap/FeatureContext.php b/wp-content/plugins/authldap/features/bootstrap/FeatureContext.php
index 1e495b2c..a2d109cb 100644
--- a/wp-content/plugins/authldap/features/bootstrap/FeatureContext.php
+++ b/wp-content/plugins/authldap/features/bootstrap/FeatureContext.php
@@ -284,6 +284,25 @@ LDIF',
 			return trim($item);
 		}, explode(',', $user['roles']));
 		Assert::false(in_array($arg2, $roles));
-
 	}
+
+	/**
+	 * @Given LDAP user :arg1 is not member of LDAP group :arg2
+	 */
+	public function ldapUserIsNotMemberOfLdapGroup($arg1, $arg2)
+	{
+		exec(sprintf(
+			'ldapmodify -x -H %1$s -D "%2$s" -w %3$s 2>&1 <<LDIF
+%4$s
+LDIF',
+			'ldap://openldap',
+			'cn=admin,dc=example,dc=org',
+			'insecure',
+			<<<LDIF
+			dn: cn=$arg2,dc=example,dc=org
+			changetype: modify
+			delete: uniqueMember
+			uniqueMember: uid=$arg1,dc=example,dc=org
+			LDIF
+		));	}
 }
diff --git a/wp-content/plugins/authldap/features/log in using no groups at all.feature b/wp-content/plugins/authldap/features/log in using no groups at all.feature
index b8515c84..1d2e0dab 100644
--- a/wp-content/plugins/authldap/features/log in using no groups at all.feature	
+++ b/wp-content/plugins/authldap/features/log in using no groups at all.feature	
@@ -61,3 +61,24 @@ Feature: Log in without group assignment
 		And the WordPress user "ldapuser" is member of role "wordpressrole"
 		And the WordPress user "ldapuser" is not member of role "editor"
 		And the WordPress user "ldapuser" is not member of role "subscriber"
+
+	Scenario: Second Login with group assignment that changes between first and second login
+		Given a default configuration
+		And configuration value "GroupEnable" is set to "true"
+		And configuration value "DefaultRole" is set to "subscriber"
+		And configuration value "Groups" is set to "administrator=ldapgroup1" and "editor=ldapgroup2"
+		And configuration value "GroupAttr" is set to "cn"
+		And configuration value "GroupFilter" is set to "uniquemember=%dn%"
+		And configuration value "GroupOverUser" is set to "true"
+		And an LDAP user "ldapuser" with name "LDAP User", password "P@ssw0rd" and email "ldapuser@example.com" exists
+		And an LDAP group "ldapgroup1" exists
+		And an LDAP group "ldapgroup2" exists
+		And LDAP user "ldapuser" is member of LDAP group "ldapgroup1"
+		And LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		And LDAP user "ldapuser" is member of LDAP group "ldapgroup2"
+		And LDAP user "ldapuser" is not member of LDAP group "ldapgroup1"
+		When LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		Then the login suceeds
+		And the WordPress user "ldapuser" is member of role "editor"
+		And the WordPress user "ldapuser" is not member of role "administrator"
+		And the WordPress user "ldapuser" is not member of role "subscriber"
diff --git a/wp-content/plugins/authldap/readme.txt b/wp-content/plugins/authldap/readme.txt
index 00476fe6..ec9d2311 100644
--- a/wp-content/plugins/authldap/readme.txt
+++ b/wp-content/plugins/authldap/readme.txt
@@ -2,7 +2,7 @@
 Contributors: heiglandreas
 Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory
 Requires at least: 2.5.0
-Tested up to: 6.4.0
+Tested up to: 6.5.0
 Requires PHP: 7.4
 Stable tag: trunk
 License: MIT
@@ -46,6 +46,9 @@ In essence: Report a security vulnerability at https://github.com/heiglandreas/a
 Please see https://github.com/heiglandreas/authLdap/blob/master/SECURITY.md for more details
 
 == Changelog ==
+= 2.6.2 =
+
+* Fix issue with Groups not being updated on existing accounts (see https://github.com/heiglandreas/authLdap/issues/250 for details)
 
 = 2.6.0 =
 
diff --git a/wp-content/plugins/authldap/src/Exception/UnknownOption.php b/wp-content/plugins/authldap/src/Exception/UnknownOption.php
index b2737b19..ce0147a1 100644
--- a/wp-content/plugins/authldap/src/Exception/UnknownOption.php
+++ b/wp-content/plugins/authldap/src/Exception/UnknownOption.php
@@ -1,13 +1,13 @@
 <?php
 
-declare(strict_types=1);
-
 /**
  * Copyright Andreas Heigl <andreas@heigl.org>
  *
  * Licensed under the MIT-license. For details see the included file LICENSE.md
  */
 
+declare(strict_types=1);
+
 namespace Org_Heigl\AuthLdap\Exception;
 
 use RuntimeException;
diff --git a/wp-content/plugins/authldap/src/OptionFactory.php b/wp-content/plugins/authldap/src/OptionFactory.php
index aa2955e4..97446145 100644
--- a/wp-content/plugins/authldap/src/OptionFactory.php
+++ b/wp-content/plugins/authldap/src/OptionFactory.php
@@ -1,13 +1,13 @@
 <?php
 
-declare(strict_types=1);
-
 /**
  * Copyright Andreas Heigl <andreas@heigl.org>
  *
  * Licensed under the MIT-license. For details see the included file LICENSE.md
  */
 
+declare(strict_types=1);
+
 namespace Org_Heigl\AuthLdap;
 
 use function json_decode;
diff --git a/wp-content/plugins/authldap/src/Options.php b/wp-content/plugins/authldap/src/Options.php
index ee7b969c..c4d3928b 100644
--- a/wp-content/plugins/authldap/src/Options.php
+++ b/wp-content/plugins/authldap/src/Options.php
@@ -1,16 +1,17 @@
 <?php
 
-declare(strict_types=1);
-
 /**
  * Copyright Andreas Heigl <andreas@heigl.org>
  *
  * Licensed under the MIT-license. For details see the included file LICENSE.md
  */
 
+declare(strict_types=1);
+
 namespace Org_Heigl\AuthLdap;
 
 use Org_Heigl\AuthLdap\Exception\UnknownOption;
+
 use function array_key_exists;
 
 class Options
diff --git a/wp-content/plugins/authldap/src/UserRoleHandler.php b/wp-content/plugins/authldap/src/UserRoleHandler.php
index 8966980f..d8c3a006 100644
--- a/wp-content/plugins/authldap/src/UserRoleHandler.php
+++ b/wp-content/plugins/authldap/src/UserRoleHandler.php
@@ -23,7 +23,7 @@ class UserRoleHandler
 	 * @param string[] $roles
 	 * @return void
 	 */
-	public function addRolesToUser(WP_User $user, $roles) : void
+	public function addRolesToUser(WP_User $user, $roles): void
 	{
 		if ($roles === []) {
 			return;
diff --git a/wp-content/plugins/authldap/view/admin.phtml b/wp-content/plugins/authldap/view/admin.phtml
index 0c55b319..779ba26c 100644
--- a/wp-content/plugins/authldap/view/admin.phtml
+++ b/wp-content/plugins/authldap/view/admin.phtml
@@ -101,7 +101,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPURI" id="authLDAPURI" placeholder="LDAP-URI"
-                          class="regular-text" value="<?php echo $authLDAPURI; ?>"/>
+                          class="regular-text" value="<?php echo esc_attr($authLDAPURI); ?>"/>
                         <p class="description">
                             The <abbr title="Uniform Ressource Identifier">URI</abbr>
                             for connecting to the LDAP-Server. This usualy takes the form
@@ -139,7 +139,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPURISeparator" id="authLDAPURISeparator" placeholder="LDAP-URI Separator"
-                               class="regular-text" value="<?php echo $authLDAPURISeparator; ?>"/>
+                               class="regular-text" value="<?php echo esc_attr($authLDAPURISeparator); ?>"/>
                         <p class="description">
                             A separator that separates multiple LDAP-URIs from one another.
                             You can use that feature to try to authenticate against multiple LDAP-Servers
@@ -152,7 +152,7 @@
                           <label for="authLDAPStartTLS" class="description">StartTLS</label>
                       </th>
                       <td>
-                          <input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo $tStartTLSChecked; ?>/>
+                          <input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo esc_attr($tStartTLSChecked); ?>/>
                           <p class="description">
                               Use StartTLS for encryption of ldap connections. This setting is not to be used in combination with ldaps connections (ldap:// only).
                           </p>
@@ -163,7 +163,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPFilter" id="authLDAPFilter" placeholder="(uid=%s)"
-                          class="regular-text" value="<?php echo $authLDAPFilter; ?>"/>
+                          class="regular-text" value="<?php echo esc_attr($authLDAPFilter); ?>"/>
                         <p class="description">
                             Please provide a valid filter that can be used for querying the
                             <abbr title="Lightweight Directory Access Protocol">LDAP</abbr>
@@ -190,7 +190,7 @@
                         <label for="authLDAPUseUserAccount">User-Read</label>
                     </th>
                     <td>
-                        <input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo $tUserRead; ?>/><br />
+                        <input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo esc_attr($tUserRead); ?>/><br />
                         <p class="description">
                             If checked the plugin will use the user's account to query their own information. If not it will use the admin account.
                         </p>
@@ -203,7 +203,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPNameAttr" id="authLDAPNameAttr" placeholder="name"
-                          class="regular-text" value="<?php echo $authLDAPNameAttr; ?>"/><br />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPNameAttr); ?>"/><br />
                         <p class="description">
                             Which Attribute from the LDAP contains the Full or the First name
                             of the user trying to log in.
@@ -220,7 +220,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPSecName" id="authLDAPSecName" placeholder=""
-                          class="regular-text" value="<?php echo $authLDAPSecName; ?>" />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPSecName); ?>" />
                         <p class="description">
                             If the above Name-Attribute only contains the First Name of the
                             user you can here specify an Attribute that contains the second name.
@@ -236,7 +236,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPUidAttr" id="authLDAPUidAttr" placeholder="uid"
-                          class="regular-text" value="<?php echo $authLDAPUidAttr; ?>" />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPUidAttr); ?>" />
                         <p class="description">
                             Please give the Attribute, that is used to identify the user. This
                             should be the same as you used in the above <em>Filter</em>-Option
@@ -252,7 +252,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPMailAttr" id="authLDAPMailAttr" placeholder="mail"
-                          class="regular-text" value="<?php echo $authLDAPMailAttr; ?>" />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPMailAttr); ?>" />
                         <p class="description">
                             Which Attribute holds the eMail-Address of the user?
                         </p>
@@ -270,7 +270,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPWebAttr" id="authLDAPWebAttr" placeholder=""
-                          class="regular-text" value="<?php echo $authLDAPWebAttr; ?>" />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPWebAttr); ?>" />
                         <p class="description">
                             If your users have a personal page (URI) stored in the LDAP, it can
                             be provided here.
@@ -291,7 +291,7 @@
                             </option>
 <?php foreach ($roles->get_names() as $group => $vals) : ?>
                             <option value="<?php echo $group; ?>" <?php echo ( $authLDAPDefaultRole == $group ? 'selected="selected"' : '' ); ?>>
-                                <?php echo $vals; ?>
+                                <?php echo esc_attr($vals); ?>
                             </option>
 <?php endforeach; ?>
                         </select>
@@ -317,7 +317,7 @@
                         <label for="authLDAPGroupOverUser">LDAP Groups override role of existing users?</label>
                     </th>
                     <td>
-                        <input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo $tGroupOverUserChecked; ?>/>
+                        <input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo esc_attr($tGroupOverUserChecked); ?>/>
                         <p class="description">
                             If role determined by LDAP Group differs from existing Wordpress User's role, use LDAP Group.
                         </p>
@@ -329,7 +329,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPGroupBase" id="authLDAPGroupBase" placeholder=""
-                          class="regular-text" value="<?php echo $authLDAPGroupBase; ?>" />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPGroupBase); ?>" />
                         <p class="description">
                             This is the base dn to lookup groups.
                         </p>
@@ -344,7 +344,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPGroupAttr" id="authLDAPGroupAttr" placeholder="gidNumber"
-                          class="regular-text" value="<?php echo $authLDAPGroupAttr; ?>" />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPGroupAttr); ?>" />
                         <p class="description">
                             This is the attribute that defines the Group-ID that can be matched
                             against the Groups defined further down
@@ -360,7 +360,7 @@
                     </th>
                     <td>
                         <input type="text" name="authLDAPGroupSeparator" id="authLDAPGroupSeparator" placeholder=","
-                          class="regular-text" value="<?php echo $authLDAPGroupSeparator; ?>" />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPGroupSeparator); ?>" />
                         <p class="description">
                             This attribute defines the separator used for the Group-IDs listed in the
                             Groups defined further down. This is useful if the value of Group-Attribute
@@ -378,7 +378,7 @@
                     <td>
                         <input type="text" name="authLDAPGroupFilter" id="authLDAPGroupFilter"
                           placeholder="(&amp;(objectClass=posixGroup)(memberUid=%s))"
-                          class="regular-text" value="<?php echo $authLDAPGroupFilter; ?>" />
+                          class="regular-text" value="<?php echo esc_attr($authLDAPGroupFilter); ?>" />
                         <p class="description">
                             Here you can add the filter for selecting groups for ther
                             currentlly logged in user
@@ -416,12 +416,13 @@
                 <tr>
                     <th scope="row" style="width:auto; min-width: 200px;">
                         <label for="authLDAPGroups[<?php echo $group; ?>]">
-                            <?php echo $vals; ?>
+                            <?php echo esc_attr($vals); ?>
                         </label>
                     </th>
                     <td>
-                        <input type="text" name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]"
-                          value="<?php echo $aGroup; ?>" />
+						<textarea name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]" cols=60 rows=5><?php
+							echo esc_textarea($aGroup);
+						?></textarea>
                     </td>
                 </tr>
 <?php endforeach; ?>
diff --git a/wp-content/plugins/authldap/wordpress/info.php b/wp-content/plugins/authldap/wordpress/info.php
new file mode 100644
index 00000000..b3d9bbc7
--- /dev/null
+++ b/wp-content/plugins/authldap/wordpress/info.php
@@ -0,0 +1 @@
+<?php