kawaiipunk/laipower
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated plugin AuthLDAP version 2.6.2

Browse Source
This commit is contained in:
KawaiiPunk 2024-06-27 12:10:42 +00:00 committed by Gitium
parent 4e493c268e
commit 65d26d4d83
10 changed files with 81 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
wp-content/plugins/authldap/authLdap.php
View File

@ -4,7 +4,7 @@
Plugin Name: AuthLDAP Plugin Name: AuthLDAP
Plugin URI: https://github.com/heiglandreas/authLdap Plugin URI: https://github.com/heiglandreas/authLdap
Description: This plugin allows you to use your existing LDAP as authentication base for WordPress Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
Version: 2.6.0 Version: 2.6.2
Author: Andreas Heigl <andreas@heigl.org> Author: Andreas Heigl <andreas@heigl.org>
Author URI: http://andreas.heigl.org Author URI: http://andreas.heigl.org
License: MIT License: MIT
@ -77,7 +77,7 @@ function authLdap_options_panel()
if (!isset($_POST['authLdapNonce'])) { if (!isset($_POST['authLdapNonce'])) {
die("Go away!"); die("Go away!");
} }
if (!wp_verify_nonce($_POST['authLdapNonce'],'authLdapNonce')) { if (!wp_verify_nonce($_POST['authLdapNonce'], 'authLdapNonce')) {
die("Go away!"); die("Go away!");
} }
@ -255,8 +255,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
$authLDAPUidAttr = authLdap_get_option('UidAttr'); $authLDAPUidAttr = authLdap_get_option('UidAttr');
$authLDAPWebAttr = authLdap_get_option('WebAttr'); $authLDAPWebAttr = authLdap_get_option('WebAttr');
$authLDAPDefaultRole = authLdap_get_option('DefaultRole'); $authLDAPDefaultRole = authLdap_get_option('DefaultRole');
$authLDAPGroupEnable = authLdap_get_option('GroupEnable'); $authLDAPGroupEnable = filter_var(authLdap_get_option('GroupEnable'), FILTER_VALIDATE_BOOLEAN);
$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser'); $authLDAPGroupOverUser = filter_var(authLdap_get_option('GroupOverUser'), FILTER_VALIDATE_BOOLEAN);
$authLDAPUseUserAccount = authLdap_get_option('UserRead'); $authLDAPUseUserAccount = authLdap_get_option('UserRead');
if (!$username) { if (!$username) {
@ -373,7 +373,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
// we only need this if either LDAP groups are disabled or // we only need this if either LDAP groups are disabled or
// if the WordPress role of the user overrides LDAP groups // if the WordPress role of the user overrides LDAP groups
if (!$authLDAPGroupEnable || $authLDAPGroupOverUser) { if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false) {
$userRoles = authLdap_user_role($uid); $userRoles = authLdap_user_role($uid);
if ($userRoles !== []) { if ($userRoles !== []) {
$roles = array_merge($roles, $userRoles); $roles = array_merge($roles, $userRoles);
@ -383,8 +383,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
} }
// do LDAP group mapping if needed // do LDAP group mapping if needed
// (if LDAP groups override worpress user role, $role is still empty) // (if LDAP groups override wordpress user role, $role is still empty)
if (empty($roles) && $authLDAPGroupEnable) { if ((empty($roles) || $authLDAPGroupOverUser === true) && $authLDAPGroupEnable === true) {
$mappedRoles = authLdap_groupmap($realuid, $dn); $mappedRoles = authLdap_groupmap($realuid, $dn);
if ($mappedRoles !== []) { if ($mappedRoles !== []) {
$roles = $mappedRoles; $roles = $mappedRoles;

21
wp-content/plugins/authldap/features/bootstrap/FeatureContext.php
View File

@ -284,6 +284,25 @@ LDIF',
return trim($item); return trim($item);
}, explode(',', $user['roles'])); }, explode(',', $user['roles']));
Assert::false(in_array($arg2, $roles)); Assert::false(in_array($arg2, $roles));
} }
/**
* @Given LDAP user :arg1 is not member of LDAP group :arg2
*/
public function ldapUserIsNotMemberOfLdapGroup($arg1, $arg2)
{
exec(sprintf(
'ldapmodify -x -H %1$s -D "%2$s" -w %3$s 2>&1 <<LDIF
%4$s
LDIF',
'ldap://openldap',
'cn=admin,dc=example,dc=org',
'insecure',
<<<LDIF
dn: cn=$arg2,dc=example,dc=org
changetype: modify
delete: uniqueMember
uniqueMember: uid=$arg1,dc=example,dc=org
LDIF
)); }
} }

21
wp-content/plugins/authldap/features/log in using no groups at all.feature
View File

@ -61,3 +61,24 @@ Feature: Log in without group assignment
And the WordPress user "ldapuser" is member of role "wordpressrole" And the WordPress user "ldapuser" is member of role "wordpressrole"
And the WordPress user "ldapuser" is not member of role "editor" And the WordPress user "ldapuser" is not member of role "editor"
And the WordPress user "ldapuser" is not member of role "subscriber" And the WordPress user "ldapuser" is not member of role "subscriber"
Scenario: Second Login with group assignment that changes between first and second login
Given a default configuration
And configuration value "GroupEnable" is set to "true"
And configuration value "DefaultRole" is set to "subscriber"
And configuration value "Groups" is set to "administrator=ldapgroup1" and "editor=ldapgroup2"
And configuration value "GroupAttr" is set to "cn"
And configuration value "GroupFilter" is set to "uniquemember=%dn%"
And configuration value "GroupOverUser" is set to "true"
And an LDAP user "ldapuser" with name "LDAP User", password "P@ssw0rd" and email "ldapuser@example.com" exists
And an LDAP group "ldapgroup1" exists
And an LDAP group "ldapgroup2" exists
And LDAP user "ldapuser" is member of LDAP group "ldapgroup1"
And LDAP user "ldapuser" logs in with password "P@ssw0rd"
And LDAP user "ldapuser" is member of LDAP group "ldapgroup2"
And LDAP user "ldapuser" is not member of LDAP group "ldapgroup1"
When LDAP user "ldapuser" logs in with password "P@ssw0rd"
Then the login suceeds
And the WordPress user "ldapuser" is member of role "editor"
And the WordPress user "ldapuser" is not member of role "administrator"
And the WordPress user "ldapuser" is not member of role "subscriber"

5
wp-content/plugins/authldap/readme.txt
View File

@ -2,7 +2,7 @@
Contributors: heiglandreas Contributors: heiglandreas
Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory
Requires at least: 2.5.0 Requires at least: 2.5.0
Tested up to: 6.4.0 Tested up to: 6.5.0
Requires PHP: 7.4 Requires PHP: 7.4
Stable tag: trunk Stable tag: trunk
License: MIT License: MIT
@ -46,6 +46,9 @@ In essence: Report a security vulnerability at https://github.com/heiglandreas/a
Please see https://github.com/heiglandreas/authLdap/blob/master/SECURITY.md for more details Please see https://github.com/heiglandreas/authLdap/blob/master/SECURITY.md for more details
== Changelog == == Changelog ==
= 2.6.2 =
* Fix issue with Groups not being updated on existing accounts (see https://github.com/heiglandreas/authLdap/issues/250 for details)
= 2.6.0 = = 2.6.0 =

4
wp-content/plugins/authldap/src/Exception/UnknownOption.php
View File

@ -1,13 +1,13 @@
<?php <?php
declare(strict_types=1);
/** /**
* Copyright Andreas Heigl <andreas@heigl.org> * Copyright Andreas Heigl <andreas@heigl.org>
* *
* Licensed under the MIT-license. For details see the included file LICENSE.md * Licensed under the MIT-license. For details see the included file LICENSE.md
*/ */
declare(strict_types=1);
namespace Org_Heigl\AuthLdap\Exception; namespace Org_Heigl\AuthLdap\Exception;
use RuntimeException; use RuntimeException;

4
wp-content/plugins/authldap/src/OptionFactory.php
View File

@ -1,13 +1,13 @@
<?php <?php
declare(strict_types=1);
/** /**
* Copyright Andreas Heigl <andreas@heigl.org> * Copyright Andreas Heigl <andreas@heigl.org>
* *
* Licensed under the MIT-license. For details see the included file LICENSE.md * Licensed under the MIT-license. For details see the included file LICENSE.md
*/ */
declare(strict_types=1);
namespace Org_Heigl\AuthLdap; namespace Org_Heigl\AuthLdap;
use function json_decode; use function json_decode;

5
wp-content/plugins/authldap/src/Options.php
View File

@ -1,16 +1,17 @@
<?php <?php
declare(strict_types=1);
/** /**
* Copyright Andreas Heigl <andreas@heigl.org> * Copyright Andreas Heigl <andreas@heigl.org>
* *
* Licensed under the MIT-license. For details see the included file LICENSE.md * Licensed under the MIT-license. For details see the included file LICENSE.md
*/ */
declare(strict_types=1);
namespace Org_Heigl\AuthLdap; namespace Org_Heigl\AuthLdap;
use Org_Heigl\AuthLdap\Exception\UnknownOption; use Org_Heigl\AuthLdap\Exception\UnknownOption;
use function array_key_exists; use function array_key_exists;
class Options class Options

2
wp-content/plugins/authldap/src/UserRoleHandler.php
View File

@ -23,7 +23,7 @@ class UserRoleHandler
* @param string[] $roles * @param string[] $roles
* @return void * @return void
*/ */
public function addRolesToUser(WP_User $user, $roles) : void public function addRolesToUser(WP_User $user, $roles): void
{ {
if ($roles === []) { if ($roles === []) {
return; return;

39
wp-content/plugins/authldap/view/admin.phtml
View File

@ -101,7 +101,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPURI" id="authLDAPURI" placeholder="LDAP-URI" <input type="text" name="authLDAPURI" id="authLDAPURI" placeholder="LDAP-URI"
class="regular-text" value="<?php echo $authLDAPURI; ?>"/> class="regular-text" value="<?php echo esc_attr($authLDAPURI); ?>"/>
<p class="description"> <p class="description">
The <abbr title="Uniform Ressource Identifier">URI</abbr> The <abbr title="Uniform Ressource Identifier">URI</abbr>
for connecting to the LDAP-Server. This usualy takes the form for connecting to the LDAP-Server. This usualy takes the form
@ -139,7 +139,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPURISeparator" id="authLDAPURISeparator" placeholder="LDAP-URI Separator" <input type="text" name="authLDAPURISeparator" id="authLDAPURISeparator" placeholder="LDAP-URI Separator"
class="regular-text" value="<?php echo $authLDAPURISeparator; ?>"/> class="regular-text" value="<?php echo esc_attr($authLDAPURISeparator); ?>"/>
<p class="description"> <p class="description">
A separator that separates multiple LDAP-URIs from one another. A separator that separates multiple LDAP-URIs from one another.
You can use that feature to try to authenticate against multiple LDAP-Servers You can use that feature to try to authenticate against multiple LDAP-Servers
@ -152,7 +152,7 @@
<label for="authLDAPStartTLS" class="description">StartTLS</label> <label for="authLDAPStartTLS" class="description">StartTLS</label>
</th> </th>
<td> <td>
<input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo $tStartTLSChecked; ?>/> <input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo esc_attr($tStartTLSChecked); ?>/>
<p class="description"> <p class="description">
Use StartTLS for encryption of ldap connections. This setting is not to be used in combination with ldaps connections (ldap:// only). Use StartTLS for encryption of ldap connections. This setting is not to be used in combination with ldaps connections (ldap:// only).
</p> </p>
@ -163,7 +163,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPFilter" id="authLDAPFilter" placeholder="(uid=%s)" <input type="text" name="authLDAPFilter" id="authLDAPFilter" placeholder="(uid=%s)"
class="regular-text" value="<?php echo $authLDAPFilter; ?>"/> class="regular-text" value="<?php echo esc_attr($authLDAPFilter); ?>"/>
<p class="description"> <p class="description">
Please provide a valid filter that can be used for querying the Please provide a valid filter that can be used for querying the
<abbr title="Lightweight Directory Access Protocol">LDAP</abbr> <abbr title="Lightweight Directory Access Protocol">LDAP</abbr>
@ -190,7 +190,7 @@
<label for="authLDAPUseUserAccount">User-Read</label> <label for="authLDAPUseUserAccount">User-Read</label>
</th> </th>
<td> <td>
<input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo $tUserRead; ?>/><br /> <input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo esc_attr($tUserRead); ?>/><br />
<p class="description"> <p class="description">
If checked the plugin will use the user's account to query their own information. If not it will use the admin account. If checked the plugin will use the user's account to query their own information. If not it will use the admin account.
</p> </p>
@ -203,7 +203,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPNameAttr" id="authLDAPNameAttr" placeholder="name" <input type="text" name="authLDAPNameAttr" id="authLDAPNameAttr" placeholder="name"
class="regular-text" value="<?php echo $authLDAPNameAttr; ?>"/><br /> class="regular-text" value="<?php echo esc_attr($authLDAPNameAttr); ?>"/><br />
<p class="description"> <p class="description">
Which Attribute from the LDAP contains the Full or the First name Which Attribute from the LDAP contains the Full or the First name
of the user trying to log in. of the user trying to log in.
@ -220,7 +220,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPSecName" id="authLDAPSecName" placeholder="" <input type="text" name="authLDAPSecName" id="authLDAPSecName" placeholder=""
class="regular-text" value="<?php echo $authLDAPSecName; ?>" /> class="regular-text" value="<?php echo esc_attr($authLDAPSecName); ?>" />
<p class="description"> <p class="description">
If the above Name-Attribute only contains the First Name of the If the above Name-Attribute only contains the First Name of the
user you can here specify an Attribute that contains the second name. user you can here specify an Attribute that contains the second name.
@ -236,7 +236,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPUidAttr" id="authLDAPUidAttr" placeholder="uid" <input type="text" name="authLDAPUidAttr" id="authLDAPUidAttr" placeholder="uid"
class="regular-text" value="<?php echo $authLDAPUidAttr; ?>" /> class="regular-text" value="<?php echo esc_attr($authLDAPUidAttr); ?>" />
<p class="description"> <p class="description">
Please give the Attribute, that is used to identify the user. This Please give the Attribute, that is used to identify the user. This
should be the same as you used in the above <em>Filter</em>-Option should be the same as you used in the above <em>Filter</em>-Option
@ -252,7 +252,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPMailAttr" id="authLDAPMailAttr" placeholder="mail" <input type="text" name="authLDAPMailAttr" id="authLDAPMailAttr" placeholder="mail"
class="regular-text" value="<?php echo $authLDAPMailAttr; ?>" /> class="regular-text" value="<?php echo esc_attr($authLDAPMailAttr); ?>" />
<p class="description"> <p class="description">
Which Attribute holds the eMail-Address of the user? Which Attribute holds the eMail-Address of the user?
</p> </p>
@ -270,7 +270,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPWebAttr" id="authLDAPWebAttr" placeholder="" <input type="text" name="authLDAPWebAttr" id="authLDAPWebAttr" placeholder=""
class="regular-text" value="<?php echo $authLDAPWebAttr; ?>" /> class="regular-text" value="<?php echo esc_attr($authLDAPWebAttr); ?>" />
<p class="description"> <p class="description">
If your users have a personal page (URI) stored in the LDAP, it can If your users have a personal page (URI) stored in the LDAP, it can
be provided here. be provided here.
@ -291,7 +291,7 @@
</option> </option>
<?php foreach ($roles->get_names() as $group => $vals) : ?> <?php foreach ($roles->get_names() as $group => $vals) : ?>
<option value="<?php echo $group; ?>" <?php echo ( $authLDAPDefaultRole == $group ? 'selected="selected"' : '' ); ?>> <option value="<?php echo $group; ?>" <?php echo ( $authLDAPDefaultRole == $group ? 'selected="selected"' : '' ); ?>>
<?php echo $vals; ?> <?php echo esc_attr($vals); ?>
</option> </option>
<?php endforeach; ?> <?php endforeach; ?>
</select> </select>
@ -317,7 +317,7 @@
<label for="authLDAPGroupOverUser">LDAP Groups override role of existing users?</label> <label for="authLDAPGroupOverUser">LDAP Groups override role of existing users?</label>
</th> </th>
<td> <td>
<input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo $tGroupOverUserChecked; ?>/> <input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo esc_attr($tGroupOverUserChecked); ?>/>
<p class="description"> <p class="description">
If role determined by LDAP Group differs from existing Wordpress User's role, use LDAP Group. If role determined by LDAP Group differs from existing Wordpress User's role, use LDAP Group.
</p> </p>
@ -329,7 +329,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPGroupBase" id="authLDAPGroupBase" placeholder="" <input type="text" name="authLDAPGroupBase" id="authLDAPGroupBase" placeholder=""
class="regular-text" value="<?php echo $authLDAPGroupBase; ?>" /> class="regular-text" value="<?php echo esc_attr($authLDAPGroupBase); ?>" />
<p class="description"> <p class="description">
This is the base dn to lookup groups. This is the base dn to lookup groups.
</p> </p>
@ -344,7 +344,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPGroupAttr" id="authLDAPGroupAttr" placeholder="gidNumber" <input type="text" name="authLDAPGroupAttr" id="authLDAPGroupAttr" placeholder="gidNumber"
class="regular-text" value="<?php echo $authLDAPGroupAttr; ?>" /> class="regular-text" value="<?php echo esc_attr($authLDAPGroupAttr); ?>" />
<p class="description"> <p class="description">
This is the attribute that defines the Group-ID that can be matched This is the attribute that defines the Group-ID that can be matched
against the Groups defined further down against the Groups defined further down
@ -360,7 +360,7 @@
</th> </th>
<td> <td>
<input type="text" name="authLDAPGroupSeparator" id="authLDAPGroupSeparator" placeholder="," <input type="text" name="authLDAPGroupSeparator" id="authLDAPGroupSeparator" placeholder=","
class="regular-text" value="<?php echo $authLDAPGroupSeparator; ?>" /> class="regular-text" value="<?php echo esc_attr($authLDAPGroupSeparator); ?>" />
<p class="description"> <p class="description">
This attribute defines the separator used for the Group-IDs listed in the This attribute defines the separator used for the Group-IDs listed in the
Groups defined further down. This is useful if the value of Group-Attribute Groups defined further down. This is useful if the value of Group-Attribute
@ -378,7 +378,7 @@
<td> <td>
<input type="text" name="authLDAPGroupFilter" id="authLDAPGroupFilter" <input type="text" name="authLDAPGroupFilter" id="authLDAPGroupFilter"
placeholder="(&amp;(objectClass=posixGroup)(memberUid=%s))" placeholder="(&amp;(objectClass=posixGroup)(memberUid=%s))"
class="regular-text" value="<?php echo $authLDAPGroupFilter; ?>" /> class="regular-text" value="<?php echo esc_attr($authLDAPGroupFilter); ?>" />
<p class="description"> <p class="description">
Here you can add the filter for selecting groups for ther Here you can add the filter for selecting groups for ther
currentlly logged in user currentlly logged in user
@ -416,12 +416,13 @@
<tr> <tr>
<th scope="row" style="width:auto; min-width: 200px;"> <th scope="row" style="width:auto; min-width: 200px;">
<label for="authLDAPGroups[<?php echo $group; ?>]"> <label for="authLDAPGroups[<?php echo $group; ?>]">
<?php echo $vals; ?> <?php echo esc_attr($vals); ?>
</label> </label>
</th> </th>
<td> <td>
<input type="text" name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]" <textarea name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]" cols=60 rows=5><?php
value="<?php echo $aGroup; ?>" /> echo esc_textarea($aGroup);
?></textarea>
</td> </td>
</tr> </tr>
<?php endforeach; ?> <?php endforeach; ?>

1
wp-content/plugins/authldap/wordpress/info.php Normal file
View File

@ -0,0 +1 @@
<?php