Drive/roundcubemail-plugins-kolab
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add kolab_auth capability to use nsroledn attribute values attached to a user's entry (roles for users) to imply loading/setting configuration settings and loading additional plugins

Browse source
This commit is contained in:
Jeroen van Meeuwen (Kolab Systems) 2011-12-04 14:11:07 +00:00
parent 2f570dd126
commit d3d3a6e323
2 changed files with 122 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
plugins/kolab_auth/config.inc.php.dist
View file

@ -22,13 +22,41 @@ $rcmail_config['kolab_auth_admin_password'] = '';
// Enable audit logging for abuse of administrative privileges.
$rcmail_config['kolab_auth_auditlog'] = true;
// Administrative role field (from fieldmap configuration) which must be filled with
// specified value which adds privilege to login as another user.
$rcmail_config['kolab_auth_role'] = '';
// Role field (from fieldmap configuration)
$rcmail_config['kolab_auth_role'] = 'role';
// The required value for the role attribute to contain should the user be allowed
// to login as another user.
$rcmail_config['kolab_auth_role_value'] = '';
// Administrative group name to which user must be assigned to
// which adds privilege to login as another user.
$rcmail_config['kolab_auth_group'] = '';
// Enable plugins on a role-by-role basis. In this example, the 'acl' plugin
// is enabled for people with a 'cn=professional-user,dc=mykolab,dc=ch' role.
//
// Note that this does NOT mean the 'acl' plugin is disabled for other people.
$rcmail_config['kolab_auth_role_plugins'] = Array(
'cn=professional-user,dc=mykolab,dc=ch' => Array(
'acl',
),
);
// Settings on a role-by-role basis. In this example, the 'htmleditor' setting
// is enabled(1) for people with a 'cn=professional-user,dc=mykolab,dc=ch' role,
// and it cannot be overridden. Sample use-case: disable htmleditor for normal people,
// do not allow the setting to be controlled through the preferences, enable the
// html editor for professional users and allow them to override the setting in
// the preferences.
$rcmail_config['kolab_auth_role_settings'] = Array(
'cn=professional-user,dc=mykolab,dc=ch' => Array(
'htmleditor' => Array(
'mode' => 'override',
'value' => 1,
'allow_override' => true
),
),
);
?>

91
plugins/kolab_auth/kolab_auth.php
View file

@ -38,6 +38,7 @@ class kolab_auth extends rcube_plugin
$rcmail = rcmail::get_instance();
$this->add_hook('authenticate', array($this, 'authenticate'));
$this->add_hook('startup', array($this, 'startup'));
$this->add_hook('user_create', array($this, 'user_create'));
// Hooks related to "Login As" feature
@ -48,6 +49,7 @@ class kolab_auth extends rcube_plugin
$this->add_hook('write_log', array($this, 'write_log'));
// TODO: This section does not actually seem to work
if ($rcmail->config->get('kolab_auth_auditlog', false)) {
$rcmail->config->set('debug_level', 1);
$rcmail->config->set('devel_mode', true);
@ -64,6 +66,89 @@ class kolab_auth extends rcube_plugin
}
public function startup($args) {
// Arguments are task / action, not interested
if (!empty($_SESSION['user_roledns'])) {
$this->load_user_role_plugins_and_settings($_SESSION['user_roledns']);
}
return $args;
}
public function load_user_role_plugins_and_settings($role_dns) {
$rcmail = rcmail::get_instance();
$this->load_config();
// Check role dependent plugins to enable and settings to modify
// Example 'kolab_auth_role_plugins' =
//
// Array(
// '<role_dn>' => Array('plugin1', 'plugin2'),
// );
$role_plugins = $rcmail->config->get('kolab_auth_role_plugins');
// Example $rcmail_config['kolab_auth_role_settings'] =
//
// Array(
// '<role_dn>' => Array(
// '$setting' => Array(
// 'mode' => '(override|merge)', (default: override)
// 'value' => <>,
// 'allow_override' => (true|false) (default: false)
// ),
// ),
// );
$role_settings = $rcmail->config->get('kolab_auth_role_settings');
foreach ($role_dns as $role_dn) {
if (isset($role_plugins[$role_dn]) && is_array($role_plugins[$role_dn])) {
foreach ($role_plugins[$role_dn] as $plugin) {
$this->require_plugin($plugin);
}
}
if (isset($role_settings[$role_dn]) && is_array($role_settings[$role_dn])) {
foreach ($role_settings[$role_dn] as $setting_name => $setting) {
if (!isset($setting['mode'])) {
$setting['mode'] = 'override';
}
if ($setting['mode'] == "override") {
$rcmail->config->set($setting_name, $setting['value']);
} elseif ($setting['mode'] == "merge") {
$orig_setting = $rcmail->config->get($setting_name);
if (!empty($orig_setting)) {
if (is_array($orig_setting)) {
$rcmail->config->set($setting_name, array_merge($orig_setting, $setting['value']));
}
} else {
$rcmail->config->set($setting_name, $setting['value']);
}
}
if (!isset($setting['allow_override']) || !$setting['allow_override']) {
$rcmail->config->set('dont_override', array_merge($rcmail->config->get('dont_override', Array()), Array($setting_name)));
} else {
$dont_override = $rcmail->config->get('dont_override');
if (in_array($setting_name, $dont_override)) {
$_dont_override = Array();
foreach ($dont_override as $_setting) {
if ($_setting != $setting_name) {
$_dont_override[] = $_setting;
}
}
$rcmail->config->set('dont_override', $_dont_override);
}
}
}
}
}
}
public function write_log($args) {
$rcmail = rcmail::get_instance();
@ -188,6 +273,12 @@ class kolab_auth extends rcube_plugin
return $args;
}
$role_attr = $rcmail->config->get('kolab_auth_role');
if (!empty($role_attr) && !empty($record[$role_attr])) {
$_SESSION['user_roledns'] = (array)($record[$role_attr]);
}
// Login As...
if (!empty($loginas) && $admin_login) {
// Authenticate to LDAP