LimeSurvey · olleharstedt · Oct 6, 2022 · May 31, 2022 · Jun 2, 2022 · Jul 25, 2022
diff --git a/application/core/plugins/Authwebserver/Authwebserver.php b/application/core/plugins/Authwebserver/Authwebserver.php
@@ -3,7 +3,7 @@
 class Authwebserver extends LimeSurvey\PluginManager\AuthPluginBase
 {
     protected $storage = 'DbStorage';
-    
+
     protected static $description = 'Core: Webserver authentication';
     protected static $name = 'Webserver';
 
@@ -21,12 +21,12 @@ class Authwebserver extends LimeSurvey\PluginManager\AuthPluginBase
             'default' => 'REMOTE_USER',
         ),
         'is_default' => array(
-                'type' => 'checkbox',
-                'label' => 'Check to make default authentication method (This disable Default LimeSurvey authentification by database)',
-                'default' => true,
-                )
+            'type' => 'checkbox',
+            'label' => 'Check to make default authentication method (This disable Default LimeSurvey authentification by database)',
+            'default' => true,
+        )
     );
-    
+
     public function init()
     {
         /**
@@ -61,6 +61,7 @@ public function beforeLogin()
     {
         // normal login through webserver authentication
         $serverKey = $this->get('serverkey');
+
         if (!empty($serverKey) && isset($_SERVER[$serverKey])) {
             $sUser = $_SERVER[$serverKey];
             // Only strip domain part when desired
@@ -77,10 +78,14 @@ public function beforeLogin()
             if (isset($aUserMappings[$sUser])) {
                 $sUser = $aUserMappings[$sUser];
             }
+            $authEvent = $this->getEvent();
             $oUser = $this->api->getUserByName($sUser);
-            if ($oUser || $this->api->getConfigKey('auth_webserver_autocreate_user')) {
+            if (
+                ($oUser && Permission::model()->hasGlobalPermission('auth_webserver', 'read', $oUser->uid))
+                || (!$oUser && $this->api->getConfigKey('auth_webserver_autocreate_user'))
+            ) {
                 $this->setUsername($sUser);
-                $this->setAuthPlugin(); // This plugin handles authentication, halt further execution of auth plugins
+                $this->setAuthPlugin($authEvent); // This plugin handles authentication, halt further execution of auth plugins
                 return;
             }
         }
@@ -96,10 +101,10 @@ public function newUserSession()
         if ($identity->plugin != 'Authwebserver') {
             return;
         }
-
+        /* @var $authEvent LimeSurvey\PluginManager\PluginEvent */
+        $authEvent = $this->getEvent();
         /* @var $identity LSUserIdentity */
         $sUser = $this->getUserName();
-
         $oUser = $this->api->getUserByName($sUser);
         if (is_null($oUser)) {
             if (function_exists("hook_get_auth_webserver_profile")) {
@@ -110,12 +115,11 @@ public function newUserSession()
                 $aUserProfile = $this->api->getConfigKey('auth_webserver_autocreate_profile');
             }
         } else {
-            if (Permission::model()->find('permission = :permission AND uid=:uid AND read_p =1', array(":permission" => 'auth_webserver', ":uid" => $oUser->uid))) {
-                // Don't use Permission::model()->hasGlobalPermission : it's update the plugins event (and remove user/pass from event)
-                $this->setAuthSuccess($oUser);
+            if (Permission::model()->hasGlobalPermission('auth_webserver', 'read', $oUser->uid)) {
+                $this->setAuthSuccess($oUser, $authEvent);
                 return;
             } else {
-                $this->setAuthFailure(self::ERROR_AUTH_METHOD_INVALID, gT('Web server authentication method is not allowed for this user'));
+                $this->setAuthFailure(self::ERROR_AUTH_METHOD_INVALID, gT('Web server authentication method is not allowed for this user'), $authEvent);
                 return;
             }
         }
@@ -135,10 +139,10 @@ public function newUserSession()
                 Permission::model()->setGlobalPermission($oUser->uid, 'auth_webserver');
 
                 // read again user from newly created entry
-                $this->setAuthSuccess($oUser);
+                $this->setAuthSuccess($oUser, $authEvent);
                 return;
             } else {
-                $this->setAuthFailure(self::ERROR_USERNAME_INVALID);
+                $this->setAuthFailure(self::ERROR_USERNAME_INVALID, gT('Unable to create user'), $authEvent);
             }
         }
     }
@@ -154,7 +158,7 @@ public function getPluginSettings($getValues = true)
         $settings = parent::getPluginSettings($getValues);
 
         if (!empty($settings['serverkey']) && !empty($settings['serverkey']['current'])) {
-            if(!isset($_SERVER[$settings['serverkey']['current']])) {
+            if (!isset($_SERVER[$settings['serverkey']['current']])) {
                 $settings['serverkey']['help'] = "<p class='alert alert-danger'>" . gT("The server key is not currently set. If you set this plugin as default you will not be able to log in again.") . "<p>";
             }
         }

diff --git a/application/libraries/PluginManager/AuthPluginBase.php b/application/libraries/PluginManager/AuthPluginBase.php
@@ -4,6 +4,7 @@
 
 use User;
 use LSAuthResult;
+use LimeSurvey\PluginManager\PluginEvent;
 
 abstract class AuthPluginBase extends PluginBase
 {
@@ -85,17 +86,19 @@ public function remoteControlLogin()
      * Set authentication result to success for the given user object.
      *
      * @param User $user
+     * @param \LimeSurvey\PluginManager\PluginEvent, current event if not set
      * @return AuthPluginBase
      */
-    public function setAuthSuccess(User $user)
+    public function setAuthSuccess(User $user, PluginEvent $event = null)
     {
-        $event = $this->getEvent();
-        $identity = $this->getEvent()->get('identity');
+        if (empty($event)) {
+            $event = $this->getEvent();
+        }
+        $identity = $event->get('identity');
         $identity->id = $user->uid;
         $identity->user = $user;
-        $this->getEvent()->set('identity', $identity);
+        $event->set('identity', $identity);
         $event->set('result', new LSAuthResult(self::ERROR_NONE));
-
         return $this;
     }
 
@@ -104,30 +107,34 @@ public function setAuthSuccess(User $user)
      *
      * @param int $code Any of the constants defined in this class
      * @param string $message An optional message to return about the failure
+     * @param \LimeSurvey\PluginManager\PluginEvent, current event if not set
      * @return AuthPluginBase
      */
-    public function setAuthFailure($code = self::ERROR_UNKNOWN_IDENTITY, $message = '')
+    public function setAuthFailure($code = self::ERROR_UNKNOWN_IDENTITY, $message = '', PluginEvent $event = null)
     {
-        $event = $this->getEvent();
+        if (empty($event)) {
+            $event = $this->getEvent();
+        }
         $identity = $this->getEvent()->get('identity');
         $identity->id = null;
         $event->set('result', new LSAuthResult($code, $message));
-
         return $this;
     }
 
     /**
      * Set this plugin to handle the authentication
      *
+     * @param \LimeSurvey\PluginManager\PluginEvent, current event if not set
      * @return AuthPluginBase
      */
-    public function setAuthPlugin()
+    public function setAuthPlugin(PluginEvent $event = null)
     {
-        $this->getEvent();
-        $identity = $this->getEvent()->get('identity');
+        if (empty($event)) {
+            $event = $this->getEvent();
+        }
+        $identity = $event->get('identity');
         $identity->plugin = get_class($this);
-        $this->getEvent()->stop();
-
+        $event->stop();
         return $this;
     }