
Can now limit authorization based on groups or other attributes.

1 parent ed96312 commit 3fa45e9e9755f0ab115d7b930f86a5985d0dee52 @adamfranco adamfranco committed Dec 6, 2012
Showing with 38 additions and 0 deletions.
  1. +8 −0 config.inc.php-sample
  2. +30 −0 public/index.php
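--- a/config.inc.php-sample
+++ b/config.inc.php-sample
@@ -8,6 +8,14 @@ define('CAS_PATH', '/cas');
 // Define $getUserDisplayName as a custom callback function for accessing the current user's name.
 // $getUserDisplayName = create_function('', " return phpCAS::getAttribute('FirstName').' '.phpCAS::getAttribute('LastName');");
+// Define a list of attributes which if any are matched, will grant the user access
+// to the application.
+// Values can be either a single string or an array of strings. If an array, each value
+// will be checked separately.
+// $authorizedUserAttributes = array(
+// 'MemberOf' => 'CN=institution,OU=General,OU=Groups,DC=middlebury,DC=edu',
+// );
+
 // Configure the first LDAP Server.
 $ldapConfig = array();
 $ldapConfig['LDAPHost'] = 'ad.middlebury.edu';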
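Review bot: The new comment block does not say what happens when `$authorizedUserAttributes` is left commented out, which is the state the sample ships in: the check in public/index.php is skipped entirely when the variable is empty, so every CAS-authenticated user is authorized. Spell that default out so an operator does not assume the commented example is a deny-by-default baseline, e.g. `// If left unset or empty, NO attribute check is performed and any authenticated CAS user is allowed in.` It would also help to state that values are compared as exact strings against what the CAS server releases (`// Matching is an exact, case-sensitive string comparison against the attribute values released by CAS.`), since the DN shown is an LDAP-style value that the directory treats case-insensitively.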
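--- a/public/index.php
+++ b/public/index.php
@@ -60,6 +60,36 @@
 $ldap->connect();
 try {
+ // Check authorization
+ if (!empty($authorizedUserAttributes)) {
+ if (!is_array($authorizedUserAttributes))
+ throw new Exception('Configuration Error: $authorizedUserAttributes must be an array');
+ $isAuthorized = false;
+ $attributes = phpCAS::getAttributes();
+ foreach ($authorizedUserAttributes as $attr => $authorized_values) {
+ if (!is_array($authorized_values))
+ $authorized_values = array($authorized_values);
+ foreach ($authorized_values as $authorized_value) {
+ if (!empty($attributes[$attr])) {
+ if (is_array($attributes[$attr])) {
+ if (in_array($authorized_value, $attributes[$attr])) {
+ $isAuthorized = true;
+ break;
+ break;
+ }
+ } else if ($attributes[$attr] == $authorized_value) {
+ $isAuthorized = true;
+ break;
+ break;
+ }
+ }
+ }
+ }
+
+ if (!$isAuthorized)
+ throw new PermissionDeniedException("You are not authorized to use this application.");
+ }
+
 // Parse/validate our arguments and run the specified action.
 if (isset($_REQUEST['action'])) {
 if (preg_match('/^[a-z0-9_-]+$/i', $_REQUEST['action']))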
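Review bot: The membership test `in_array($authorized_value, $attributes[$attr])` and the scalar branch `$attributes[$attr] == $authorized_value` are loose comparisons, so a non-string value that slips into `$authorizedUserAttributes` (a bare `true`, or `0` on PHP 7 and earlier) compares equal to any released attribute value and silently authorizes every authenticated user; an authorization gate should only pass on an exact match, i.e. `if (in_array($authorized_value, $attributes[$attr], true)) {` and `} else if ($attributes[$attr] === $authorized_value) {`. The doubled `break; break;` after each match is also misleading: the second statement is unreachable and the first only leaves the inner `foreach`, so the outer attribute loop keeps running after access has already been granted — `break 2;` states the intent and ends the scan. The values are compared byte-for-byte while the example in the sample config is an LDAP DN, which directories treat case-insensitively, so a CAS server that releases the DN with different casing would reject legitimate members; if exact matching is intended, say so in a comment above the loop. The `try` block this check sits in, and the `catch` that is expected to handle `PermissionDeniedException`, are outside the hunk.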
