From 4fe1473f9aa1d4b36744b6ab3cc3544868ef2108 Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Thu, 28 Feb 2019 21:59:59 +0100
Subject: [PATCH] Check access rules (#1658)
---
 .../lib/Lemonldap/NG/Portal/Main/Plugin.pm | 22 ++++++++++++++++---
 .../lib/Lemonldap/NG/Portal/Main/Run.pm | 4 ++--
 .../Lemonldap/NG/Portal/Plugins/CheckUser.pm | 19 +++++++++++++---
 3 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugin.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugin.pm
index f1d918a26..c6f5f64b4 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugin.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugin.pm
@@ -5,8 +5,9 @@ package Lemonldap::NG::Portal::Main::Plugin;
 use strict;
 use Mouse;
 use HTML::Template;
+use Data::Dumper;
 
-our $VERSION = '2.0.2';
+our $VERSION = '2.0.3';
 
 extends 'Lemonldap::NG::Common::Module';
 
@@ -38,13 +39,13 @@ sub _addRoute {
 return sub {
 shift;
 return $sub->( $self, @_ );
- }
+ }
 }
 else {
 return sub {
 shift;
 return $self->$sub(@_);
- }
+ }
 }
 };
 $self->p->$type( $word, $subName, $methods, $transform );
@@ -56,6 +57,21 @@ sub loadTemplate {
 return $self->p->loadTemplate(@_);
 }
 
+sub accessCtrl {
+ my ( $self, $req, $uri ) = @_;
+ my $url = $self->conf->{portal} . $uri;
+ $self->logger->debug("Plugin call setSecurity for URL: $url");
+
+ # Check access rule
+ my ( $vhost, $appuri ) = $url =~ m#^https?://([^/]*)(.*)#;
+ $vhost =~ s/:\d+$//;
+ $appuri ||= '/';
+ $self->logger->debug(
+ "grant function call with VH: $vhost and URI: $appuri");
+ return $self->p->HANDLER->grant( $req, $req->{userData}, $appuri,
+ undef, $vhost );
+}
+
 1;
 __END__
 
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
index f835b4352..98814ac2e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
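Review bot: `use Data::Dumper;` is added to Plugin.pm but nothing in this patch calls `Dumper`, which reads as a leftover from debugging the new `accessCtrl`; unless it is used elsewhere in the file, drop the line so the plugin base class does not carry a debug-only import into every plugin. The rest of the hunk is the version bump and needs nothing.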
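Review bot: `my $url = $self->conf->{portal} . $uri;` in the new `accessCtrl` depends on `conf->{portal}` ending in `/`, since both callers in this patch pass `'checkuser'` without a leading slash; if the portal URL is configured without the trailing slash the host and path fuse (`https://hostcheckuser`), `([^/]*)` swallows the whole thing as `$vhost`, `$appuri` falls back to `/`, and the rule evaluated is the portal root's rather than `/checkuser`'s. Joining on exactly one `/` removes that dependency. If `conf->{portal}` does not start with `http(s)://` the match fails, `$vhost =~ s/:\d+$//` runs on undef and `grant` receives an undefined vhost; failing closed there with `return 0 unless defined $vhost;` is safer. The debug message `Plugin call setSecurity for URL` names a function that does not exist here and should say `accessCtrl`, and a comment that the rule is evaluated against the connected user's data (`$req->{userData}`) rather than the inspected session (`sessionInfo`, as in `CheckUser::_authorization`) would save the next reader from assuming the two are interchangeable.
```perl
sub accessCtrl {
    my ( $self, $req, $uri ) = @_;

    # Join on exactly one '/', whether or not conf->{portal} ends in '/'
    # and whether or not the caller passed a leading '/'.
    my $base = $self->conf->{portal};
    $base =~ s{/+\z}{};
    $uri  =~ s{\A/+}{};
    my $url = "$base/$uri";
    $self->logger->debug("Plugin call accessCtrl for URL: $url");

    # Check the access rule against the connected user's data (userData),
    # not the session being inspected.
    my ( $vhost, $appuri ) = $url =~ m#^https?://([^/]*)(.*)#;
    return 0 unless defined $vhost;    # fail closed on a non-http(s) portal URL
    # … unchanged: port strip, $appuri default, debug log and grant() call …
```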
@@ -848,8 +848,8 @@ sub sendCss {
 }
 
 sub lmError {
- my ( $self, $req ) = @_;
- my $httpError = $req->param('code');
+ my ( $self, $req, $error ) = @_;
+ my $httpError = $req->param('code') || $error;
 
 # Check URL
 $self->controlUrl($req);
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
index 228c1247c..b464180de 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
@@ -44,6 +44,14 @@ sub check {
 my ( $attrs, $array_attrs, $array_hdrs ) = ( {}, [], [] );
 my $msg = my $auth = '';
 
+ # Check access rule
+ unless ( $self->accessCtrl( $req, 'checkuser' ) ) {
+ $self->userLogger->error(
+ "$req->{user} not allowed to access /checkuser");
+ return $self->p->lmError( $req, 403 );
+ }
+ $self->userLogger->notice("$req->{user} is allowed to access /checkuser");
+
 # Check token
 if ( $self->conf->{requireToken} ) {
 my $token = $req->param('token');
@@ -148,6 +156,14 @@ sub check {
 
 sub display {
 my ( $self, $req ) = @_;
+
+ # Check access rule
+ unless ( $self->accessCtrl( $req, 'checkuser' ) ) {
+ $self->userLogger->error(
+ "$req->{user} not allowed to access /checkuser");
+ return $self->p->lmError( $req, 403 );
+ }
+ $self->userLogger->notice("$req->{user} is allowed to access /checkuser");
 my $token = $self->ott->createToken( $req->sessionInfo );
 
 # Display form
@@ -193,11 +209,8 @@ sub _userDatas {
 
 sub _authorization {
 my ( $self, $req, $uri ) = @_;
-
- # Check rights
 my ( $vhost, $appuri ) = $uri =~ m#^https?://([^/]*)(.*)#;
 $vhost =~ s/:\d+$//;
- $vhost = $self->p->HANDLER->resolveAlias($vhost);
 $appuri ||= '/';
 return $self->p->HANDLER->grant( $req, $req->{sessionInfo}, $appuri,
 undef, $vhost );
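Review bot: With `my $httpError = $req->param('code') || $error;` the request's `code` query parameter still takes precedence over the code a caller passes explicitly, so the new `lmError( $req, 403 )` calls in CheckUser render whatever status the client put in `?code=` instead of the 403 the plugin decided on. The explicit argument should win and the parameter be the fallback: `my $httpError = $error // $req->param('code');`. Since `$error` is now part of the signature, a one-line comment above the sub stating that it is an optional HTTP status code overriding the `code` parameter would document the new contract. lmError's body continues past the end of the hunk.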
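Review bot: The seven-line access-rule block added at the top of `check` is repeated verbatim in `display` in the next hunk; a private helper in this plugin, e.g. `sub _checkAccess { my ( $self, $req ) = @_; ... }` that returns the `lmError` response on denial and undef otherwise, keeps the log wording, the `'checkuser'` literal and the 403 path in one place so they cannot drift apart. `$self->userLogger->notice(...)` fires on every permitted request to /checkuser, which may be more volume than the user log wants for a routine page load; `info` is worth considering unless the allow events are intended for auditing. `$req->{user}` reaches into the request hash directly where the surrounding code uses accessors such as `$req->param`, so `$req->user` would be more consistent if that accessor exists.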
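Review bot: Dropping `$vhost = $self->p->HANDLER->resolveAlias($vhost);` changes which rule set `grant` looks up when the checked URL uses a virtual-host alias; unless `grant` resolves aliases itself, a rule declared on the canonical vhost is no longer applied to its alias, and neither the commit message nor the hunk says why the call was removed. If it is redundant, a short comment at that point, `# grant() resolves vhost aliases itself`, would record the reason; otherwise the line should be restored. The same parsing of a URL into `$vhost`/`$appuri` now also lives in `Plugin::accessCtrl`, so the two should at least agree on alias handling. The removed `# Check rights` comment was the only description of what `_authorization` does; `# Evaluate the access rule of the checked session against $uri` would replace it. `_authorization`'s closing brace lies outside the hunk.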