From 1591c16e956809c7433a649b1a06a367af4ba6cb Mon Sep 17 00:00:00 2001
From: Daniel Berteaud <daniel@firewall-services.com>
Date: Sat, 22 Sep 2012 12:36:00 +0200
Subject: [PATCH] Ajout du support de liste blanche de groupes

---
 .../templates/usr/share/mozilla-mcd/conf.php/10All | 12 ++++++------
 root/usr/share/mozilla-mcd/thunderbird.php         | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/root/etc/e-smith/templates/usr/share/mozilla-mcd/conf.php/10All b/root/etc/e-smith/templates/usr/share/mozilla-mcd/conf.php/10All
index 7defc76..ceacea6 100644
--- a/root/etc/e-smith/templates/usr/share/mozilla-mcd/conf.php/10All
+++ b/root/etc/e-smith/templates/usr/share/mozilla-mcd/conf.php/10All
@@ -7,12 +7,11 @@ my $ldapbase = esmith::util::ldapBase ($DomainName);
 my $tbpref = ((${'mozilla-mcd'}{'TBEnforce'} || 'disabled') =~ m/^enabled|on|1|yes$/) ? "lockPref":"defaultPref";
 my $ffpref = ((${'mozilla-mcd'}{'FFEnforce'} || 'disabled') =~ m/^enabled|on|1|yes$/) ? "lockPref":"defaultPref";
 my $url = ${'mozilla-mcd'}{'HomeURL'} || 'https://auth.' . "$DomainName";
-my $noenforcegroups = ${'mozilla-mcd'}{'NoEnforceGroups'} || '';
-# Format as a PHP array
-$noenforcegroups =~ s/^,+|,+$//g;
-$noenforcegroups =~ s/^/'/g;
-$noenforcegroups =~ s/$/'/g;
-$noenforcegroups =~ s/[;,]/','/g;
+my @noenforcegroups = split( /[;,]/, (${'mozilla-mcd'}{'NoEnforceGroups'} || '') );
+my @wlgroups = split( /[;,]/, (${'mozilla-mcd'}{'WhiteListGroups'} || '') );
+
+my $noenforcegroups = join (',', @noenforcegroups);
+my $wlgroups = join (',', @wlgroups);
 
 $OUT .=<<"EOF";
 
@@ -27,6 +26,7 @@ define('TB_PREF', '$tbpref');
 define('FF_PREF', '$ffpref');
 define('HOME_URL', '$url');
 \$NOENFORCEGROUPS = array($noenforcegroups);
+\$WHITELISTGROUPS = array($wlgroups);
 
 EOF
 
diff --git a/root/usr/share/mozilla-mcd/thunderbird.php b/root/usr/share/mozilla-mcd/thunderbird.php
index 01e7aad..73a86a6 100644
--- a/root/usr/share/mozilla-mcd/thunderbird.php
+++ b/root/usr/share/mozilla-mcd/thunderbird.php
@@ -41,6 +41,20 @@ if(isset($_SERVER['QUERY_STRING']) && preg_match('/^.+@' . DOMAIN . '$/', $_SERV
             break;
         }
     }
+    // Stop here if the user is not part of the whitelist groups
+    if (count($WHITELISTGROUPS) > 0){
+        $conf = 0;
+        foreach ($user[0]['posixmemberof'] as $group){
+            if (in_array($group, $WHITELISTGROUPS)){
+                $conf = 1;
+                break;
+            }
+        }
+        if ($conf != 1){
+            header("HTTP/1.1 403 Forbidden");
+            exit;
+        }
+    }
 }
 else {
     // We've not received a valid email address