r45350 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r45349‎ \| r45350 \| r45351 >
Date:	21:58, 2 January 2009
Author:	laner
Status:	deferred
Tags:
Comment:	* Added support for exclusion groups; configured via $wgLDAPExcludedGroups. This should be configured exactly like $wgLDAPRequiredGroups. * Cleaned up the checkGroups() function; removed a stupid check against the count of the groups; performance should be better for organizations with a lot of groups.
Modified paths:	/trunk/extensions/LdapAuthentication/LdapAuthentication.php (modified) (history)

Diff [purge]

Index: trunk/extensions/LdapAuthentication/LdapAuthentication.php
—	—	@@ -1208,7 +1208,7 @@
1209	1209	*/
1210	1210	function checkGroups( $username ) {
1211	1211	global $wgLDAPGroupDN;
1212		~~- global $wgLDAPRequiredGroups;~~
	1212	+ global $wgLDAPRequiredGroups, $wgLDAPExcludedGroups;
1213	1213
1214	1214	$this->printDebug("Entering checkGroups", NONSENSITIVE);
1215	1215
—	—	@@ -1223,6 +1223,24 @@
1224	1224	return ( $info["count"] >= 1 );
1225	1225	}
1226	1226
	1227	+ if ( isset( $wgLDAPExcludedGroups[$_SESSION['wsDomain']] ) ) {
	1228	+ $this->printDebug( "Checking for excluded group membership", NONSENSITIVE );
	1229	+ $excgroups = $wgLDAPExcludedGroups[$_SESSION['wsDomain']];
	1230	+ for ( $i = 0; $i < count( $excgroups ); $i++ ) {
	1231	+ $excgroups[$i] = strtolower( $excgroups[$i] );
	1232	+ }
	1233	+
	1234	+ $this->printDebug( "Excluded groups:", NONSENSITIVE, $excgroups );
	1235	+
	1236	+ foreach ( $this->userLDAPGroups["dn"] as $group ) {
	1237	+ $this->printDebug( "Checking against: $group", NONSENSITIVE );
	1238	+ if ( in_array( $group, $excgroups ) ) {
	1239	+ $this->printDebug( "Found user in an excluded group.", NONSENSITIVE );
	1240	+ return false;
	1241	+ }
	1242	+ }
	1243	+ }
	1244	+
1227	1245	//New style group checking
1228	1246	if ( isset( $wgLDAPRequiredGroups[$_SESSION['wsDomain']] ) ) {
1229	1247	$this->printDebug( "Checking for (new style) group membership", NONSENSITIVE );
—	—	@@ -1233,25 +1251,16 @@
1234	1252
1235	1253	$this->printDebug( "Required groups:", NONSENSITIVE, $reqgroups );
1236	1254
1237		~~- if ( count( $this->userLDAPGroups ) == 0 ) {~~
1238		~~- $this->printDebug( "Couldn't find the user in any groups (1).", NONSENSITIVE );~~
1239		-
1240		~~- //User isn't in any groups, so he/she obviously can't be in~~
1241		~~- //a required one~~
1242		~~- return false;~~
1243		~~- } else {~~
1244		~~- //User is in groups, let's see if a required group is one of them~~
1245		~~- foreach ( $this->userLDAPGroups["dn"] as $group ) {~~
1246		~~- $this->printDebug( "Checking against: $group", NONSENSITIVE );~~
1247		~~- if ( in_array( $group, $reqgroups ) ) {~~
1248		~~- $this->printDebug( "Found user in a group.", NONSENSITIVE );~~
1249		~~- return true;~~
1250		~~- }~~
	1255	+ foreach ( $this->userLDAPGroups["dn"] as $group ) {
	1256	+ $this->printDebug( "Checking against: $group", NONSENSITIVE );
	1257	+ if ( in_array( $group, $reqgroups ) ) {
	1258	+ $this->printDebug( "Found user in a group.", NONSENSITIVE );
	1259	+ return true;
1251	1260	}
	1261	+ }
1252	1262
1253		~~- $this->printDebug("Couldn't find the user in any groups (2).", NONSENSITIVE );~~
1254		~~- return false;~~
1255		~~- }~~
	1263	+ $this->printDebug("Couldn't find the user in any groups.", NONSENSITIVE );
	1264	+ return false;
1256	1265	}
1257	1266
1258	1267	// Ensure we return true if we aren't checking groups.

Status & tagging log

05:27, 3 January 2009 Aaron Schulz (talk | contribs) changed the status of r45350 [removed: new added: deferred]