Fix role precedence in LDAP integration

2018-03-08 22:20:33 +01:00 · 2018-03-08 22:20:33 +01:00 · d34a5c50c4
parent a66d080698
commit d34a5c50c4
2 changed files with 24 additions and 7 deletions
--- a/app/Core/Ldap/User.php
+++ b/app/Core/Ldap/User.php
@ -120,17 +120,25 @@ class User
            return null;
        }

+        // Init with smallest role
+        $role = Role::APP_USER ;
+
        foreach ($groupIds as $groupId) {
            $groupId = strtolower($groupId);

            if ($groupId === strtolower($this->getGroupAdminDn())) {
-                return Role::APP_ADMIN;
-            } elseif ($groupId === strtolower($this->getGroupManagerDn())) {
-                return Role::APP_MANAGER;
+                // Highest role found : we can and we must exit the loop
+                $role = Role::APP_ADMIN;
+                break;
+            }
+
+            if ($groupId === strtolower($this->getGroupManagerDn())) {
+                // Intermediate role found : we must continue to loop, maybe admin role after ?
+	        $role = Role::APP_MANAGER;
            }
        }

-        return Role::APP_USER;
+        return $role;
    }

    /**
--- a/tests/units/Core/Ldap/LdapUserTest.php
+++ b/tests/units/Core/Ldap/LdapUserTest.php
@ -231,8 +231,10 @@ class LdapUserTest extends Base
                    0 => 'my_ldap_user',
                ),
                'memberof' => array(
-                    'count' => 1,
-                    0 => 'CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local',
+                    'count' => 3,
+                    0 => 'CN=Kanboard-Users,CN=Users,DC=kanboard,DC=local',
+                    1 => 'CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local',
+                    2 => 'CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local',
                ),
                0 => 'displayname',
                1 => 'mail',
@ -301,7 +303,14 @@ class LdapUserTest extends Base
        $this->assertEquals('My LDAP user', $user->getName());
        $this->assertEquals('user1@localhost', $user->getEmail());
        $this->assertEquals(Role::APP_ADMIN, $user->getRole());
-        $this->assertEquals(array('CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local'), $user->getExternalGroupIds());
+        $this->assertEquals(
+            array(
+                'CN=Kanboard-Users,CN=Users,DC=kanboard,DC=local',
+                'CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local',
+                'CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local',
+            ),
+            $user->getExternalGroupIds()
+        );
        $this->assertEquals(array('is_ldap_user' => 1), $user->getExtraAttributes());
    }