Rewrite of the authentication and authorization system
This commit is contained in:
Frederic Guillot
@@ -3,7 +3,6 @@
|
||||
namespace Kanboard\Api;
|
||||
|
||||
use JsonRPC\AuthenticationFailure;
|
||||
use Symfony\Component\EventDispatcher\Event;
|
||||
|
||||
/**
|
||||
* Base class
|
||||
@@ -24,15 +23,43 @@ class Auth extends Base
|
||||
*/
|
||||
public function checkCredentials($username, $password, $class, $method)
|
||||
{
|
||||
$this->container['dispatcher']->dispatch('api.bootstrap', new Event);
|
||||
$this->container['dispatcher']->dispatch('app.bootstrap');
|
||||
|
||||
if ($username !== 'jsonrpc' && ! $this->authentication->hasCaptcha($username) && $this->authentication->authenticate($username, $password)) {
|
||||
if ($this->isUserAuthenticated($username, $password)) {
|
||||
$this->checkProcedurePermission(true, $method);
|
||||
$this->userSession->initialize($this->user->getByUsername($username));
|
||||
} elseif ($username === 'jsonrpc' && $password === $this->config->get('api_token')) {
|
||||
} elseif ($this->isAppAuthenticated($username, $password)) {
|
||||
$this->checkProcedurePermission(false, $method);
|
||||
} else {
|
||||
throw new AuthenticationFailure('Wrong credentials');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check user credentials
|
||||
*
|
||||
* @access public
|
||||
* @param string $username
|
||||
* @param string $password
|
||||
* @return boolean
|
||||
*/
|
||||
private function isUserAuthenticated($username, $password)
|
||||
{
|
||||
return $username !== 'jsonrpc' &&
|
||||
! $this->userLocking->isLocked($username) &&
|
||||
$this->authenticationManager->passwordAuthentication($username, $password);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check administrative credentials
|
||||
*
|
||||
* @access public
|
||||
* @param string $username
|
||||
* @param string $password
|
||||
* @return boolean
|
||||
*/
|
||||
private function isAppAuthenticated($username, $password)
|
||||
{
|
||||
return $username === 'jsonrpc' && $password === $this->config->get('api_token');
|
||||
}
|
||||
}
|
||||
|
||||
@@ -20,7 +20,7 @@ class Me extends Base
|
||||
public function getMyDashboard()
|
||||
{
|
||||
$user_id = $this->userSession->getId();
|
||||
$projects = $this->project->getQueryColumnStats($this->projectPermission->getActiveMemberProjectIds($user_id))->findAll();
|
||||
$projects = $this->project->getQueryColumnStats($this->projectPermission->getActiveProjectIds($user_id))->findAll();
|
||||
$tasks = $this->taskFinder->getUserQuery($user_id)->findAll();
|
||||
|
||||
return array(
|
||||
@@ -32,7 +32,7 @@ class Me extends Base
|
||||
|
||||
public function getMyActivityStream()
|
||||
{
|
||||
$project_ids = $this->projectPermission->getActiveMemberProjectIds($this->userSession->getId());
|
||||
$project_ids = $this->projectPermission->getActiveProjectIds($this->userSession->getId());
|
||||
return $this->projectActivity->getProjects($project_ids, 100);
|
||||
}
|
||||
|
||||
@@ -50,7 +50,7 @@ class Me extends Base
|
||||
|
||||
public function getMyProjectsList()
|
||||
{
|
||||
return $this->projectPermission->getMemberProjects($this->userSession->getId());
|
||||
return $this->projectUserRole->getProjectsByUser($this->userSession->getId());
|
||||
}
|
||||
|
||||
public function getMyOverdueTasks()
|
||||
@@ -60,7 +60,7 @@ class Me extends Base
|
||||
|
||||
public function getMyProjects()
|
||||
{
|
||||
$project_ids = $this->projectPermission->getActiveMemberProjectIds($this->userSession->getId());
|
||||
$project_ids = $this->projectPermission->getActiveProjectIds($this->userSession->getId());
|
||||
$projects = $this->project->getAllByIds($project_ids);
|
||||
|
||||
return $this->formatProjects($projects);
|
||||
|
||||
@@ -2,6 +2,8 @@
|
||||
|
||||
namespace Kanboard\Api;
|
||||
|
||||
use Kanboard\Core\Security\Role;
|
||||
|
||||
/**
|
||||
* ProjectPermission API controller
|
||||
*
|
||||
@@ -12,16 +14,16 @@ class ProjectPermission extends \Kanboard\Core\Base
|
||||
{
|
||||
public function getMembers($project_id)
|
||||
{
|
||||
return $this->projectPermission->getMembers($project_id);
|
||||
return $this->projectUserRole->getAllUsers($project_id);
|
||||
}
|
||||
|
||||
public function revokeUser($project_id, $user_id)
|
||||
{
|
||||
return $this->projectPermission->revokeMember($project_id, $user_id);
|
||||
return $this->projectUserRole->removeUser($project_id, $user_id);
|
||||
}
|
||||
|
||||
public function allowUser($project_id, $user_id)
|
||||
{
|
||||
return $this->projectPermission->addMember($project_id, $user_id);
|
||||
return $this->projectUserRole->addUser($project_id, $user_id, Role::PROJECT_MEMBER);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -3,6 +3,10 @@
|
||||
namespace Kanboard\Api;
|
||||
|
||||
use Kanboard\Auth\Ldap;
|
||||
use Kanboard\Core\Security\Role;
|
||||
use Kanboard\Core\Ldap\Client as LdapClient;
|
||||
use Kanboard\Core\Ldap\ClientException as LdapException;
|
||||
use Kanboard\Core\Ldap\User as LdapUser;
|
||||
|
||||
/**
|
||||
* User API controller
|
||||
@@ -27,7 +31,7 @@ class User extends \Kanboard\Core\Base
|
||||
return $this->user->remove($user_id);
|
||||
}
|
||||
|
||||
public function createUser($username, $password, $name = '', $email = '', $is_admin = 0, $is_project_admin = 0)
|
||||
public function createUser($username, $password, $name = '', $email = '', $role = Role::APP_USER)
|
||||
{
|
||||
$values = array(
|
||||
'username' => $username,
|
||||
@@ -35,44 +39,53 @@ class User extends \Kanboard\Core\Base
|
||||
'confirmation' => $password,
|
||||
'name' => $name,
|
||||
'email' => $email,
|
||||
'is_admin' => $is_admin,
|
||||
'is_project_admin' => $is_project_admin,
|
||||
'role' => $role,
|
||||
);
|
||||
|
||||
list($valid, ) = $this->user->validateCreation($values);
|
||||
return $valid ? $this->user->create($values) : false;
|
||||
}
|
||||
|
||||
public function createLdapUser($username = '', $email = '', $is_admin = 0, $is_project_admin = 0)
|
||||
public function createLdapUser($username)
|
||||
{
|
||||
$ldap = new Ldap($this->container);
|
||||
$user = $ldap->lookup($username, $email);
|
||||
try {
|
||||
|
||||
if (! $user) {
|
||||
$ldap = LdapClient::connect();
|
||||
$user = LdapUser::getUser($ldap, sprintf(LDAP_USER_FILTER, $username));
|
||||
|
||||
if ($user === null) {
|
||||
$this->logger->info('User not found in LDAP server');
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($user->getUsername() === '') {
|
||||
throw new LogicException('Username not found in LDAP profile, check the parameter LDAP_USER_ATTRIBUTE_USERNAME');
|
||||
}
|
||||
|
||||
$values = array(
|
||||
'username' => $user->getUsername(),
|
||||
'name' => $user->getName(),
|
||||
'email' => $user->getEmail(),
|
||||
'role' => $user->getRole(),
|
||||
'is_ldap_user' => 1,
|
||||
);
|
||||
|
||||
return $this->user->create($values);
|
||||
|
||||
} catch (LdapException $e) {
|
||||
$this->logger->error($e->getMessage());
|
||||
return false;
|
||||
}
|
||||
|
||||
$values = array(
|
||||
'username' => $user['username'],
|
||||
'name' => $user['name'],
|
||||
'email' => $user['email'],
|
||||
'is_ldap_user' => 1,
|
||||
'is_admin' => $is_admin,
|
||||
'is_project_admin' => $is_project_admin,
|
||||
);
|
||||
|
||||
return $this->user->create($values);
|
||||
}
|
||||
|
||||
public function updateUser($id, $username = null, $name = null, $email = null, $is_admin = null, $is_project_admin = null)
|
||||
public function updateUser($id, $username = null, $name = null, $email = null, $role = null)
|
||||
{
|
||||
$values = array(
|
||||
'id' => $id,
|
||||
'username' => $username,
|
||||
'name' => $name,
|
||||
'email' => $email,
|
||||
'is_admin' => $is_admin,
|
||||
'is_project_admin' => $is_project_admin,
|
||||
'role' => $role,
|
||||
);
|
||||
|
||||
foreach ($values as $key => $value) {
|
||||
|
||||
Reference in New Issue
Block a user