Group filter for #5133

2024-11-21 16:38:36 -06:00 · 2021-10-02 14:33:14 +02:00 · 2021-10-02 14:33:14 +02:00 · cc67583278
commit cc67583278
parent a14568c796
4 changed files with 46 additions and 1 deletions
--- a/.env.example
+++ b/.env.example
@ -185,6 +185,16 @@ LDAP_PASSWORD=super_secret

 LDAP_AUTH_FIELD=uid

+#
+# If you wish to only authenticate users from a specific group, use the
+# group filter. Leave empty or remove if not in use.
+#
+# Example: cn=Administrators,dc=local,dc=com
+#
+# The group filter will only be applied after the user is authenticated.
+#
+LDAP_GROUP_FILTER=
+
 #
 # Remote user guard settings
 #
--- a/app/Ldap/Rules/UserDefinedRule.php
+++ b/app/Ldap/Rules/UserDefinedRule.php
@ -0,0 +1,30 @@
+<?php
+
+namespace FireflyIII\Ldap\Rules;
+
+use LdapRecord\Laravel\Auth\Rule;
+use LdapRecord\Models\ActiveDirectory\Group;
+
+/**
+ * Class UserDefinedRule
+ */
+class UserDefinedRule extends Rule
+{
+    /**
+     * Check if the rule passes validation.
+     *
+     * @return bool
+     */
+    public function isValid()
+    {
+        // LDAP_GROUP_FILTER
+        $groupFilter = config('ldap.group_filter');
+        if (null !== $groupFilter && '' !== (string)$groupFilter) {
+            $administrators = Group::find('cn=Administrators,dc=local,dc=com');
+
+            return $this->user->groups()->recursive()->exists($administrators);
+        }
+
+        return true;
+    }
+}
--- a/config/auth.php
+++ b/config/auth.php
@ -22,6 +22,7 @@
 declare(strict_types=1);

 use FireflyIII\Ldap\AttributeHandler;
+use FireflyIII\Ldap\Rules\UserDefinedRule;

 return [
    /*
@ -109,7 +110,9 @@ return [
            'driver'   => 'ldap',
            //'model'    => LdapRecord\Models\ActiveDirectory\User::class,
            'model'    => LdapRecord\Models\OpenLDAP\User::class,
-            'rules'    => [],
+            'rules'    => [
+                UserDefinedRule::class
+            ],
            'database' => [
                'model'           => FireflyIII\User::class,
                'sync_passwords'  => false,
--- a/config/ldap.php
+++ b/config/ldap.php
@ -37,6 +37,8 @@ return [

    'default' => env('LDAP_CONNECTION', 'default'),

+    'group_filter' => env('LDAP_GROUP_FILTER'),
+
    /*
    |--------------------------------------------------------------------------
    | LDAP Connections