X-Git-Url: http://wagnertech.de/gitweb/gitweb.cgi/mfinanz.git/blobdiff_plain/109b7f304eb81fa34622d4bdfdda0d9c09dbc570..1268bf670c06f5a66ad78a75e41ad6c15061d9bc:/SL/Auth.pm diff --git a/SL/Auth.pm b/SL/Auth.pm index 9f52a37e1..6be693382 100644 --- a/SL/Auth.pm +++ b/SL/Auth.pm @@ -5,7 +5,7 @@ use DBI; use Digest::MD5 qw(md5_hex); use IO::File; use Time::HiRes qw(gettimeofday); -use List::MoreUtils qw(uniq); +use List::MoreUtils qw(any uniq); use YAML; use Regexp::IPv6 qw($IPv6_re); @@ -72,7 +72,7 @@ sub reset { delete $self->{column_information}; } - $self->{authenticator}->reset; + $_->reset for @{ $self->{authenticators} }; $self->client(undef); } @@ -118,7 +118,10 @@ sub mini_error { my ($self, @msg) = @_; if ($ENV{HTTP_USER_AGENT}) { - print Form->create_http_response(content_type => 'text/html'); + # $::form might not be initialized yet at this point — therefore + # we cannot use "create_http_response" yet. + my $cgi = CGI->new(''); + print $cgi->header('-type' => 'text/html', '-charset' => 'UTF-8'); print "
", join ('
', @msg), "
"; } else { print STDERR "Error: @msg\n"; @@ -140,19 +143,33 @@ sub _read_auth_config { } else { $self->{DB_config} = $::lx_office_conf{'authentication/database'}; - $self->{LDAP_config} = $::lx_office_conf{'authentication/ldap'}; } - if ($self->{module} eq 'DB') { - $self->{authenticator} = SL::Auth::DB->new($self); + $self->{authenticators} = []; + $self->{module} ||= 'DB'; + $self->{module} =~ s{^ +| +$}{}g; - } elsif ($self->{module} eq 'LDAP') { - $self->{authenticator} = SL::Auth::LDAP->new($self); - } + foreach my $module (split m{ +}, $self->{module}) { + my $config_name; + ($module, $config_name) = split m{:}, $module, 2; + $config_name ||= $module eq 'DB' ? 'database' : lc($module); + my $config = $::lx_office_conf{'authentication/' . $config_name}; - if (!$self->{authenticator}) { - my $locale = Locale->new('en'); - $self->mini_error($locale->text('No or an unknown authenticantion module specified in "config/kivitendo.conf".')); + if (!$config) { + my $locale = Locale->new('en'); + $self->mini_error($locale->text('Missing configuration section "authentication/#1" in "config/kivitendo.conf".', $config_name)); + } + + if ($module eq 'DB') { + push @{ $self->{authenticators} }, SL::Auth::DB->new($self); + + } elsif ($module eq 'LDAP') { + push @{ $self->{authenticators} }, SL::Auth::LDAP->new($config); + + } else { + my $locale = Locale->new('en'); + $self->mini_error($locale->text('Unknown authenticantion module #1 specified in "config/kivitendo.conf".', $module)); + } } my $cfg = $self->{DB_config}; @@ -167,7 +184,7 @@ sub _read_auth_config { $self->mini_error($locale->text('config/kivitendo.conf: Missing parameters in "authentication/database". Required parameters are "host", "db" and "user".')); } - $self->{authenticator}->verify_config(); + $_->verify_config for @{ $self->{authenticators} }; $self->{session_timeout} *= 1; $self->{session_timeout} = 8 * 60 if (!$self->{session_timeout}); @@ -227,7 +244,14 @@ sub authenticate { return ERR_PASSWORD; } - my $result = $login ? $self->{authenticator}->authenticate($login, $password) : ERR_USER; + my $result = ERR_USER; + if ($login) { + foreach my $authenticator (@{ $self->{authenticators} }) { + $result = $authenticator->authenticate($login, $password); + last if $result == OK; + } + } + $self->set_session_value(SESSION_KEY_USER_AUTH() => $result, login => $login, client_id => $self->client->{id}); return $result; } @@ -412,15 +436,22 @@ sub save_user { sub can_change_password { my $self = shift; - return $self->{authenticator}->can_change_password(); + return any { $_->can_change_password } @{ $self->{authenticators} }; } sub change_password { my ($self, $login, $new_password) = @_; - my $result = $self->{authenticator}->change_password($login, $new_password); + my $overall_result = OK; - return $result; + foreach my $authenticator (@{ $self->{authenticators} }) { + next unless $authenticator->can_change_password; + + my $result = $authenticator->change_password($login, $new_password); + $overall_result = $result if $result != OK; + } + + return $overall_result; } sub read_all_users { @@ -848,7 +879,7 @@ sub get_session_value { ($self->{SESSION}{$key} //= SL::Auth::SessionValue->new(auth => $self, key => $key))->get } -sub create_unique_sesion_value { +sub create_unique_session_value { my ($self, $value, %params) = @_; $self->{SESSION} ||= { }; @@ -881,7 +912,7 @@ sub save_form_in_session { $data->{$key} = $form->{$key} if !ref($form->{$key}) || $non_scalars; } - return $self->create_unique_sesion_value($data, %params); + return $self->create_unique_session_value($data, %params); } sub restore_form_from_session { @@ -1095,6 +1126,8 @@ sub evaluate_rights_ary { my $negate = 0; foreach my $el (@{$ary}) { + next unless defined $el; + if (ref $el eq "ARRAY") { my $val = evaluate_rights_ary($el); $val = !$val if $negate; @@ -1196,6 +1229,15 @@ sub check_right { return $granted; } +sub deny_access { + my ($self) = @_; + + $::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json'; + + delete $::form->{title}; + $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); +} + sub assert { my ($self, $right, $dont_abort) = @_; @@ -1204,8 +1246,7 @@ sub assert { } if (!$dont_abort) { - delete $::form->{title}; - $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); + $self->deny_access; } return 0; @@ -1291,7 +1332,7 @@ The values can be any Perl structure. They are stored as YAML dumps. Retrieve a value from the session. Returns C if the value doesn't exist. -=item C +=item C Create a unique key in the session and store C<$value> there. @@ -1307,7 +1348,7 @@ setters nor the deleter access the database. =item C Stores the content of C<$params{form}> (default: C<$::form>) in the -session using L. +session using L. If C<$params{non_scalars}> is trueish then non-scalar values will be stored as well. Default is to only store scalar values.