Hi :)
I've just discovered LAM; it seems to be great for my needs: I've
configured several server instances pointing to the same LDAP server, in
order to lock users into their own branch (like a jail).
That way, users of one instance can't mess with the other branches :)
* server instance A, to manage only ou=a,ou=mycompagny,ou=fr
* server instance B, to manage only ou=b,ou=mycompagny,ou=fr
* etc.
Users can log in to their instance if their user/password is set correctly in
uid=%USER%,ou=people,ou=a,ou=mycompagny,ou=fr
but.... in templates/account/edit.php, there's no check on the DN
requested for editing: editing the URL lets people edit objects that aren't
in the subtree to which they belong!
I suggest adding something like this at line 57:
// DN of the logged-in user
$userData = $_SESSION['ldap']->decrypt_login();
$loggedUserDNSuffix = extractDNSuffix($userData[0]);
// DN to edit; note the DN GET parameter is passed between quotes, see userlink.php
$requestedDN = isset($_GET['DN']) ? $_GET['DN'] : '';
$editUserDNSuffix = extractDNSuffix(str_replace("'", '', $requestedDN));
// Refuse anything that is not below the same suffix as the logged-in user
if ($editUserDNSuffix != $loggedUserDNSuffix) {
    logNewMessage(LOG_ERR, "Logged-in user ($userData[0]) tried to access another account DN suffix: " . $editUserDNSuffix);
    StatusMessage("ERROR", "Edit forbidden", "You can only edit users that share the same DN suffix as yours", NULL, false);
    die();
}
What do you think about this?
--
Stéphane
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
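The check above compares two DN suffix strings for equality. As an added example (this is my own code, not LAM's, and the function names and the idea of checking against the instance's configured base rather than the logged-in user's own suffix are assumptions), here is a slightly more general version of the same guard: the requested DN is split into RDNs, normalised for case and whitespace, and must end with the RDNs of the base that the instance is allowed to manage, so that entries in any container below ou=a (ou=people, ou=groups, ...) pass while anything outside it, including the parent of the base, is refused.

```php
<?php
// Added example, not LAM project code. Subtree check for a DN received as a
// request parameter, to be used in place of a plain suffix-string comparison.
// Function names and the $allowedBase convention are assumptions.

/**
 * Split a DN into its RDN components, lower-casing attribute types and values
 * and trimming whitespace, so that
 * "UID=Bob, OU=People,ou=a,ou=mycompagny,ou=fr" and
 * "uid=bob,ou=people,ou=a,ou=mycompagny,ou=fr" compare equal.
 * Commas escaped with a backslash stay inside their value.
 * Assumption: case-insensitive value comparison, which matches the default
 * matching rule of uid/ou/cn (caseIgnoreMatch); adapt it for attributes that
 * use a case-exact rule.
 */
function dnToRdns(string $dn): array
{
    $rdns = [];
    foreach (preg_split('/(?<!\\\\),/', $dn) as $component) {
        $component = trim($component);
        if ($component === '') {
            continue;
        }
        $eq = strpos($component, '=');
        if ($eq === false) {
            return []; // malformed DN: never matches anything
        }
        $type  = strtolower(trim(substr($component, 0, $eq)));
        $value = strtolower(trim(substr($component, $eq + 1)));
        if ($type === '' || $value === '') {
            return [];
        }
        $rdns[] = $type . '=' . $value;
    }
    return $rdns;
}

/**
 * True when $dn is $base itself or lies anywhere below it.
 */
function dnIsWithin(string $dn, string $base): bool
{
    $dnRdns   = dnToRdns($dn);
    $baseRdns = dnToRdns($base);
    if ($dnRdns === [] || $baseRdns === [] || count($dnRdns) < count($baseRdns)) {
        return false;
    }
    // The last count($baseRdns) components of $dn must be exactly the base.
    return array_slice($dnRdns, count($dnRdns) - count($baseRdns)) === $baseRdns;
}

/**
 * Guard for a page that receives the DN to edit as a request parameter.
 * userlink.php passes the DN wrapped in single quotes, so they are stripped
 * first. Returns true if the edit may proceed; the caller logs and refuses
 * otherwise (in LAM that would be logNewMessage() and StatusMessage()).
 */
function requestedDnIsEditable(?string $rawDnParam, string $allowedBase): bool
{
    if ($rawDnParam === null) {
        return false; // missing parameter: refuse rather than raise a notice
    }
    $dn = str_replace("'", '', $rawDnParam);
    return dnIsWithin($dn, $allowedBase);
}

// Constructed sample requests against an instance limited to ou=a.
$allowedBase = 'ou=a,ou=mycompagny,ou=fr';
$requests = [
    "'uid=bob,ou=people,ou=a,ou=mycompagny,ou=fr'"   => true,  // own branch
    "'cn=admins,ou=groups,OU=A,ou=mycompagny,ou=fr'" => true,  // other container, same instance
    "'uid=eve,ou=people,ou=b,ou=mycompagny,ou=fr'"   => false, // another instance's branch
    "'ou=mycompagny,ou=fr'"                          => false, // parent of the base
    // escaped commas inside the RDN value do not move the entry under ou=a
    "'uid=x\\,ou=a\\,ou=mycompagny\\,ou=fr,ou=people,ou=b,ou=mycompagny,ou=fr'" => false,
];
foreach ($requests as $param => $expected) {
    $ok = requestedDnIsEditable($param, $allowedBase);
    printf("%-80s %s\n", $param, $ok ? 'allowed' : 'refused');
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected result for $param");
    }
}
```

Two practical caveats. First, the same guard is needed in every script that accepts a DN from the request (delete, password reset, any AJAX endpoint), not only edit.php, so it is better placed in one shared function than copied per page. Second, a check in the web application is only a second layer: whatever rights the bound LDAP account has on the directory are what actually limits it, so the LDAP server's own ACLs should deny writes outside each branch as well.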