Hi Stef,

to correctly avoid this you need to set up ACLs on the server side. The DN
suffixes in LAM are more to limit visibility (users may also use other
tools to access LDAP).
But I will add your fix to the next release. Thanks for the patch. :)


Best regards

Roland


On 25.06.2014 19:14, Stef wrote:
>  
> 
> Hi :) 
> 
> I've just discovered LAM, which seems to be great for my needs: I've
> configured several server instances pointing to the same LDAP server, in
> order to lock users into their nested branch (like a jail).
> That way, users from one instance can't make a mess in other branches :)
> 
> 
>       * server instance A, to manage only ou=a,ou=mycompagny,ou=fr
>       * server instance B, to manage only ou=b,ou=mycompagny,ou=fr
>       * etc.
> 
> Users can log in to their instance if their user/pwd is correctly set in
> uid=%USER%,ou=people,ou=a,ou=mycompagny,ou=fr
> 
> but... in templates/account/edit.php, there's no check on the DN
> requested for editing: editing the URL lets people edit objects that aren't
> in the subtree to which they belong!
> 
> I suggest adding something like this at line 57:
> 
> // Logged user DN
> $userData = $_SESSION['ldap']->decrypt_login();
> $loggedUserDNSuffix = extractDNSuffix($userData[0]);
> 
> // DN to edit; note the DN GET parameter is given between quotes, see userlink.php
> $editUserDNSuffix = extractDNSuffix(str_replace("'", '', $_GET['DN']));
> 
> if ("$editUserDNSuffix" != "$loggedUserDNSuffix") {
>     logNewMessage(LOG_ERR, "User logged ($userData[0]) tried to access other account DN Suffix: " . $editUserDNSuffix);
>     StatusMessage("ERROR", "Edit forbidden", "You can only edit users that share the same DN suffix as yours", NULL, false);
>     die();
> }
> 
> What do you think about this?
> 
> 
> _______________________________________________
> Lam-public mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/lam-public
> 
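The check Stef proposes compares the raw string suffix of two DNs. As an added illustration (not LAM code, and not the patch above), here is a standalone PHP version that compares DNs component by component, so that case and whitespace differences in an otherwise identical DN do not cause a false reject, and generalises the rule from "same parent as the logged-in user" to "inside the subtree this server instance manages"; the DNs and the `$allowedSuffix` value are assumptions taken from the instances described in the thread.

```php
<?php
// Added example: is the DN the client asked to edit inside the subtree the
// current server instance is allowed to manage? Comparison is done on
// normalised RDN components rather than on the raw string.

// Split a DN on unescaped commas and normalise each "attr=value" pair.
// Returns [] for a malformed DN so that the caller fails closed.
function normalizeDnComponents(string $dn): array {
    $parts = [];
    foreach (preg_split('/(?<!\\\\),/', $dn) as $rdn) {
        $rdn = trim($rdn);
        if ($rdn === '') { return []; }
        [$attr, $value] = array_pad(explode('=', $rdn, 2), 2, null);
        if ($value === null || trim($attr) === '') { return []; }
        $parts[] = strtolower(trim($attr)) . '=' . strtolower(trim($value));
    }
    return $parts;
}

// True when $dn equals $allowedSuffix or lies anywhere below it.
function dnIsUnder(string $dn, string $allowedSuffix): bool {
    $dnParts     = normalizeDnComponents($dn);
    $suffixParts = normalizeDnComponents($allowedSuffix);
    $n = count($suffixParts);
    if ($n === 0 || count($dnParts) < $n) { return false; }
    // Deny if either DN failed to parse; otherwise compare the trailing components.
    return array_slice($dnParts, -$n) === $suffixParts;
}

// Mimics edit.php: the DN GET parameter arrives wrapped in single quotes.
function editAllowed(string $rawDnParam, string $allowedSuffix): bool {
    return dnIsUnder(str_replace("'", '', $rawDnParam), $allowedSuffix);
}

// Constructed sample values, modelled on instance A from the thread.
$allowedSuffix = 'ou=a,ou=mycompagny,ou=fr';
var_dump(editAllowed("'uid=bob,ou=people,ou=a,ou=mycompagny,ou=fr'", $allowedSuffix)); // true
var_dump(editAllowed("'uid=bob, OU=People, ou=A,ou=mycompagny, ou=fr'", $allowedSuffix)); // true
var_dump(editAllowed("'uid=eve,ou=people,ou=b,ou=mycompagny,ou=fr'", $allowedSuffix)); // false
var_dump(editAllowed("'ou=mycompagny,ou=fr'", $allowedSuffix)); // false (parent of the branch)
var_dump(editAllowed("'not a dn'", $allowedSuffix)); // false (malformed, fail closed)
```

As Roland notes, this only limits what the LAM front end will show or edit; the authoritative boundary remains the ACL enforced by the LDAP server itself.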
