Hi Roland :)
Thanks for your feedback.
I'm glad to read you'll add this patch :)
Finally, I wrote this to work in all (I think) cases:
> //DN to edit ; note DN GET parameter is given between quotes, see userlink.php
> // ($userData and $loggedUserDNSuffix are assumed to be set just above, as in the first patch)
> $editUserDNSuffix = "";
> if (!empty($_GET['DN'])) {
>     $editUserDNSuffix = str_replace("'", '', $_GET['DN']);
> } elseif (!empty($_POST['accountContainerSuffix'])) {
>     $editUserDNSuffix = $_POST['accountContainerSuffix'];
> }
>
> if (!isSameDC($loggedUserDNSuffix, $editUserDNSuffix)) {
>     logNewMessage(LOG_ERR, "User logged ($userData[0]) tried to access other account DN Suffix: " . $editUserDNSuffix);
>     StatusMessage("ERROR", "Edit forbidden", "You can only edit users that share the same O/DN as yours", NULL, false);
>     die();
> }
and in lib/account.inc :
> /**
>  * Helper function to check if the root O/DC components of two DNs are equal
>  *
>  * @param string $a first DN to compare
>  * @param string $b second DN to compare
>  * @return boolean true if equal, false if different
>  */
> function isSameDC($a, $b) {
>     $odc_a = "";
>     $odc_b = "";
>     // split DNs
>     // aims to be uid=user,ou=unit,o=entity,dc=root ; needs to be much more parsed
>     // (escaped commas inside attribute values are not handled here)
>     $array_a = explode(",", strtolower($a));
>     $array_b = explode(",", strtolower($b));
>
>     // needs a function here for both $a & $b
>     // keep only the o= and dc= components of each DN, ignoring spaces around them
>     foreach ($array_a as $value) {
>         $value = trim($value);
>         $node = explode("=", $value);
>         if ($node[0] == "dc" || $node[0] == "o") {
>             $odc_a .= "," . $value;
>         }
>     }
>
>     foreach ($array_b as $value) {
>         $value = trim($value);
>         $node = explode("=", $value);
>         if ($node[0] == "dc" || $node[0] == "o") {
>             $odc_b .= "," . $value;
>         }
>     }
>     return ($odc_a == $odc_b);
> }
Best regards,
stef
On 2014-07-04 17:10, Roland Gruber wrote:
> Hi Stef,
>
> To correctly avoid this you need to set up ACLs on the server side. The DN
> suffixes in LAM are more to limit visibility (users may also use other
> tools to access LDAP).
> But I will add your fix to the next release. Thanks for the patch. :)
>
> Best regards
>
> Roland
>
> On 25.06.2014 19:14, Stef wrote:
>
>> Hi :)
>> I've just discovered lam, seems to be great for my need: I've configured
>> several server instances pointing to the same LDAP server, in order to lock
>> users into their nested branch (like a jail). That way, users from an
>> instance can't mess up other branches :)
>> * server instance A, to manage only ou=a,ou=mycompagny,ou=fr
>> * server instance B, to manage only ou=b,ou=mycompagny,ou=fr
>> * etc.
>> Users can log in to their instance if their user/pwd is correctly set in
>> uid=%USER%,ou=people,ou=a,ou=mycompagny,ou=fr but.... in
>> templates/account/edit.php, there's no check on the DN asked to be edited:
>> editing the URL lets people edit objects that aren't in the subtree to
>> which they belong!
>> I suggest adding something like this at line 57:
>> // Logged user DN
>> $userData = $_SESSION['ldap']->decrypt_login();
>> $loggedUserDNSuffix = extractDNSuffix($userData[0]);
>> //DN to edit ; note DN GET parameter is given between quotes, see userlink.php
>> $editUserDNSuffix = extractDNSuffix(str_replace("'", '', $_GET['DN']));
>> if ("$editUserDNSuffix" != "$loggedUserDNSuffix") {
>>     logNewMessage(LOG_ERR, "User logged ($userData[0]) tried to access other account DN Suffix: " . $editUserDNSuffix);
>>     StatusMessage("ERROR", "Edit forbidden", "You can only edit users that share the same DN as yours", NULL, false);
>>     die();
>> }
>> What do you think about this?
>> ------------------------------------------------------------------------------
>> Open source business process management suite built on Java and Eclipse
>> Turn processes into business applications with Bonita BPM Community Edition
>> Quickly connect people, data, and systems into organized workflows
>> Winner of BOSSIE, CODIE, OW2 and Gartner awards
>> http://p.sf.net/sfu/Bonitasoft
>> _______________________________________________
>> Lam-public mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/lam-public
--
Stéphane
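As an added example (not Stef's patch and not LAM's own code), here is a stricter form of the DN check discussed above: it parses the DN instead of a plain explode(","), honours backslash-escaped commas inside values, and requires the requested DN to lie under the instance's own suffix, so a sibling ou that merely shares the same o=/dc= components is rejected. The suffix, the sample DNs and the function names splitDN and isUnderSuffix are constructed for this example.

```php
<?php
// Added example, not part of LAM or of the patch above: enforce that the DN
// requested for editing lies inside the instance's own subtree. Unlike a
// plain explode(","), the split honours backslash-escaped commas in values,
// and the comparison ignores case and whitespace around RDNs.

/**
 * Split a DN into normalised RDN strings (trimmed, lower-cased), leftmost first.
 * Lower-casing whole RDNs is a simplification assumed good enough for this check.
 */
function splitDN($dn) {
    $rdns = preg_split('/(?<!\\\\),/', $dn);   // comma not preceded by a backslash
    return array_map(function ($rdn) { return strtolower(trim($rdn)); }, $rdns);
}

/**
 * True if $dn equals $suffix or is an entry below it in the tree.
 */
function isUnderSuffix($dn, $suffix) {
    $dnParts = splitDN($dn);
    $suffixParts = splitDN($suffix);
    if (count($suffixParts) > count($dnParts)) {
        return false;
    }
    // the rightmost RDNs of $dn must match the suffix exactly, component by component
    $tail = array_slice($dnParts, count($dnParts) - count($suffixParts));
    return $tail === $suffixParts;
}

// Constructed sample values: the suffix this server instance is allowed to manage
// and four DNs a user might request through the DN parameter.
$allowedSuffix = 'ou=a,ou=mycompagny,ou=fr';
$requests = array(
    "cn=Smith\\, John,ou=people,ou=a,ou=mycompagny,ou=fr", // escaped comma in a value: allowed
    'uid=bob,ou=people,ou=b,ou=mycompagny,ou=fr',          // sibling branch, same o/dc: denied
    'OU=A,OU=mycompagny,OU=fr',                            // the suffix itself, other case: allowed
    'ou=a,ou=mycompagny,ou=fr,dc=example',                 // same-looking prefix, other tree: denied
);
foreach ($requests as $dn) {
    // in edit.php the denied branch is where logNewMessage()/StatusMessage()/die() belong
    echo (isUnderSuffix($dn, $allowedSuffix) ? "allowed: " : "denied:  ") . $dn . "\n";
}
```

Values with escaped characters other than "\," (hex escapes, quoted RDNs) are not normalised here; a full RFC 4514 parser would be needed for those.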