
diff model/member.lua @ 1071:58f48a8a202a

Imported and merged LDAP patch
author bsw
date Fri Jul 18 21:42:59 2014 +0200 (2014-07-18)
parents 701a5cf6b067
children aefef1556d55
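--- a/model/member.lua
+++ b/model/member.lua
@@ -273,6 +273,17 @@
   self.get_db_conn().query("LOCK TABLE " .. self:get_qualified_table() .. " IN ROW SHARE MODE")
 end
 
+
+function Member:get_all_by_authority(authority)
+  
+  local members = Member:new_selector()
+    :add_where{ "authority = ?", authority }
+    :add_field("authority_data->'uid' as authority_data_uid")
+    :exec()
+    
+  return members
+end
+
 function Member.object:set_password(password)
   trace.disable()
   
@@ -372,17 +383,144 @@
 end
 
 function Member:by_login_and_password(login, password)
-  local selector = self:new_selector()
-  selector:add_field({ "now() > COALESCE(last_delegation_check, activated) + ?::interval", config.check_delegations_interval_hard }, "needs_delegation_check_hard")
-  selector:add_where{'"login" = ?', login }
-  selector:add_where('NOT "locked"')
-  selector:optional_object_mode()
-  local member = selector:exec()
-  if member and member:check_password(password) then
-    return member
-  else
-    return nil
+ 
+  local function prepare_login_selector()
+    local selector = self:new_selector()
+    selector:add_field({ "now() > COALESCE(last_delegation_check, activated) + ?::interval", config.check_delegations_interval_hard }, "needs_delegation_check_hard")
+    selector:add_where('NOT "locked"')
+    selector:optional_object_mode()
+    return selector
+  end
+  
+  local function do_local_login()
+    local selector = prepare_login_selector()
+    selector:add_where{'"login" = ?', login }
+    local member = selector:exec()
+    if member and member:check_password(password) then
+      return member
+    else
+      return nil
+    end
   end
+  
+  if config.ldap.member then
+
+    -- Let's check the users credentials against the LDAP      
+    local ldap_entry, ldap_err = ldap.check_credentials(login, password)
+
+    -- Is the user already registered as member?
+    local uid
+    local selector = prepare_login_selector()
+
+    -- Get login name from LDAP entry
+    if ldap_entry then
+      uid = config.ldap.member.uid_map(ldap_entry)
+      selector:add_where{'"authority" = ? AND "authority_data"->\'uid\' = ?', "ldap", uid }
+
+    -- or build it from the login
+    else
+      login = config.ldap.member.login_normalizer(login)
+      selector:add_where{'"authority" = ? AND "authority_data"->\'login\' = ?', "ldap", login }
+    end
+    
+    local member = selector:exec()
+    -- The member is already registered
+    if member then
+
+      -- The credentials entered by the user are invalid
+      if ldap_err == "invalid_credentials" then
+        
+        -- Check if the user tried a cached password (which is invalid now)
+        if config.ldap.member.cache_passwords and member:check_password(password) then
+          member.password = nil
+          member:save()
+        end
+        
+        -- Try a regular login
+        return do_local_login()
+
+      end
+      
+      -- The credentials were accepted by the LDAP server and no error occured
+      if ldap_entry and not ldap_err then
+        
+        -- Cache the password (if feature enabled)
+        if config.ldap.member.cache_passwords and not member:check_password(password) then
+          member:set_password(password)
+        end
+
+        -- update the member attributes and privileges from LDAP
+        local ldap_conn, ldap_err, err, err2 = ldap.update_member_attr(member, nil, uid)
+        if not err then
+          local err = member:try_save()
+          if err then
+            return nil, "member_save_error", err
+          end
+          local succes, err, err2 = ldap.update_member_privileges(member, ldap_entry)
+          if err then
+            return nil, "update_member_privileges_error", err, err2
+          end
+          return member
+        end
+
+      end
+
+      -- Some kind of LDAP error happened, if cached password are enabled,
+      -- check user credentials against the cache
+      if config.ldap.member.cache_passwords and member:check_password(password) then
+
+        -- return the successfully logged in member
+        return member
+
+      end
+      
+    -- The member is not registered
+    elseif config.ldap.member.registration and ldap_entry and not ldap_err then
+      -- Automatic registration ("auto")
+      if config.ldap.member.registration == "auto" then
+        member = Member:new()
+        member.authority = "ldap"
+        local ldap_login
+        if config.ldap.member.cache_passwords then 
+          if config.ldap.member.login_normalizer then
+            ldap_login = config.ldap.member.login_normalizer(login)
+          else
+            ldap_login = login
+          end
+        end
+        -- TODO change this when SQL layers supports hstore
+        member.authority_data = encode.pg_hstore{
+          uid = uid,
+          login = ldap_login
+        }
+        member.activated = "now"
+        member.last_activity = "now"
+        if config.ldap.member.cache_passwords then
+          member:set_password(password)
+        end
+        local ldap_conn, ldap_err, err, err2 = ldap.update_member_attr(member, nil, uid)
+        if not err then
+          local err = member:try_save()
+          if err then
+            return nil, "member_save_error", err
+          end
+          local success, err, err2 = ldap.update_member_privileges(member, ldap_entry)
+          if err then
+            return nil, "update_member_privileges_error", err, err2
+          end
+          return member
+        end
+
+      -- No automatic registration
+      else
+        return nil, "ldap_credentials_valid_but_no_member", uid
+      end
+    end
+    
+  end
+
+  return do_local_login()
+  
 end
 
 function Member:by_login(login)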
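Review bot: In the second hunk of by_login_and_password, the `else` branch that builds the lookup key from the login calls `config.ldap.member.login_normalizer(login)` unguarded, while the auto-registration branch further down tests `if config.ldap.member.login_normalizer then` first; with no normalizer configured, any login whose LDAP bind fails would raise "attempt to call a nil value" instead of falling through to do_local_login(). The same guard should be applied here, e.g. `if config.ldap.member.login_normalizer then login = config.ldap.member.login_normalizer(login) end`. A second point is that a non-nil `err` from `ldap.update_member_attr` in the registered-member branch is never returned; the code falls through to the cached-password check, which — if set_password at that point already updated the in-memory password (its body is outside this hunk, so this is inferred) — would turn an attribute-update failure into a successful login without persisting or reporting anything; returning `nil, "update_member_attr_error", err, err2` would match the sibling error returns. Minor: the inner `local ldap_conn, ldap_err, err, err2 = ...` shadows the outer `ldap_err` in both branches, and the unused capture is spelled `succes` in one place and `success` in the other.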
