DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-01-12 06:17:28 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/snipe/snipe-it

Browse source
This commit is contained in:
snipe 2022-02-07 18:27:59 -08:00
parent b3a0f86431 1a31231569
commit 474f24e40e
4 changed files with 53 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
app/Console/Commands/LdapSync.php
View file

@ -49,7 +49,7 @@ class LdapSync extends Command
$ldap_result_last_name = Setting::getSettings()->ldap_lname_field;
$ldap_result_first_name = Setting::getSettings()->ldap_fname_field;
$ldap_result_active_flag = Setting::getSettings()->ldap_active_flag_field;
$ldap_result_active_flag = Setting::getSettings()->ldap_active_flag;
$ldap_result_emp_num = Setting::getSettings()->ldap_emp_num;
$ldap_result_email = Setting::getSettings()->ldap_email;
$ldap_result_phone = Setting::getSettings()->ldap_phone_field;
@ -170,7 +170,6 @@ class LdapSync extends Command
$pass = bcrypt($tmp_pass);
for ($i = 0; $i < $results["count"]; $i++) {
if (empty($ldap_result_active_flag) || $results[$i][$ldap_result_active_flag][0] == "TRUE") {
$item = array();
$item["username"] = isset($results[$i][$ldap_result_username][0]) ? $results[$i][$ldap_result_username][0] : "";
@ -192,6 +191,7 @@ class LdapSync extends Command
$user = User::where('username', $item["username"])->first();
if ($user) {
// Updating an existing user.
$item["createorupdate"] = 'updated';
@ -199,7 +199,7 @@ class LdapSync extends Command
// Creating a new user.
$user = new User;
$user->password = $pass;
$user->activated = 0;
$user->activated = 1; // newly created users can log in by default, unless AD's UAC is in use, or an active flag is set (below)
$item["createorupdate"] = 'created';
}
@ -213,8 +213,19 @@ class LdapSync extends Command
$user->country = $item["country"];
$user->department_id = $department->id;
// Sync activated state for Active Directory.
if ( array_key_exists('useraccountcontrol', $results[$i]) ) {
if ( !empty($ldap_result_active_flag)) { // IF we have an 'active' flag set....
// ....then *most* things that are truthy will activate the user. Anything falsey will deactivate them.
// (Specifically, we don't handle a value of '0.0' correctly)
$raw_value = @$results[$i][$ldap_result_active_flag][0];
$filter_var = filter_var($raw_value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
$boolean_cast = (bool)$raw_value;
$user->activated = $filter_var ?? $boolean_cast; // if filter_var() was true or false, use that. If it's null, use the $boolean_cast
} elseif ( array_key_exists('useraccountcontrol', $results[$i]) ) {
// ....otherwise, (ie if no 'active' LDAP flag is defined), IF the UAC setting exists,
// ....then use the UAC setting on the account to determine can-log-in vs. cannot-log-in
/* The following is _probably_ the correct logic, but we can't use it because
some users may have been dependent upon the previous behavior, and this
could cause additional access to be available to users they don't want
@ -245,12 +256,9 @@ class LdapSync extends Command
'1049088',// 0x100200 NORMAL_ACCOUNT, NOT_DELEGATED
];
$user->activated = ( in_array($results[$i]['useraccountcontrol'][0], $enabled_accounts) ) ? 1 : 0;
}
// If we're not using AD, and there isn't an activated flag set, activate all users
elseif (empty($ldap_result_active_flag)) {
$user->activated = 1;
}
} /* implied 'else' here - leave the $user->activated flag alone. Newly-created accounts will be active.
already-existing accounts will be however the administrator has set them */
if ($item['ldap_location_override'] == true) {
$user->location_id = $item['location_id'];
@ -280,7 +288,6 @@ class LdapSync extends Command
}
array_push($summary, $item);
}
}

5
app/Providers/AppServiceProvider.php
View file

@ -47,9 +47,8 @@ class AppServiceProvider extends ServiceProvider
// TODO - isn't it somehow 'gauche' to check the environment directly; shouldn't we be using config() somehow?
if ( ! env('APP_ALLOW_INSECURE_HOSTS')) { // unless you set APP_ALLOW_INSECURE_HOSTS, you should PROHIBIT forging domain parts of URL via Host: headers
$url_parts = parse_url(config('app.url'));
if ($url_parts && array_key_exists('scheme', $url_parts) && array_key_exists('host', $url_parts)) {
$root_url = $url_parts['scheme'].'://'.$url_parts['host'].(isset($url_parts['port']) ? ':'.$url_parts['port'] : '');
\URL::forceRootUrl($root_url);
if ($url_parts && array_key_exists('scheme', $url_parts) && array_key_exists('host', $url_parts)) { // check for the *required* parts of a bare-minimum URL
\URL::forceRootUrl(config('app.url'));
} else {
\Log::error("Your APP_URL in your .env is misconfigured - it is: ".config('app.url').". Many things will work strangely unless you fix it.");
}

2
database/migrations/2015_11_08_222305_add_ldap_fields_to_settings.php
View file

@ -23,7 +23,7 @@ class AddLdapFieldsToSettings extends Migration {
$table->string('ldap_username_field')->nullable()->default('samaccountname');
$table->string('ldap_lname_field')->nullable()->default('sn');
$table->string('ldap_fname_field')->nullable()->default('givenname');
$table->string('ldap_auth_filter_query')->nullable()->default('uid=samaccountname');
$table->string('ldap_auth_filter_query')->nullable()->default('uid=');
$table->integer('ldap_version')->nullable()->default(3);
$table->string('ldap_active_flag')->nullable()->default(NULL);
$table->string('ldap_emp_num')->nullable()->default(NULL);

32
database/migrations/2022_02_03_214958_blank_out_ldap_active_flag.php Normal file
View file

@ -0,0 +1,32 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
use App\Models\Setting;
class BlankOutLdapActiveFlag extends Migration
{
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
if ($s = Setting::getSettings()) {
$s->ldap_active_flag = '';
$s->save();
}
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
//
}
}