mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-10-05 09:32:08 +02:00
new setup config denying (default) or allowing user names identical to system users (ldap only)
This commit is contained in:
Ralf Becker
parent
7489a9cfb4
commit
b40f14a95e
@ -7,13 +7,13 @@
|
||||
* @package admin
|
||||
* @copyright (c) 2007 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
||||
* @version $Id$
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
/**
|
||||
* admin command: edit/add a user
|
||||
*/
|
||||
class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
{
|
||||
/**
|
||||
* Constructor
|
||||
@ -37,7 +37,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
|
||||
/**
|
||||
* change the password of a given user
|
||||
*
|
||||
*
|
||||
* @param boolean $check_only=false only run the checks (and throw the exceptions), but not the command itself
|
||||
* @return string success message
|
||||
* @throws egw_exception_no_admin
|
||||
@ -62,11 +62,18 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
{
|
||||
throw new egw_exception_wrong_userinput(lang('You must enter a loginid'),9);
|
||||
}
|
||||
// Check if an account already exists as system user, and if it does deny creation
|
||||
if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap' &&
|
||||
!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
|
||||
function_exists('posix_getpwnam') && posix_getpwnam($data['account_lid']))
|
||||
{
|
||||
throw new egw_exception_wrong_userinput(lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser'),99);
|
||||
}
|
||||
if (!$data['account_lastname'] && (!$this->account || !is_null($data['account_lastname'])))
|
||||
{
|
||||
throw new egw_exception_wrong_userinput(lang('You must enter a lastname'),9);
|
||||
}
|
||||
if (!is_null($data['account_lid']) && ($id = admin_cmd::$accounts->name2id($data['account_lid'],'account_lid','u')) &&
|
||||
if (!is_null($data['account_lid']) && ($id = admin_cmd::$accounts->name2id($data['account_lid'],'account_lid','u')) &&
|
||||
$id !== $data['account_id'])
|
||||
{
|
||||
throw new egw_exception_wrong_userinput(lang('That loginid has already been taken'),999);
|
||||
@ -77,10 +84,10 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
}
|
||||
$data['account_expires'] = $expires = self::_parse_expired($data['account_expires'],(boolean)$this->account);
|
||||
$data['account_status'] = is_null($expires) ? null : ($expires == -1 || $expires > time() ? 'A' : '');
|
||||
|
||||
|
||||
$data['changepassword'] = admin_cmd::parse_boolean($data['changepassword'],$this->account ? null : true);
|
||||
$data['anonymous'] = admin_cmd::parse_boolean($data['anonymous'],$this->account ? null : false);
|
||||
|
||||
|
||||
if (!$data['account_primary_group'] && $this->account)
|
||||
{
|
||||
$data['account_primary_group'] = null; // dont change
|
||||
@ -106,7 +113,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
$data['account_groups'] = admin_cmd::parse_accounts($data['account_groups'],false);
|
||||
}
|
||||
if ($check_only) return true;
|
||||
|
||||
|
||||
if ($this->account)
|
||||
{
|
||||
if (!($old = admin_cmd::$accounts->read($data['account_id'])))
|
||||
@ -161,7 +168,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
$GLOBALS['egw']->hooks->process($GLOBALS['hook_values']+array(
|
||||
'location' => $this->account ? 'editaccount' : 'addaccount'
|
||||
),False,True); // called for every app now, not only enabled ones)
|
||||
|
||||
|
||||
return lang("Account %1 %2",$this->account ? $this->account : $data['account_lid'],
|
||||
$this->account ? lang('updated') : lang("created with id #%1",$data['account_id']));
|
||||
}
|
||||
@ -176,7 +183,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
return lang('%1 user %2',$this->account ? lang('Edit') : lang('Add'),
|
||||
admin_cmd::display_account($this->account ? $this->account : $this->set['account_lid']));
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* parse the expired string and return the expired date as timestamp
|
||||
*
|
||||
@ -190,7 +197,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
|
||||
switch($str)
|
||||
{
|
||||
case '':
|
||||
if ($existing) return null;
|
||||
if ($existing) return null;
|
||||
// fall through --> default for new accounts is never
|
||||
case 'never':
|
||||
return -1;
|
||||
|
||||
@ -352,16 +352,14 @@
|
||||
$error[$totalerrors] = lang('The groups must include the primary group');
|
||||
$totalerrors++;
|
||||
}
|
||||
// if accounts stored in ldap, there is a chance that users are systemusers as well.
|
||||
// check if an account already exists there, and if it does deny creation (increase the totalerrors counter
|
||||
// and the message thereof
|
||||
if($GLOBALS['egw_info']['server']['account_repository'] == 'ldap')
|
||||
// Check if an account already exists as system user, and if it does deny creation
|
||||
// (increase the totalerrors counter and the message thereof)
|
||||
if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap' &&
|
||||
!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
|
||||
function_exists('posix_getpwnam') && posix_getpwnam($_userData['account_lid']))
|
||||
{
|
||||
if (function_exists('posix_getpwnam') && posix_getpwnam($_userData['account_lid']))
|
||||
{
|
||||
$error[$totalerrors] = lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser');
|
||||
$totalerrors++;
|
||||
}
|
||||
$error[$totalerrors] = lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser');
|
||||
$totalerrors++;
|
||||
}
|
||||
if($_userData['old_loginid'] != $_userData['account_lid'])
|
||||
{
|
||||
|
||||
@ -1051,44 +1051,3 @@ class accounts
|
||||
return $data;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Enable this only, if your system users are automatically eGroupWare users.
|
||||
* This is NOT the case for most installations and silently rejecting all this names causes a lot of trouble.
|
||||
|
||||
$GLOBALS['egw_info']['server']['global_denied_users'] = array(
|
||||
'root' => True, 'bin' => True, 'daemon' => True,
|
||||
'adm' => True, 'lp' => True, 'sync' => True,
|
||||
'shutdown' => True, 'halt' => True, 'ldap' => True,
|
||||
'mail' => True, 'news' => True, 'uucp' => True,
|
||||
'operator' => True, 'games' => True, 'gopher' => True,
|
||||
'nobody' => True, 'xfs' => True, 'pgsql' => True,
|
||||
'mysql' => True, 'postgres' => True, 'oracle' => True,
|
||||
'ftp' => True, 'gdm' => True, 'named' => True,
|
||||
'alias' => True, 'web' => True, 'sweep' => True,
|
||||
'cvs' => True, 'qmaild' => True, 'qmaill' => True,
|
||||
'qmaillog' => True, 'qmailp' => True, 'qmailq' => True,
|
||||
'qmailr' => True, 'qmails' => True, 'rpc' => True,
|
||||
'rpcuser' => True, 'amanda' => True, 'apache' => True,
|
||||
'pvm' => True, 'squid' => True, 'ident' => True,
|
||||
'nscd' => True, 'mailnull' => True, 'cyrus' => True,
|
||||
'backup' => True
|
||||
);
|
||||
|
||||
$GLOBALS['egw_info']['server']['global_denied_groups'] = array(
|
||||
'root' => True, 'bin' => True, 'daemon' => True,
|
||||
'sys' => True, 'adm' => True, 'tty' => True,
|
||||
'disk' => True, 'lp' => True, 'mem' => True,
|
||||
'kmem' => True, 'wheel' => True, 'mail' => True,
|
||||
'uucp' => True, 'man' => True, 'games' => True,
|
||||
'dip' => True, 'ftp' => True, 'nobody' => True,
|
||||
'floppy' => True, 'xfs' => True, 'console' => True,
|
||||
'utmp' => True, 'pppusers' => True, 'popusers' => True,
|
||||
'slipusers' => True, 'slocate' => True, 'mysql' => True,
|
||||
'dnstools' => True, 'web' => True, 'named' => True,
|
||||
'dba' => True, 'oinstall' => True, 'oracle' => True,
|
||||
'gdm' => True, 'sweep' => True, 'cvs' => True,
|
||||
'postgres' => True, 'qmail' => True, 'nofiles' => True,
|
||||
'ldap' => True, 'backup' => True
|
||||
);
|
||||
*/
|
||||
@ -317,6 +317,13 @@ class accounts_ldap
|
||||
$to_write['mail'] = array_values(array_unique($mail));
|
||||
}
|
||||
$data['account_type'] = 'u';
|
||||
|
||||
// Check if an account already exists as system user, and if it does deny creation
|
||||
if (!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
|
||||
function_exists('posix_getpwnam') && posix_getpwnam($data['account_lid']))
|
||||
{
|
||||
throw new egw_exception_wrong_userinput(lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser'));
|
||||
}
|
||||
}
|
||||
|
||||
// remove memberuid when adding a group
|
||||
@ -951,7 +958,7 @@ class accounts_ldap
|
||||
*/
|
||||
function members($gid)
|
||||
{
|
||||
if (!is_numeric($gid))
|
||||
if (!is_numeric($gid))
|
||||
{
|
||||
// try to recover
|
||||
$gid = $this->name2id($gid,'account_lid','g');
|
||||
|
||||
@ -74,7 +74,7 @@
|
||||
</select>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
<tr class="row_on">
|
||||
<td>{lang_Complete_path_to_aspell_program}:</td>
|
||||
<td>
|
||||
@ -467,7 +467,17 @@
|
||||
<td><input name="newsettings[ldap_account_shell]" value="{value_ldap_account_shell}" /></td>
|
||||
</tr>
|
||||
|
||||
<tr class="row_on" valign="top">
|
||||
<tr class="row_on">
|
||||
<td>{lang_Allow_usernames_identical_to_system_users?}:</td>
|
||||
<td>
|
||||
<select name="newsettings[ldap_allow_systemusernames]">
|
||||
<option value="">{lang_No}</option>
|
||||
<option value="True"{selected_ldap_allow_systemusernames_True}>{lang_Yes}</option>
|
||||
</select>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr class="row_off" valign="top">
|
||||
<td>
|
||||
<a href="account_migration.php"><b>{lang_Migration_between_eGroupWare_account_repositories}:</b></a>
|
||||
</td>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user