Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

conf/settings.xml.template

@@ -120,6 +120,7 @@
        - restricted: Restricted access: only allow users to log in if they have an entry in the local database (irrespective of successful authentication with LDAP).
        - enableUserImage: enable users images
        - disableSelfEdit: if true user cannot edit his own profile
+       - disableChangePassword: if true user cannot change the password
        - passwordStrength: minimum strength of password, set to 0 to disable
        - passwordStrengthAlgorithm: algorithm used to calculate password strenght (simple or advanced)
        - passwordExpiration: number of days after password expires
@@ -137,6 +138,7 @@
       restricted = "true"
       enableUserImage = "false"
       disableSelfEdit = "false"
+      disableChangePassword = "false"
       passwordStrength = "0"
       passwordStrengthAlgorithm = "simple"
       passwordExpiration = "0"
@@ -168,6 +170,7 @@
           bindDN = ""
           bindPw = ""
           filter = ""
+          groupField = ""
         />
         <!-- ***** CONNECTOR Microsoft Active Directory  *****
            - enable: enable/disable connector
@@ -189,6 +192,8 @@
           accountDomainName = "example.com"
           bindDN = ""
           bindPw = ""
+          filter = ""
+          groupField = ""
         />
       </connectors>
     </authentication>

inc/inc.ClassAuthenticationService.php

@@ -63,6 +63,19 @@ class SeedDMS_AuthenticationService {
 		return $this->errors;
 	} /* }}} */
 
+	/**
+	 * Run each authentication service
+	 *
+	 * This method calls authenticate() of each authentication service and
+	 * evaluates the returned value.
+	 * If the authentication method returns false (some internal error which
+	 * prevented to check authentication at all), this method will return
+	 * false imediately, in case of null (no valid authentication) the next
+	 * service will be tried and in all other cases the value will be returned.
+	 *
+	 * @param string $username name of user
+	 * @param string $password password of user
+	 */
 	public function authenticate($username, $password) { /* {{{ */
 		$user = null;
 		foreach($this->services as $name => $service) {

inc/inc.ClassLdapAuthentication.php

@@ -110,6 +110,9 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 
 		if (!is_bool($ds)) {
 			/* Check if ldap base dn is set, and use ldap server if it is */
+			/* $tmpDN will be set to a 'wild' guess how the user's dn might
+			 * look like if searching for that user didn't return a dn.
+			 */
 			if (isset($settings->_ldapBaseDN)) {
 				$ldapSearchAttribut = "uid=";
 				$tmpDN = "uid=".$username.",".$settings->_ldapBaseDN;
@@ -164,7 +167,14 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 			}
 
 			/* If the previous bind failed, try it with the users creditionals
-			 * by simply setting $dn to a default string
+			 * by simply setting $dn to a guessed dn (see above)
+			 * FIXME: This is probably a bad idea because users filtered out
+			 * may still be able to authenticate, because $tmpDN could be a
+			 * valid DN. Example: if baseDN is 'dc=seeddms,dc=org' and the
+			 * user 'test' logs in, then $tmpDN will be 'uid=test,dc=seeddms,dc=org'
+			 * If that user was filtered out, because filter was set to '(mail=*)'
+			 * and the user doesn't have a mail address, then $dn will not be
+			 * set and $tmpDN will be used instead, allowing a successfull bind.
 			 */
 			if (is_bool($dn)) {
 				$dn = $tmpDN;

inc/inc.ClassSettings.php

@@ -49,6 +49,8 @@ class Settings { /* {{{ */
 	var $_enable2FactorAuthentication = false;
 	// Allow users to reset their password
 	var $_enablePasswordForgotten = false;
+	// Do not allow users to change password
+	var $_disableChangePassword = false;
 	// Minimum password strength (0 - x, 0 means no check)
 	var $_passwordStrength = 0;
 	// Password strength algorithm (simple, advanced)
@@ -678,6 +680,7 @@ class Settings { /* {{{ */
 			$this->_restricted = Settings::boolVal($tab["restricted"]);
 			$this->_enableUserImage = Settings::boolVal($tab["enableUserImage"]);
 			$this->_disableSelfEdit = Settings::boolVal($tab["disableSelfEdit"]);
+			$this->_disableChangePassword = Settings::boolVal($tab["disableChangePassword"]);
 		}
 
 		// XML Path: /configuration/system/authentication/connectors/connector
@@ -1069,6 +1072,7 @@ class Settings { /* {{{ */
     $this->setXMLAttributValue($node, "restricted", $this->_restricted);
     $this->setXMLAttributValue($node, "enableUserImage", $this->_enableUserImage);
     $this->setXMLAttributValue($node, "disableSelfEdit", $this->_disableSelfEdit);
+    $this->setXMLAttributValue($node, "disableChangePassword", $this->_disableChangePassword);
 
 		// XML Path: /configuration/system/authentication/connectors
 		foreach($this->_usersConnectors as $keyConn => $paramConn)

op/op.Settings.php

@@ -201,6 +201,7 @@ if ($action == "saveSettings")
   setBoolValue("restricted");
   setBoolValue("enableUserImage");
   setBoolValue("disableSelfEdit");
+  setBoolValue("disableChangePassword");
   setBoolValue("enablePasswordForgotten");
 	setIntValue("passwordStrength");
 	setStrValue("passwordStrengthAlgorithm");

out/out.EditUserData.php

@@ -48,6 +48,7 @@ if($view) {
 	$view->setParam('enablelanguageselector', $settings->_enableLanguageSelector);
 	$view->setParam('enablethemeselector', $settings->_enableThemeSelector);
 	$view->setParam('passwordstrength', $settings->_passwordStrength);
+	$view->setParam('disablechangepassword', $settings->_disableChangePassword);
 	$view->setParam('httproot', $settings->_httpRoot);
 	$view->setParam('accessobject', $accessop);
 	$view($_GET);

views/bootstrap/class.EditUserData.php

@@ -75,6 +75,7 @@ $(document).ready( function() {
 		$enablelanguageselector = $this->params['enablelanguageselector'];
 		$enablethemeselector = $this->params['enablethemeselector'];
 		$passwordstrength = $this->params['passwordstrength'];
+		$disablechangepassword = $this->params['disablechangepassword'];
 		$httproot = $this->params['httproot'];
 
 		$this->htmlAddHeader('<script type="text/javascript" src="../views/'.$this->theme.'/vendors/jquery-validation/jquery.validate.js"></script>'."\n", 'js');
@@ -102,6 +103,7 @@ $(document).ready( function() {
 				'required'=>true
 			)
 		);
+		if(!$disablechangepassword) {
 		$this->formField(
 			getMLText("new_password"),
 			'<input class="form-control pwd" type="password" rel="strengthbar" id="pwd" name="pwd" size="30">'
@@ -122,6 +124,7 @@ $(document).ready( function() {
 				'autocomplete'=>'off',
 			)
 		);
+		}
 		$this->formField(
 			getMLText("name"),
 			array(

views/bootstrap/class.Settings.php

@@ -457,6 +457,7 @@ if(($kkk = $this->callHook('getFullSearchEngine')) && is_array($kkk))
 <?php $this->showConfigCheckbox('settings_restricted', 'restricted'); ?>
 <?php $this->showConfigCheckbox('settings_enableUserImage', 'enableUserImage'); ?>
 <?php $this->showConfigCheckbox('settings_disableSelfEdit', 'disableSelfEdit'); ?>
+<?php $this->showConfigCheckbox('settings_disableChangePassword', 'disableChangePassword'); ?>
 <?php $this->showConfigCheckbox('settings_enablePasswordForgotten', 'enablePasswordForgotten'); ?>
 <?php $this->showConfigText('settings_passwordStrength', 'passwordStrength'); ?>
 <?php $this->showConfigOption('settings_passwordStrengthAlgorithm', 'passwordStrengthAlgorithm', array('simple'=>'settings_passwordStrengthAlgorithm_valsimple', 'advanced'=>'settings_passwordStrengthAlgorithm_valadvanced'), false, true); ?>