Commit 1b1a594e authored by Bertrand Gauthier's avatar Bertrand Gauthier

Nouvelle technique pour usurper une identité.

parent 058ae8f8
......@@ -122,6 +122,7 @@ return [
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'informatique-et-libertes', 'roles' => []],
['controller' => 'UnicaenApp\Controller\Application', 'action' => 'refresh-session', 'roles' => []],
['controller' => 'UnicaenAuth\Controller\Utilisateur', 'action' => 'selectionner-profil', 'roles' => []],
['controller' => 'UnicaenAuth\Controller\Utilisateur', 'action' => 'usurper-identite', 'roles' => []],
['controller' => 'UnicaenAuth\Controller\Auth', 'action' => 'shibboleth', 'roles' => []],
],
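Review bot: The new `usurper-identite` entry is declared with `'roles' => []` like the neighbouring `shibboleth` and `refresh-session` entries, which — if an empty role list means "no role restriction" in this ACL table, as those public actions suggest — makes the impersonation action reachable at the routing layer by any caller, leaving the username allowlist inside the controller as the only authorization check. If the ACL layer can express it, restrict this entry to the intended administrative role; otherwise document the intent on the line so the next maintainer does not assume the action is unused, e.g. `// no ACL restriction: authorization is enforced in UtilisateurController::usurperIdentiteAction() via the usurpation allowlist`.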
......@@ -2,7 +2,13 @@
namespace UnicaenAuth\Controller;
use UnicaenAuth\Entity\Db\UserInterface;
use UnicaenAuth\Entity\Ldap\People;
use UnicaenAuth\Entity\Shibboleth\ShibUser;
use UnicaenAuth\Options\ModuleOptions;
use Zend\Authentication\AuthenticationService;
use Zend\Http\Request;
use Zend\Http\Response;
use Zend\Mvc\Controller\AbstractActionController;
/**
......@@ -12,6 +18,62 @@ use Zend\Mvc\Controller\AbstractActionController;
*/
class UtilisateurController extends AbstractActionController
{
/**
* Usurpe l'identité d'un autre utilisateur.
*
* @return Response
*/
public function usurperIdentiteAction()
{
$request = $this->getRequest();
if (! $request instanceof Request) {
exit(1);
}
$redirection = $this->redirect()->toRoute('home');
$newIdentity = $request->getQuery('identity', $request->getPost('identity'));
if (! $newIdentity) {
return $redirection;
}
/** @var AuthenticationService $authenticationService */
$authenticationService = $this->getServiceLocator()->get(AuthenticationService::class);
/** @var ModuleOptions $options */
$options = $this->getServiceLocator()->get('unicaen-auth_module_options');
$currentIdentity = $authenticationService->getIdentity();
if (! $currentIdentity) {
return $redirection;
}
if (! is_array($currentIdentity)) {
return $redirection;
}
if (isset($currentIdentity['shib'])) {
/** @var ShibUser $currentIdentity */
$currentIdentity = $currentIdentity['shib'];
} elseif (isset($currentIdentity['ldap'])) {
/** @var People $currentIdentity */
$currentIdentity = $currentIdentity['ldap'];
} elseif (isset($currentIdentity['db'])) {
/** @var UserInterface $currentIdentity */
$currentIdentity = $currentIdentity['db'];
} else {
return $redirection;
}
$currentIdentity = $currentIdentity->getUsername();
if (! in_array($currentIdentity, $options->getUsurpationAllowedUsernames())) {
return $redirection;
}
$authenticationService->getStorage()->write($newIdentity);
return $redirection;
}
/**
* Traite les requêtes AJAX POST de sélection d'un profil utilisateur.
* La sélection est mémorisé en session par le service AuthUserContext.
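Review bot: `$authenticationService->getStorage()->write($newIdentity);` stores the raw request value as the session identity, whereas the checks just above (`is_array`, then the `shib`/`ldap`/`db` keys) expect the array shape the authentication adapters write, so after one impersonation `getIdentity()` presumably returns a plain string, the allowlist check can no longer pass for the original user, and the original identity is lost with no way to revert or to attribute later actions to the real operator. Consider writing the new identity in the same array shape while keeping the original username next to it under a dedicated key, logging the event (who impersonated whom), and validating that the requested identity actually exists before switching. `exit(1)` when the request is not an HTTP request terminates the process without any response; throwing, e.g. `throw new \RuntimeException('Requête HTTP attendue.');`, is the expected way out of a controller action. `in_array($currentIdentity, $options->getUsurpationAllowedUsernames())` should pass `true` as the third argument so a loose comparison cannot match the username against a non-string entry of the allowlist. Because the target identity is also read from the query string, the action fires on a plain GET link; accepting it from POST only (with the application's CSRF token, if one exists) would stop a crafted link from switching the session of an allowlisted user.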