diff --git a/config/module.config.php b/config/module.config.php
index b015ae6ff8c3e1e9babb0b2f034142249d61281e..0bad6991bf0183bf6c54711b74309f4f1af448a6 100644
--- a/config/module.config.php
+++ b/config/module.config.php
@@ -122,6 +122,7 @@ return [
 ['controller' => 'UnicaenApp\Controller\Application', 'action' => 'informatique-et-libertes', 'roles' => []],
 ['controller' => 'UnicaenApp\Controller\Application', 'action' => 'refresh-session', 'roles' => []],
 ['controller' => 'UnicaenAuth\Controller\Utilisateur', 'action' => 'selectionner-profil', 'roles' => []],
+ ['controller' => 'UnicaenAuth\Controller\Utilisateur', 'action' => 'usurper-identite', 'roles' => []],
 ['controller' => 'UnicaenAuth\Controller\Auth', 'action' => 'shibboleth', 'roles' => []],
 ],
diff --git a/src/UnicaenAuth/Controller/UtilisateurController.php b/src/UnicaenAuth/Controller/UtilisateurController.php
index e8b1b01e70f8b5933d7ddd9f35f3e6b39b98b13f..707cbae58285b9e207e2122e89de398ad9249c84 100644
--- a/src/UnicaenAuth/Controller/UtilisateurController.php
+++ b/src/UnicaenAuth/Controller/UtilisateurController.php
@@ -2,7 +2,13 @@
 namespace UnicaenAuth\Controller;
 
+use UnicaenAuth\Entity\Db\UserInterface;
+use UnicaenAuth\Entity\Ldap\People;
+use UnicaenAuth\Entity\Shibboleth\ShibUser;
+use UnicaenAuth\Options\ModuleOptions;
+use Zend\Authentication\AuthenticationService;
 use Zend\Http\Request;
+use Zend\Http\Response;
 use Zend\Mvc\Controller\AbstractActionController;
 
 /**
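Review bot: The new guard rule for `usurper-identite` is declared with `'roles' => []`, the same shape as the public entries around it (`refresh-session`, `shibboleth`), so if an empty role list means "no role required" in this guard, the identity-switch action becomes reachable by any visitor and the only remaining control is the allowlist inside the controller. Restricting the rule to the roles that are actually allowed to impersonate, e.g. `'roles' => ['<role-allowed-to-impersonate>']` (placeholder for the project's role name), keeps the guard as a second layer in front of the controller check. If the route has to stay open for a reason not visible here, a short comment on the entry saying why would stop the next reader from treating it as an oversight.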
@@ -12,6 +18,62 @@ use Zend\Mvc\Controller\AbstractActionController;
 */
 class UtilisateurController extends AbstractActionController
 {
+ /**
+ * Usurpe l'identité d'un autre utilisateur.
+ *
+ * @return Response
+ */
+ public function usurperIdentiteAction()
+ {
+ $request = $this->getRequest();
+ if (! $request instanceof Request) {
+ exit(1);
+ }
+
+ $redirection = $this->redirect()->toRoute('home');
+
+ $newIdentity = $request->getQuery('identity', $request->getPost('identity'));
+ if (! $newIdentity) {
+ return $redirection;
+ }
+
+ /** @var AuthenticationService $authenticationService */
+ $authenticationService = $this->getServiceLocator()->get(AuthenticationService::class);
+
+ /** @var ModuleOptions $options */
+ $options = $this->getServiceLocator()->get('unicaen-auth_module_options');
+
+ $currentIdentity = $authenticationService->getIdentity();
+ if (! $currentIdentity) {
+ return $redirection;
+ }
+ if (! is_array($currentIdentity)) {
+ return $redirection;
+ }
+
+ if (isset($currentIdentity['shib'])) {
+ /** @var ShibUser $currentIdentity */
+ $currentIdentity = $currentIdentity['shib'];
+ } elseif (isset($currentIdentity['ldap'])) {
+ /** @var People $currentIdentity */
+ $currentIdentity = $currentIdentity['ldap'];
+ } elseif (isset($currentIdentity['db'])) {
+ /** @var UserInterface $currentIdentity */
+ $currentIdentity = $currentIdentity['db'];
+ } else {
+ return $redirection;
+ }
+
+ $currentIdentity = $currentIdentity->getUsername();
+ if (! in_array($currentIdentity, $options->getUsurpationAllowedUsernames())) {
+ return $redirection;
+ }
+
+ $authenticationService->getStorage()->write($newIdentity);
+
+ return $redirection;
+ }
+ /**
+ * Traite les requêtes AJAX POST de sélection d'un profil utilisateur.
+ * La sélection est mémorisé en session par le service AuthUserContext.
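Review bot: `usurperIdentiteAction` reads the target identity from the query string (`$request->getQuery('identity', $request->getPost('identity'))`) and writes it straight into the session with no request-method check and no CSRF token, so an allow-listed user who merely follows a crafted link is silently switched to another account and the chosen identity also ends up in proxy and access logs; gate the action with `if (! $request->isPost()) { return $redirection; }` plus the application's CSRF mechanism before reading `identity`. The allowlist test `in_array($currentIdentity, $options->getUsurpationAllowedUsernames())` uses loose comparison; pass `true` as the third argument so only an identical username matches. Nothing records who impersonated whom: `getStorage()->write($newIdentity)` overwrites the original identity, leaving no audit entry and no way to revert, so the impersonator's username and the target should be logged (and ideally kept alongside the new identity in the session) before the write. `exit(1)` on a non-HTTP request terminates the process without a response; returning an error response or throwing is the controller-appropriate form. The value written is a bare string whereas the code above expects `getIdentity()` to return an array keyed `shib`/`ldap`/`db`, so a subsequent call to this action will presumably hit the `! is_array` redirect — worth confirming that the authentication adapters and the rest of the module accept a plain username in storage.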