- [CAS allowed LDAP groups](https://github.com/wekan/meteor-accounts-cas/pull/4).

Thanks to ppoulard ! Please test. Related #2356
2025-04-22 04:57:07 -04:00 · 2019-05-22 20:15:24 +03:00 · 2019-05-22 20:15:24 +03:00 · d194cc7a5a
commit d194cc7a5a
parent 0834f6ed1e
2 changed files with 35 additions and 7 deletions
--- a/packages/meteor-accounts-cas/cas_client.js
+++ b/packages/meteor-accounts-cas/cas_client.js
@ -81,7 +81,12 @@ Meteor.loginWithCas = function(options, callback) {
            // check auth on server.
            Accounts.callLoginMethod({
                methodArguments: [{ cas: { credentialToken: credentialToken } }],
-                userCallback: callback
+                userCallback: err => {
+                    // Fix redirect bug after login successfully
+                    if (!err) {
+                        window.location.href = '/';
+                    }
+                }
            });
        }
    }, 100);
--- a/packages/meteor-accounts-cas/cas_server.js
+++ b/packages/meteor-accounts-cas/cas_server.js
@ -71,14 +71,37 @@ class CAS {
                callback({message: 'Empty response.'});
              }
              if (result['cas:serviceResponse']['cas:authenticationSuccess']) {
-                var userData = {
+                const userData = {
                  id: result['cas:serviceResponse']['cas:authenticationSuccess'][0]['cas:user'][0].toLowerCase(),
-                }
-                const attributes = result['cas:serviceResponse']['cas:authenticationSuccess'][0]['cas:attributes'][0];
-                for (var fieldName in attributes) {
-                  userData[fieldName] = attributes[fieldName][0];
                };
-                callback(undefined, true, userData);
+                const attributes = result['cas:serviceResponse']['cas:authenticationSuccess'][0]['cas:attributes'][0];
+
+                // Check allowed ldap groups if exist (array only)
+                // example cas settings : "allowedLdapGroups" : ["wekan", "admin"],
+                let findedGroup = false;
+                const allowedLdapGroups = Meteor.settings.cas.allowedLdapGroups || false;
+                for (const fieldName in attributes) {
+                  if (allowedLdapGroups && fieldName === 'cas:memberOf') {
+                    for (const groups in attributes[fieldName]) {
+                      const str = attributes[fieldName][groups];
+                      if (!Array.isArray(allowedLdapGroups)) {
+                        callback({message: 'Settings "allowedLdapGroups" must be an array'});
+                      }
+                      for (const allowedLdapGroup in allowedLdapGroups) {
+                        if (str.search(`cn=${allowedLdapGroups[allowedLdapGroup]}`) >= 0) {
+                          findedGroup = true;
+                        }
+                      }
+                    }
+                  }
+                  userData[fieldName] = attributes[fieldName][0];
+                }
+
+                if (allowedLdapGroups && !findedGroup) {
+                  callback({message: 'Group not finded.'}, false);
+                } else {
+                  callback(undefined, true, userData);
+                }
              } else {
                callback(undefined, false);
              }