User Group relationship

SourDough

I installed the WB-2.6.7 (linked above) with the patch already applied, and tried browsing to http://locahost/wb/ldap_config.php and all I get is a blank page.  I'm running this on USB Webserver v7.0 with the default settings.  I tried changing display_errors = On in the php.ini, and I still received a blank page browsing to the ldap_config.php file. 

Can you check and see what your error reporting is set to in your php.ini?  Perhaps turn display_errors = Off, as this is the best setting for a secure setup. 

Also, what is on line 4 of your ldap_config.php, or could you post a sanitized version of your ldap_config.php. 

And finally, despite this problem, is your WB authenticating to ldap successfully? 

Nick

FrankH

Both suggestions above do not work, the user still receives the name of the install directory in the error report, which he should not get. The only thing that changed was the line number.
Ox and donkey in their course
I sadly cannot stop them either

SourDough

I haven't looked at the code, but I think what you are looking for is the inclusion of the following code:

// Must include code to stop this file being accessed directly
if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }

Nick

vyni

Hi,
I don't understand anything of this all....

But there are a lot of files within WB with a code like this:
// prevent this file from being accessed directly in the browser (would set all entries in DB settings table to '')
if(!isset($_POST['default_language']) || $_POST['default_language'] == '') die(header('Location: index.php')); 


Maybe this does the job?

FrankH

The ldap patch requires a file in the wb root directory.
I wondered what happens when a user calls this file directly.

On my test system, he gets an answer like
Parse error: syntax error, unexpected T_VARIABLE in E:\xampplite-win32-1.6.7\xampplite\htdocs\ldap_config.php on line 4

This means it reveals the name of the install directory to the user, which is a Bad Thing from a Security point of view. Is there a way to change this?
Ox and donkey in their course
I sadly cannot stop them either
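
Added example (not part of the original thread and not WebsiteBaker code): a Python check that scans an HTTP response body for PHP error messages of the kind quoted in the post above and reports the server path they reveal, so an admin can test which files leak the install directory when requested directly. The function name, the second sample and its Unix path are assumptions constructed for illustration.

```python
import html
import re

# PHP's default error format is "<Level>: <message> in <file> on line <n>".
# With html_errors on, level, file and line are wrapped in <b> tags, so tags
# are stripped before matching.
PHP_ERROR = re.compile(
    r"(?P<level>Parse error|Fatal error|Warning|Notice|Deprecated|Strict Standards)"
    r":\s+(?P<message>.*?)\s+in\s+(?P<file>(?:[A-Za-z]:\\|/)\S.*?)"
    r"\s+on line\s+(?P<line>\d+)"
)
TAGS = re.compile(r"<[^>]+>")

# The error text quoted in the post above.
SAMPLE_PLAIN = (r"Parse error: syntax error, unexpected T_VARIABLE in "
                r"E:\xampplite-win32-1.6.7\xampplite\htdocs\ldap_config.php on line 4")
# Constructed sample: an html_errors-style warning with a made-up Unix path.
SAMPLE_HTML = ("<br />\n<b>Warning</b>:  ldap_bind(): Unable to bind to server: "
               "Invalid credentials in <b>/var/www/wb/account/login_ldap.php</b> "
               "on line <b>12</b><br />")
# Constructed sample: what a guarded file should return instead.
SAMPLE_CLEAN = "Cannot access this file directly"


def find_path_disclosures(body):
    """Return one finding per PHP error message in body that reveals a server path."""
    text = html.unescape(TAGS.sub("", body))
    findings = []
    for m in PHP_ERROR.finditer(text):
        path = m.group("file")
        sep = "\\" if "\\" in path else "/"
        findings.append({
            "level": m.group("level"),
            "file": path,
            "directory": path.rsplit(sep, 1)[0],  # the install directory leak
            "line": int(m.group("line")),
        })
    return findings


if __name__ == "__main__":
    for name, body in [("plain", SAMPLE_PLAIN), ("html", SAMPLE_HTML), ("clean", SAMPLE_CLEAN)]:
        print(name, find_path_disclosures(body))
```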

tavitar

Hi John,

Sorry, it will only authenticate against one LDAP server. Although, I don't think it'd be too difficult to check against multiple by changing /account/login_ldap.php.

The patch itself contains the changes as text (in GNU diff format). I've also uploaded a version of WebsiteBaker with patches already applied if that helps (you could use http://winmerge.org or similar to view changes): http://wb-mods.lism.catholic.edu.au/media/WebsiteBaker-2.6.7-ldap.tar.gz

Regards,
David

pcwacht

@Tavitar
The LDAP validation, can it be used against several LDAPs, or maybe connect to an LDAP and import that one, overwriting previous imports?
Reason: I work at a school (Holland).
We have different schools in one group, and each school runs its own Windows domain.
Importing or validating against several domains (LDAPs) would come in handy for an intranet.

And
Could you post the changed files for the user in multiple groups so I (we) can have a look at it?
Think it is a must feature for wb 2.7

Thanks in advance,
John

tavitar

Hi,

I've made a patch for 2.7.6 which enables users to be members of multiple groups.

http://wb-mods.lism.catholic.edu.au/pages/patches.php

Let me know if you need help or have suggestions.

Regards,
David

nickopotamus

I'd also be very interested in this - especially if there are any workarounds...

tomhung

This is sort of a request. It will prob have to wait till WB3 but I'll ask for it anyway.

I would like to see a many-to-many relationship between users and groups. Currently you can only allow a user to be in one group. I have seen many situations where we need the flexibility to have users in different / multiple groups. Just a thought for the Core Developers!

G

PS. Almost every time I build a 1-M relationship in an app, the user thinks up a situation where they would need an M-M relationship. I know it's not trivial to make these changes. This has forced me to ask "can there EVER be a need for the M-M?" If so, go ahead and model the data so it can have an M-M.