Add restricted user filter to LDAP authentication (#10600)

* Add restricted user filter to LDAP authentification * Fix unit test cases
2025-10-29 10:57:44 +09:00 · 2020-03-05 08:30:33 +02:00
parent be544e8e6a
commit 37c3db7be6
12 changed files with 146 additions and 52 deletions
--- a/models/login_source.go
+++ b/models/login_source.go
@@ -475,13 +475,23 @@ func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*Use
 				return nil, err
 			}
 		}
-		if user != nil &&
-			!user.ProhibitLogin && len(source.LDAP().AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {
-			// Change existing admin flag only if AdminFilter option is set
-			user.IsAdmin = sr.IsAdmin
-			err = UpdateUserCols(user, "is_admin")
-			if err != nil {
-				return nil, err
+		if user != nil && !user.ProhibitLogin {
+			cols := make([]string, 0)
+			if len(source.LDAP().AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {
+				// Change existing admin flag only if AdminFilter option is set
+				user.IsAdmin = sr.IsAdmin
+				cols = append(cols, "is_admin")
+			}
+			if !user.IsAdmin && len(source.LDAP().RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted {
+				// Change existing restricted flag only if RestrictedFilter option is set
+				user.IsRestricted = sr.IsRestricted
+				cols = append(cols, "is_restricted")
+			}
+			if len(cols) > 0 {
+				err = UpdateUserCols(user, cols...)
+				if err != nil {
+					return nil, err
+				}
 			}
 		}
 	}
@@ -504,15 +514,16 @@ func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*Use
 	}

 	user = &User{
-		LowerName:   strings.ToLower(sr.Username),
-		Name:        sr.Username,
-		FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),
-		Email:       sr.Mail,
-		LoginType:   source.Type,
-		LoginSource: source.ID,
-		LoginName:   login,
-		IsActive:    true,
-		IsAdmin:     sr.IsAdmin,
+		LowerName:    strings.ToLower(sr.Username),
+		Name:         sr.Username,
+		FullName:     composeFullName(sr.Name, sr.Surname, sr.Username),
+		Email:        sr.Mail,
+		LoginType:    source.Type,
+		LoginSource:  source.ID,
+		LoginName:    login,
+		IsActive:     true,
+		IsAdmin:      sr.IsAdmin,
+		IsRestricted: sr.IsRestricted,
 	}

 	err := CreateUser(user)