Skip to content
Snippets Groups Projects
Commit 09a4489b authored by Dick Visser's avatar Dick Visser
Browse files

New array syntax, fix missing brackets

parent 1107b3f1
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
modules/authorize/docs/authorize.md
+ 40
37
View file @ 09a4489b
...@@ -2,9 +2,9 @@ authorize Module ...@@ -2,9 +2,9 @@ authorize Module
================ ================
<!-- <!--
This file is written in Markdown syntax. This file is written in Markdown syntax.
For more information about how to use the Markdown syntax, read here: For more information about how to use the Markdown syntax, read here:
http://daringfireball.net/projects/markdown/syntax http://daringfireball.net/projects/markdown/syntax
--> -->
* Author: Ernesto Revilla <erny@yaco.es>, Yaco Sistemas, Ryan Panning * Author: Ernesto Revilla <erny@yaco.es>, Yaco Sistemas, Ryan Panning
...@@ -20,9 +20,9 @@ This module provides a user authorization filter based on attribute matching for ...@@ -20,9 +20,9 @@ This module provides a user authorization filter based on attribute matching for
`authorize:Authorize` `authorize:Authorize`
--------------------- ---------------------
There are two configuration options that can be defined; deny and regex. All other filter configuration options are considered attribute matching rules. There are three configuration options that can be defined: `deny`, `regex`, and `reject_msg`. All other filter configuration options are considered attribute matching rules.
The users not authorized will be shown a 403 Forbidden page. Unauthorized will be shown a 403 Forbidden page.
### Deny ### ### Deny ###
The default action of the filter is to authorize only if an attribute match is found (default allow). When set to TRUE, this option reverses that rule and authorizes the user unless an attribute match is found (default deny), causing an unauthorized action. The default action of the filter is to authorize only if an attribute match is found (default allow). When set to TRUE, this option reverses that rule and authorizes the user unless an attribute match is found (default deny), causing an unauthorized action.
...@@ -52,44 +52,47 @@ Note: If regex is enabled, you must use the preg_match format, i.e. you have to ...@@ -52,44 +52,47 @@ Note: If regex is enabled, you must use the preg_match format, i.e. you have to
### Examples ### ### Examples ###
To use this filter configure it in `config/config.php`: To use this filter configure it in `config/config.php`:
'authproc.sp' => array( 'authproc.sp' => [
60 => array( 60 => [
'class' => 'authorize:Authorize', 'class' => 'authorize:Authorize',
'uid' => array( 'uid' => array(
'/.*@example.com/', '/.*@example.com/',
'/(user1|user2|user3)@example.edu/', '/(user1|user2|user3)@example.edu/',
), ],
'schacUserStatus' => '@urn:mace:terena.org:userStatus:' . 'schacUserStatus' => '@urn:mace:terena.org:userStatus:' .
'example.org:service:active.*@', 'example.org:service:active.*@',
) ]
]
An alternate way of using this filter is to deny certain users. Or even use multiple filters to create a simple ACL, by first allowing a group of users but then denying a "black list" of users. An alternate way of using this filter is to deny certain users. Or even use multiple filters to create a simple ACL, by first allowing a group of users but then denying a "black list" of users.
'authproc.sp' => array( 'authproc.sp' => [
60 => array( 60 => array[
'class' => 'authorize:Authorize', 'class' => 'authorize:Authorize',
'deny' => TRUE, 'deny' => TRUE,
'uid' => array( 'uid' => [
'/.*@students.example.edu/', '/.*@students.example.edu/',
'/(stu1|stu2|stu3)@example.edu/', '/(stu1|stu2|stu3)@example.edu/',
) ]
) ]
]
The regex pattern matching can be turned off, allowing for exact attribute matching rules. This can be helpful in cases where you know what the value should be. An example of this is with the memberOf attribute or using the ldap:AttributeAddUsersGroups filter with the group attribute. The regex pattern matching can be turned off, allowing for exact attribute matching rules. This can be helpful in cases where you know what the value should be. An example of this is with the memberOf attribute or using the ldap:AttributeAddUsersGroups filter with the group attribute.
Additionally, some helpful instructions are shown. Additionally, some helpful instructions are shown.
'authproc.sp' => array( 'authproc.sp' => [
60 => array( 60 => [
'class' => 'authorize:Authorize', 'class' => 'authorize:Authorize',
'regex' => FALSE, 'regex' => FALSE,
'group' => array( 'group' => array(
'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu', 'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu',
'CN=All Teachers,OU=Staff,DC=example,DC=edu', 'CN=All Teachers,OU=Staff,DC=example,DC=edu',
), ],
'reject_msg' => array( 'reject_msg' => [
'en' => 'This service is only available to students and teachers. Please contact <a href="mailto:support@example.edu">support</a>.', 'en' => 'This service is only available to students and teachers. Please contact <a href="mailto:support@example.edu">support</a>.',
'nl' => 'Deze dienst is alleen beschikbaar voor studenten en docenten. Neem contact op met <a href="mailto:support@example.edu">support</a>.', 'nl' => 'Deze dienst is alleen beschikbaar voor studenten en docenten. Neem contact op met <a href="mailto:support@example.edu">support</a>.',
) ]
) ]
]
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment