[horde] [cvs] commit: framework/Auth package.xml framework/Auth/Auth ipmap.php

[Chuck Hagenbuch]

Quoting Vilius ?umskas <vilius at lnk.lt>:


> I actually have a question about this, or maybe it is more general
> question about how composite driver works.
>
> Basically I have a situation where I want to specify different
> permissions for the intranet and extranet users. For example I want to
> allow NOT logged in users from intranet to view Agora forums, but
> extranet users should not see anything. But when both intranet and
> extranet users login they should have permission to view and post
> everywhere.
>
> As far as I understood this is impossible with current composite driver
> (even if ipmap driver would have been implemented), because
> _horde_login_screen function returns onlye *one* of the drivers based on some
> condition and does not perform "chained" authentication I need.

Right.

> For now I've hacked Horde permission system like this
> in Perms/datatree.php file in getPermissions function:
>
> if (empty($user)) {
>    if (substr($_SERVER['REMOTE_ADDR'], 0, 7) == '<myinneriprange>' ||
>        $_SERVER['REMOTE_ADDR'] == '<mydmzaddress>') {
>        return $permission->getGuestPermissions();
>    } else {
>        return false;
>    }
> }
>
> But I wonder is there any other more convenient way to do this? What other
> sysadmins with similar intranet/extranet installations do?

It would be _much_ safer in terms of upgrades to just put something like:

if (Auth::getAuth() || <<internal ip>>) {
     // registry stanza for agora goes here
}

in config/registry.php.

The fact that our config files are PHP allows a _lot_ of flexibility.

-chuck