From 07898de0524e8d796164f588802c11770e542c42 Mon Sep 17 00:00:00 2001
From: Djamil Legato
Date: Thu, 10 May 2018 19:14:40 -0700
Subject: [PATCH] Added support for groups and map to grav access level
---
 blueprints.yaml | 16 ++++++++++++++++
 login-ldap.php | 24 ++++++++++++++++++++----
 2 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/blueprints.yaml b/blueprints.yaml
index bb2e930..25625f4 100644
--- a/blueprints.yaml
+++ b/blueprints.yaml
@@ -215,6 +215,22 @@ form:
 type: array
 required: true
+ default_access_levels.access.groups:
+ classes: frontmatter
+ type: editor
+ label: Groups Access Level
+ autofocus: true
+ default: "admin:\r\n admin:\r\n login: true\r\n super: true\r\n site:\r\n login: true\r\nuser:\r\n site:\r\n login: true"
+ codemirror:
+ mode: 'yaml'
+ indentUnit: 2
+ autofocus: true
+ indentWithTabs: false
+ lineNumbers: true
+ styleActiveLine: true
+ gutters: ['CodeMirror-lint-markers']
+ lint: true
+
 tab_2:
 type: tab
 title: Instructions
diff --git a/login-ldap.php b/login-ldap.php
index 50ed2b7..b871b4b 100644
--- a/login-ldap.php
+++ b/login-ldap.php
@@ -7,6 +7,7 @@ use Grav\Plugin\Login\Events\UserLoginEvent;
 use Grav\Plugin\Login\Login;
 use Symfony\Component\Ldap\Ldap;
 use Symfony\Component\Ldap\Exception\ConnectionException;
+use Symfony\Component\Yaml\Yaml;
 /**
 * Class LoginLDAPPlugin
@@ -123,6 +124,7 @@ class LoginLDAPPlugin extends Plugin
 // Set defaults with only thing we know... username provided
 $grav_user['login'] = $credentials['username'];
 $grav_user['fullname'] = $credentials['username'];
+ $user_groups = [];
 // If search_dn is set we can try to get information from LDAP
 if ($search_dn) {
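Review bot: The `default:` value of the new `default_access_levels.access.groups` field in blueprints.yaml grants `admin.super: true` to any LDAP group whose `cn` is `admin`, so a directory group that merely shares that common name would map to Grav super-administrator. Whether the blueprint default reaches the live configuration depends on how the admin form persists defaults, which is not visible here; if it does, saving the plugin settings once would activate the mapping without the operator having chosen it. A non-privileged default such as `default: "user:\r\n site:\r\n login: true"` is safer, with the admin mapping shown only as an example under the Instructions tab.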
@@ -157,10 +159,13 @@ class LoginLDAPPlugin extends Plugin
 $query = $ldap->query($group_dn, 'gidnumber=' . $this->getLDAPMappedItem('gidNumber', $ldap_data));
 $groups = array_merge($groups, $query->execute()->toArray());
- if ($this->config->get('plugins.login-ldap.store_ldap_data', false)) {
- foreach ($groups as $group) {
- $attributes = $group->getAttributes();
- $userdata['ldap']['groups'][] = array_shift($attributes['cn']);
+ foreach ($groups as $group) {
+ $attributes = $group->getAttributes();
+ $user_group = array_shift($attributes['cn']);
+ $user_groups[] = $user_group;
+
+ if ($this->config->get('plugins.login-ldap.store_ldap_data', false)) {
+ $userdata['ldap']['groups'][] = $user_group;
 }
 }
 }
@@ -190,6 +195,17 @@ class LoginLDAPPlugin extends Plugin
 }
 }
+ // Give Admin Access
+ $admin_access = $this->config->get('plugins.login-ldap.default_access_levels.access.groups');
+ if ($admin_access && count($user_groups) && strlen($admin_access) > 0) {
+ $groups_access = Yaml::parse($admin_access);
+ foreach ($groups_access as $key => $group_access) {
+ if (in_array($key, $user_groups)) {
+ $grav_user->merge(['access' => $group_access]);
+ }
+ }
+ }
+
 // Optional save
 if ($this->config->get('plugins.login-ldap.save_grav_user', false)) {
 $grav_user->save();
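Review bot: `array_shift($attributes['cn'])` in the rewritten loop of the `@@ -157,10 +159,13 @@` hunk has no guard for a group entry without a `cn` attribute, and the loop now runs on every login instead of only when `store_ldap_data` is enabled. In that case a `null` is appended to `$user_groups`, and that array is what the later access-level mapping is matched against. Skipping such entries first, e.g. `if (empty($attributes['cn'])) { continue; }`, keeps the list to real group names; a short comment such as `// $user_groups: cn of every LDAP group the user belongs to, used for access mapping` would document the new variable. The enclosing method starts and ends outside this hunk.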
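Review bot: The membership test `in_array($key, $user_groups)` in the `@@ -190,6 +195,17 @@` hunk decides who receives the configured access levels but uses PHP's loose comparison, so a numeric-looking mapping key (a YAML key such as `1000` becomes an integer array key) can compare equal to a different LDAP `cn`. The same block passes free-form editor text to `Yaml::parse()` without handling a parse error or a non-array result, which would surface as an error in the middle of login. The version below compares strictly on strings and treats an unparsable or malformed mapping as granting nothing. Access is only ever merged here and the user may be saved right after, so it is worth confirming that rights are withdrawn when someone leaves a group; that logic, if it exists, lies outside this hunk.

```php
if ($admin_access && count($user_groups)) {
    try {
        $groups_access = Yaml::parse($admin_access);
    } catch (\Symfony\Component\Yaml\Exception\ParseException $e) {
        // Fail closed: an unparsable mapping grants no access
        $groups_access = null;
    }
    if (is_array($groups_access)) {
        foreach ($groups_access as $key => $group_access) {
            // Strict, string-typed match so numeric-looking names cannot collide
            if (is_array($group_access) && in_array((string) $key, $user_groups, true)) {
                // … unchanged: $grav_user->merge(['access' => $group_access]) …
            }
        }
    }
}
```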