From: Dagfinn Ilmari Mannsåker
Date: Thu, 19 Feb 2015 19:34:40 +0000 (+0000)
Subject: Use the stored user credentials to look up roles
X-Git-Tag: v1.015~5
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=5a9aba6e13855eefe942190745802604cf8b72b0;hp=18d41a8f2fa6fcc3957535176d9cbc4715bd3f84;p=catagits%2FCatalyst-Authentication-Store-LDAP.git
Use the stored user credentials to look up roles
---
diff --git a/Changes b/Changes
index aa3e1e0..92b11c8 100644
--- a/Changes
+++ b/Changes
@@ -1,4 +1,5 @@
 - Escape special characters in user/role names
+ - Use the stored user credentials to look up roles
 1.014 26 April 2013
 - Don't fall back to unauthenticated bind when authenticating
diff --git a/lib/Catalyst/Authentication/Store/LDAP/Backend.pm b/lib/Catalyst/Authentication/Store/LDAP/Backend.pm
index 8e69c59..403b63c 100644
--- a/lib/Catalyst/Authentication/Store/LDAP/Backend.pm
+++ b/lib/Catalyst/Authentication/Store/LDAP/Backend.pm
@@ -378,7 +378,8 @@ sub lookup_roles {
 if ( $self->use_roles == 0 || $self->use_roles =~ /^false$/i ) {
 return undef;
 }
- $ldap ||= $self->ldap_bind;
+ $ldap ||= $self->role_search_as_user
+ ? $userobj->ldap_connection : $self->ldap_bind;
 my @searchopts;
 if ( defined( $self->role_basedn ) ) {
 push( @searchopts, 'base' => $self->role_basedn );
diff --git a/lib/Catalyst/Authentication/Store/LDAP/User.pm b/lib/Catalyst/Authentication/Store/LDAP/User.pm
index ec3fa25..cafeab4 100644
--- a/lib/Catalyst/Authentication/Store/LDAP/User.pm
+++ b/lib/Catalyst/Authentication/Store/LDAP/User.pm
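Review bot: The new `$ldap ||=` assignment in lookup_roles uses whatever `$userobj->ldap_connection` returns, and nothing in this hunk checks that the user object holds credentials from a successful check_password. For a user object that never went through check_password (for example one rebuilt for a later request), what ldap_connection does is not visible here, so please confirm it cannot end up as an anonymous bind or a bind with an undefined password. A guard such as `return unless defined $ldap;` right after the assignment, or a croak inside ldap_connection when no password is stashed, would make the role search fail closed. lookup_roles continues past the end of the hunk.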
@@ -144,12 +144,6 @@ sub check_password {
 = $self->store->ldap_bind( undef, $self->ldap_entry->dn, $password, 'forauth' );
 if ( defined($ldap) ) {
- if ($self->store->role_search_as_user) {
- # FIXME - This can be removed and made to use the code below..
- # Have to do the role lookup _now_, as this is the only time
- # that we have the user's password/ldap bind..
- $self->roles($ldap);
- }
 # Stash a closure which can be used to retrieve the connection in the users context later.
 $_ldap_connection_passwords{refaddr($self)} = $password;
 return 1;
@@ -167,8 +161,7 @@ Returns the results of L's "look
 sub roles {
 my $self = shift;
- my $ldap = shift;
- $self->{_roles} ||= [$self->store->lookup_roles($self, $ldap)];
+ $self->{_roles} ||= [$self->store->lookup_roles($self)];
 return @{$self->{_roles}};
 }
diff --git a/t/10-roles-mock.t b/t/10-roles-mock.t
index 49a7d18..d4a4a43 100644
--- a/t/10-roles-mock.t
+++ b/t/10-roles-mock.t
@@ -104,7 +104,12 @@ is_deeply(\@binds, [
 'ou=foobar',
 'password',
 'password'
- ], # Rebind to confirm user _and_ lookup roles;
+ ], # Rebind to confirm user
+ [
+ 'ou=foobar',
+ 'password',
+ 'password'
+ ], # Rebind with user credentials to find roles
 [ undef ], # Second user search
 ], 'Binds as expected');
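Review bot: With the eager `$self->roles($ldap)` call removed from check_password, the plaintext password kept in `%_ldap_connection_passwords` (context line, keyed by `refaddr($self)`) becomes the only way the role search can bind as the user, so the lifetime of that entry now matters more. Please confirm, outside this hunk, that the entry is deleted when the object is destroyed: with refaddr keys a stale entry could be picked up by a later object allocated at the same address, and the password otherwise stays in process memory longer than needed. If no cleanup exists, `sub DESTROY { delete $_ldap_connection_passwords{refaddr($_[0])} }` is the usual pattern. The retained comment also still says "Stash a closure" although the line stores the password itself. check_password starts and ends outside the hunk.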
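Review bot: `$self->{_roles} ||= [...]` in roles keeps the first lookup for the life of the object, because an array reference is always true, and after this change the first lookup is no longer tied to a successful bind. If roles is called before check_password with role_search_as_user enabled, the result of that lookup (presumably empty or failed) is cached and a later successful authentication will not refresh it. Consider caching only once credentials are present, or state the precondition in the POD above the sub, e.g. `With role_search_as_user, roles are only available after check_password has succeeded.`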
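Review bot: The updated expectation covers only the path where check_password has run before the role search; there is no case for a role lookup on a user object that has no stashed credentials. Since the lookup now depends on that stash, a second assertion on `@binds` for that case would pin down that no bind with an undefined password is issued and that the lookup returns no roles. The is_deeply call starts before the hunk.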