...
Code Block |
---|
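<?php

declare(strict_types=1);

include 'grouper.php';

session_start();

// The principal comes from the SSO layer in front of this script: REMOTE_USER
// is populated by the web server, not by the client.  Fail closed when it is
// missing, because without it there is nobody to authorise.
$username = $_SERVER['REMOTE_USER'] ?? '';
if (!is_string($username) || $username === '') {
    echo "username not detected";
    exit(1);
}

// Testing aid: the netids listed below may act as any other netid via
// ?backdoorUser=netid.  That is arbitrary user impersonation driven by a GET
// parameter, so it is disabled unless the deployment explicitly defines
// ALLOW_USER_IMPERSONATION as true (dev/test config only - never in prod).
// TODO remove this block entirely once testing is finished.
$impersonators = ['abc1', 'abc2', 'abc3'];
$impersonationEnabled = defined('ALLOW_USER_IMPERSONATION') && ALLOW_USER_IMPERSONATION === true;
if ($impersonationEnabled && in_array($username, $impersonators, true)) {
    $target = $_GET['backdoorUser'] ?? '';
    // is_string() rejects ?backdoorUser[]=x, which PHP would deliver as an array.
    if (is_string($target) && $target !== '') {
        $username = $target;
    }
}

// Everything below is written inside an HTML comment as a debugging aid.  It is
// invisible in the rendered page but still sent to the browser, so remove it
// before production - less information is more secure.
echo "<!-- \n";

// Group membership is cached in the session so that every request does not hit
// LDAP/Grouper.  The cache is keyed on the username: if the principal bound to
// this session changes, the previous answers must not be reused.
if (!isset($_SESSION['username']) || $_SESSION['username'] !== $username) {
    echo "checking grouper...\n";
    // A different user on an existing session: rotate the session id so cached
    // privileges cannot be carried over from (or to) the previous identity.
    if (isset($_SESSION['username'])) {
        session_regenerate_id(true);
    }
    $_SESSION['username'] = $username;
    $_SESSION['facultyOrStaff'] = ldapGroupHasMember("site:apps:secureWebApp:facultyStaff", $username);
    $_SESSION['facultyOrStaffOrStudent'] = ldapGroupHasMember("site:apps:secureWebApp:facultyStaffStudents", $username);
    $_SESSION['orgOrAdHoc'] = ldapGroupHasMember("site:apps:secureWebApp:orgAndAdHoc", $username);
} else {
    echo "not checking grouper, using cache...\n";
}

// Only the first character of the netid is echoed; never print the full
// identity or raw directory data outside a trusted debugging context.
echo "username: " . substr($username, 0, 1) . "...\n";
echo "facultyOrStaff: " . $_SESSION['facultyOrStaff'] . "\n";
echo "facultyOrStaffOrStudent: " . $_SESSION['facultyOrStaffOrStudent'] . "\n";
echo "orgOrAdHoc: " . $_SESSION['orgOrAdHoc'] . "\n";
echo "-->";
?>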
...