Similar to ticket #2783, I also work for a large institution and have problems with people from other departments creating bookings when they should only be able to view.
Users are authenticated via Shibboleth, and I've specified usernames in config.inc.php with $auth['admin'] and $auth['user'].
It seems everyone authenticated as a remote_user is being assigned level 2 instead of level 0, making all my "user" definitions irrelevant and allowing open access to bookings that should be limited to specified people in that department, not all of whom should be admins. So for a calendar that should have two admins and about 15 regular users, it turns out there are hundreds of people able to book time.
Is there a way to manage the permissions in MRBS, without having to add the limitations to Apache for each department's calendar?
What code are you using for Shibboleth authentication? And I take it that #2783 was a typo, as that ticket number hasn't been reached yet.
Yes, 2783 was a typo for https://sourceforge.net/p/mrbs/support-requests/2763/ :(
I'm using the code recommended in the documentation,
I've also tried
$auth['type'] = 'config';
and adding
unset($auth["user"]);
without having any discernible effect
MRBS does not support authentication against a Shibboleth system: it needs some code enhancements. There was a patch provided at https://sourceforge.net/p/mrbs/patches/52/ but I don't know whether it still works.
But irrespective of whether remote_user is being provided by Shibboleth or a different external sign-on method, isn't there something I can do to say "all authenticated users are allowed to view, but only these can book" below the level of admin?
What happens in standard MRBS is that all authenticated users are assigned level 1 and admins are assigned level 2. You'd need to modify MRBS to achieve what you want to do. If you set
and then add the attached file to lib/MRBS/Auth then it may do what you are looking for (though I haven't tested it). Users that can book are defined in the config file setting $auth['user']. However it may not be exactly what you want as both authenticated and unauthenticated remote users are assigned level 0 and will be able to view bookings. But perhaps you have a way of preventing unauthenticated users accessing MRBS in the first place.
That did the trick!
Thank you.
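
The level mapping described in the last reply, written out as an added example that is not part of the thread and is not MRBS code or the attached file. The function names, the sample accounts and the case-insensitive name comparison are assumptions made for illustration.

```php
<?php
// Added illustration, not MRBS code. Function names and accounts are hypothetical.

// Assumption: names are compared case-insensitively after trimming.
function normalise_user(?string $name): string
{
    return strtolower(trim((string) $name));
}

function listed(string $user, array $names): bool
{
    return in_array($user, array_map('normalise_user', $names), true);
}

// Standard behaviour as described in the thread: every authenticated
// user gets level 1, admins get level 2.
function standard_level(?string $remote_user, array $auth): int
{
    $u = normalise_user($remote_user);
    if ($u === '') {
        return 0;                       // no REMOTE_USER: view only
    }
    return listed($u, $auth['admin'] ?? []) ? 2 : 1;
}

// Modified behaviour: only names in $auth['user'] reach level 1. Every other
// remote user, authenticated or not, stays at level 0 and can only view.
function restricted_level(?string $remote_user, array $auth): int
{
    $u = normalise_user($remote_user);
    if ($u === '') {
        return 0;
    }
    if (listed($u, $auth['admin'] ?? [])) {
        return 2;
    }
    return listed($u, $auth['user'] ?? []) ? 1 : 0;
}

// Constructed sample configuration and sign-ins.
$auth = ['admin' => ['alice'], 'user' => ['bob', 'carol']];
foreach (['alice', 'Bob', 'dave', '', null] as $name) {
    printf("%-8s standard=%d restricted=%d\n", var_export($name, true),
        standard_level($name, $auth), restricted_level($name, $auth));
}
```

An account such as the constructed "dave", authenticated by the single sign-on but absent from both lists, is the case that differs between the two mappings.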