
#2771 Finer-grained permissions for remote_user (Shibboleth)

Status: open
Owner: nobody
Labels: None
Priority: 1
Updated: 2023-06-12
Created: 2023-06-08
Creator: Anonymous
Private: No

Similar to ticket #2783, I also work for a large institution and have problems with people from other departments creating bookings when they should only be able to view.

Users are authenticated via Shibboleth, and I've specified usernames in config.inc.php with $auth['admin'] and $auth['user'].

It seems everyone authenticated as a remote_user is being assigned level 2 instead of level 0, making all my "user" definitions irrelevant and allowing open access to bookings that should be limited to specified people in that department, not all of whom should be admins. So for a calendar that should have two admins and about 15 regular users, it turns out there are hundreds of people able to book time.

Is there a way to manage the permissions in MRBS, without having to add the limitations to Apache for each department's calendar?

Discussion

  • Campbell Morrison

    What code are you using for Shibboleth authentication? And I take it that #2783 was a typo, as that ticket number hasn't been reached yet.

     
  • Anonymous

    Anonymous - 2023-06-09

    Yes, 2783 was a typo for https://sourceforge.net/p/mrbs/support-requests/2763/ :(

    I'm using the code recommended in the documentation,

    $auth['session']  = "remote_user";
    $auth['type'] = 'none';
    

    I've also tried
    $auth['type'] = 'config';
    and adding
    unset($auth["user"]);
    without having any discernible effect.

     
  • Campbell Morrison

    MRBS does not support authentication against a Shibboleth system: it needs some code enhancements. There was a patch provided at https://sourceforge.net/p/mrbs/patches/52/ but I don't know whether it still works.

     
  • Anonymous

    Anonymous - 2023-06-09

    But irrespective of whether remote_user is being provided by shibboleth or a different external sign-on method, isn't there something I can do to say "all authenticated users are allowed to view, but only these can book" below the level of admin?

     
  • Campbell Morrison

    What happens in standard MRBS is that all authenticated users are assigned level 1 and admins are assigned level 2. You'd need to modify MRBS to achieve what you want to do. If you set

    $auth['session']  = "remote_user";
    $auth['type'] = 'custom';
    

    and then add the attached file to lib/MRBS/Auth then it may do what you are looking for (though I haven't tested it). Users that can book are defined in the config file setting $auth['user']. However it may not be exactly what you want as both authenticated and unauthenticated remote users are assigned level 0 and will be able to view bookings. But perhaps you have a way of preventing unauthenticated users accessing MRBS in the first place.

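The two level-assignment policies described in the reply above, modelled as an added, stand-alone Python audit script (this is not MRBS code and does not use its Auth classes). The admin list, user list and campus population are constructed sample data standing in for $auth['admin'], $auth['user'] and the accounts Shibboleth can authenticate; the check reports how many people can book without being on either list under each policy.

```python
# Constructed model of the MRBS access levels discussed in the thread; not MRBS code.
from typing import Callable, Optional, Set

LEVEL_VIEW, LEVEL_USER, LEVEL_ADMIN = 0, 1, 2

# Constructed sample data standing in for config.inc.php $auth['admin'] / $auth['user']
# and for the institution-wide population that Shibboleth can authenticate.
ADMINS = {"dept_admin1", "dept_admin2"}
USERS = {f"dept_user{i:02d}" for i in range(1, 16)}                  # 15 regular bookers
CAMPUS = ADMINS | USERS | {f"other{i:03d}" for i in range(1, 301)}   # 300 unrelated staff


def level_standard(remote_user: Optional[str]) -> int:
    """Standard MRBS behaviour as described in the reply: any authenticated
    remote user gets level 1 (can book); names in $auth['admin'] get level 2."""
    if not remote_user:
        return LEVEL_VIEW
    return LEVEL_ADMIN if remote_user in ADMINS else LEVEL_USER


def level_restricted(remote_user: Optional[str]) -> int:
    """Behaviour of the custom scheme: only names in $auth['user'] may book,
    admins get level 2, and everyone else (authenticated or not) gets level 0."""
    if not remote_user:
        return LEVEL_VIEW
    if remote_user in ADMINS:
        return LEVEL_ADMIN
    if remote_user in USERS:
        return LEVEL_USER
    return LEVEL_VIEW


def unexpected_bookers(policy: Callable[[Optional[str]], int]) -> Set[str]:
    """Audit check: everyone who can book (level >= 1) without being listed as an
    admin or a user. Should be empty for a correctly scoped departmental calendar."""
    listed = ADMINS | USERS
    return {u for u in CAMPUS if policy(u) >= LEVEL_USER and u not in listed}


if __name__ == "__main__":
    for name, policy in (("standard", level_standard), ("restricted", level_restricted)):
        extra = unexpected_bookers(policy)
        print(f"{name}: {len(extra)} people can book who are not in the admin/user lists")
```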
     
  • Anonymous

    Anonymous - 2023-06-12

    That did the trick!

    Thank you.