diff --git a/application/Espo/Core/Utils/Authentication/Espo.php b/application/Espo/Core/Utils/Authentication/Espo.php
index 5161dd05a6..661a6dd9e7 100644
--- a/application/Espo/Core/Utils/Authentication/Espo.php
+++ b/application/Espo/Core/Utils/Authentication/Espo.php
@@ -46,7 +46,8 @@ class Espo extends Base
 $user = $this->getEntityManager()->getRepository('User')->findOne([
 'whereClause' => [
 'userName' => $username,
- 'password' => $hash
+ 'password' => $hash,
+ 'type!=' => ['api', 'system']
 ]
 ]);
diff --git a/application/Espo/Core/Utils/Authentication/LDAP.php b/application/Espo/Core/Utils/Authentication/LDAP.php
index 30e7751a95..32abb83853 100644
--- a/application/Espo/Core/Utils/Authentication/LDAP.php
+++ b/application/Espo/Core/Utils/Authentication/LDAP.php
@@ -172,14 +172,14 @@ class LDAP extends Espo
 }
 }
- $user = $this->getEntityManager()->getRepository('User')->findOne(array(
- 'whereClause' => array(
+ $user = $this->getEntityManager()->getRepository('User')->findOne([
+ 'whereClause' => [
 'userName' => $username,
- ),
- ));
+ 'type!=' => ['api', 'system']
+ ]
+ ]);
- $isCreateUser = $this->getUtils()->getOption('createEspoUser');
- if (!isset($user) && $isCreateUser) {
+ if (!isset($user) && $this->getUtils()->getOption('createEspoUser')) {
 $userData = $ldapClient->getEntry($userDn);
 $user = $this->createUser($userData, $isPortal);
 }
diff --git a/application/Espo/Repositories/User.php b/application/Espo/Repositories/User.php
index 1c69f72dc2..3071193539 100644
--- a/application/Espo/Repositories/User.php
+++ b/application/Espo/Repositories/User.php
@@ -44,6 +44,10 @@ class User extends \Espo\Core\ORM\Repositories\RDB
 }
 }
+ if ($entity->has('type') && !$entity->get('type')) {
+ $entity->set('type', 'regular');
+ }
+
 $entity->clear('isAdmin');
 $entity->clear('isPortalUser');
 $entity->clear('isSuperAdmin');
diff --git a/application/Espo/Services/User.php b/application/Espo/Services/User.php
index bb7491d563..8904863d3a 100644
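Review bot: The new `'type!=' => ['api', 'system']` condition carries no comment explaining why those two types are barred from password login, and the same literal list is repeated in the LDAP.php lookup in the next hunk, so the two authenticators can silently drift apart. Since LDAP extends Espo (visible in the LDAP hunk header), hoist the list into one documented constant on this class, e.g. `/** User types that must never authenticate through a password or an LDAP bind. */ const NON_LOGIN_USER_TYPE_LIST = ['api', 'system'];`, and reference it from both lookups. If the ORM renders an array `type!=` as SQL `NOT IN`, a row whose `type` is NULL would also fail this filter, so verify existing users have a type before this ships. The surrounding login method continues outside the hunk.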
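Review bot: With the type filter in the lookup, an LDAP username that belongs to an existing api or system account now yields `$user === null`, and when `createEspoUser` is on the next line calls `createUser` for a userName that is already taken; whether that ends in a duplicate account or a uniqueness error depends on `createUser` and the schema, both outside the hunk, but neither is the intended "this account cannot log in" outcome. Look the user up by userName alone and refuse an api/system match before the create branch is reached. The rewrite below assumes this method signals a failed login by returning null, which the hunk does not show — confirm against the rest of the method, which starts and ends outside the hunk.
```php
$user = $this->getEntityManager()->getRepository('User')->findOne([
    'whereClause' => [
        'userName' => $username,
    ]
]);

// An api/system account must never be usable through LDAP, and must not be
// shadowed by an auto-created duplicate either: refuse before the create branch.
if (isset($user) && in_array($user->get('type'), ['api', 'system'], true)) {
    return null; // assumes null signals a failed login here — confirm
}

if (!isset($user) && $this->getUtils()->getOption('createEspoUser')) {
    // … unchanged: createUser branch …
```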
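Review bot: The default to `'regular'` is guarded by `$entity->has('type')`, so a new User saved without the attribute at all keeps whatever the storage default is; if that is NULL, the `type!=` filter added to the authenticators in this commit would presumably exclude such a user from logging in. For new records drop the `has` guard: `if ($entity->isNew() && !$entity->get('type')) {`, and add a one-line comment above it, `// Every user needs an explicit type; authentication and the service-layer checks key off it.` The enclosing method begins outside the hunk, so whether this runs on insert only or on every save is not visible here.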
--- a/application/Espo/Services/User.php
+++ b/application/Espo/Services/User.php
@@ -98,6 +98,8 @@ class User extends Record
 ]
 ];
+ protected $allowedUserTypeList = ['regular', 'admin', 'portal', 'api'];
+
 protected function getMailSender()
 {
 return $this->getContainer()->get('mailSender');
@@ -390,7 +392,10 @@ class User extends Record
 protected function beforeCreateEntity(Entity $entity, $data)
 {
- if ($this->getConfig()->get('userLimit') && !$this->getUser()->isSuperAdmin() && !$entity->isPortal()) {
+ if (
+ $this->getConfig()->get('userLimit') && !$this->getUser()->isSuperAdmin() &&
+ !$entity->isPortal() && !$entity->isApi()
+ ) {
 $userCount = $this->getInternalUserCount();
 if ($userCount >= $this->getConfig()->get('userLimit')) {
 throw new Forbidden('User limit '.$this->getConfig()->get('userLimit').' is reached.');
@@ -412,15 +417,27 @@ class User extends Record
 $entity->set('secretKey', $secretKey);
 }
 }
+
+ if (!$entity->isSuperAdmin()) {
+ if (
+ $entity->get('type') &&
+ !in_array($entity->get('type'), $this->allowedUserTypeList)
+ ) {
+ throw new Forbidden();
+ }
+ }
 }
 protected function beforeUpdateEntity(Entity $entity, $data)
 {
 if ($this->getConfig()->get('userLimit') && !$this->getUser()->isSuperAdmin()) {
 if (
- ($entity->get('isActive') && $entity->isAttributeChanged('isActive') && !$entity->isPortal())
+ (
+ $entity->get('isActive') && $entity->isAttributeChanged('isActive') &&
+ !$entity->isPortal() && !$entity->isApi()
+ )
 ||
- (!$entity->isPortal() && $entity->isAttributeChanged('type'))
+ (!$entity->isPortal() && !$entity->isApi() && $entity->isAttributeChanged('type'))
 ) {
 $userCount = $this->getInternalUserCount();
 if ($userCount >= $this->getConfig()->get('userLimit')) {
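Review bot: `$allowedUserTypeList` has no comment, and what the list means — the `type` values that pass the new checks in beforeCreateEntity and beforeUpdateEntity, with `'system'` (presumably deliberately) absent — is only discoverable by reading those methods further down. Add `/** User types that may be assigned through this service; 'system' is reserved for internal accounts and is never settable here. */` above the property. Since the list never changes at runtime, declaring it as a class `const` would state that intent as well.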
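Review bot: `$entity->isApi()` is called in the new condition here and again in beforeUpdateEntity in the next hunk, but no hunk in this diff defines it on the User entity; unless it already exists elsewhere, the condition will fatal whenever it is reached. Exempting api users from `userLimit` also means any caller allowed to set `type` to `'api'` (it is in `$allowedUserTypeList`) can create api accounts without bound; if that is intended, say so next to the condition, e.g. `// portal and api users do not count toward userLimit`. beforeCreateEntity continues past the hunk.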
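Review bot: The new guard is keyed on `$entity->isSuperAdmin()` — the record being saved — whereas the user-limit check above it is keyed on the acting user, `$this->getUser()->isSuperAdmin()`; if the entity method reflects the submitted `type` (not visible here), a non-super-admin caller who submits `type: 'super-admin'` skips the allowed-type check entirely, unless something outside the hunk already rejects that. If the intent is to exempt super-admin actors, the condition should read `if (!$this->getUser()->isSuperAdmin()) {`; if the intent is to let the `super-admin` value itself through, state that in a comment. `in_array` should pass `true` as its third argument so the type is compared strictly: `!in_array($entity->get('type'), $this->allowedUserTypeList, true)`. The same block, with one extra `isAttributeChanged('type')` term, is repeated in beforeUpdateEntity in the following hunk; extract it into one private helper (e.g. `checkUserType(Entity $entity)`) so both sites stay identical.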
@@ -447,6 +464,16 @@ class User extends Record
 $entity->set('secretKey', $secretKey);
 }
 }
+
+ if (!$entity->isSuperAdmin()) {
+ if (
+ $entity->isAttributeChanged('type') &&
+ $entity->get('type') &&
+ !in_array($entity->get('type'), $this->allowedUserTypeList)
+ ) {
+ throw new Forbidden();
+ }
+ }
 }
 protected function sendPassword(Entity $user, $password)
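Review bot: Only the new value of `type` is validated, so on update an existing `'system'` account can be moved to `'regular'` or `'admin'` by anyone allowed to edit the record, which would turn an internal account into one that the authenticators changed in this commit accept. If that is not intended, also reject a change away from the reserved type: `if ($entity->isAttributeChanged('type') && $entity->getFetched('type') === 'system') { throw new Forbidden(); }` — this assumes the ORM exposes the pre-save value through `getFetched`; confirm against the entity base class. beforeUpdateEntity starts outside the hunk.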