Deny soft deleted users from authenticating

stevebauman · stevebauman · commit 057b5fdc83fe · 2016-09-29T10:30:22.000-04:00
- Closes #181
diff --git a/src/AdldapAuthUserProvider.php b/src/AdldapAuthUserProvider.php
@@ -56,6 +56,11 @@ public function retrieveByCredentials(array $credentials)
             // Construct / retrieve the eloquent model from our Adldap user.
             $model = $this->getModelFromAdldap($user, $password);
 
+            if (method_exists($model, 'trashed') && $model->trashed()) {
+                // We won't allow deleted users to authenticate.
+                return;
+            }
+
             // Perform other authenticated tasks.
             $this->handleAuthenticatedWithCredentials($user, $model);
 
@@ -74,9 +79,9 @@ public function retrieveByCredentials(array $credentials)
      */
     public function validateCredentials(Authenticatable $user, array $credentials)
     {
-        // Check if we already have an authenticated AD user.
+        // Check if we have an authenticated AD user.
         if ($this->user instanceof User) {
-            // We'll save the model in case of changes.
+            // We'll save the authenticated model in case of changes.
             $this->saveModel($user);
 
             return true;
diff --git a/src/Commands/Import.php b/src/Commands/Import.php
@@ -116,7 +116,7 @@ public function isLogging()
     }
 
     /**
-     * Returns the limitation filter for importing users.
+     * Returns the limitation filter for the user query.
      *
      * @return string
      */
diff --git a/src/Traits/ImportsUsers.php b/src/Traits/ImportsUsers.php
@@ -24,6 +24,30 @@ abstract public function createModel();
      * @return \Illuminate\Database\Eloquent\Model
      */
     protected function getModelFromAdldap(User $user, $password = null)
+    {
+        $model = $this->findOrCreateModelFromAdldap($user);
+
+        // Sync the users password (if enabled). If no password is
+        // given, we'll pass in a random 16 character string.
+        $model = $this->syncModelPassword($model, $password ?: str_random());
+
+        // Synchronize other active directory attributes on the model.
+        $model = $this->syncModelFromAdldap($user, $model);
+
+        // Bind the Adldap model to the eloquent model (if enabled).
+        $model = ($this->getBindUserToModel() ? $this->bindAdldapToModel($user, $model) : $model);
+
+        return $model;
+    }
+
+    /**
+     * Finds an Eloquent model from the specified Adldap user.
+     *
+     * @param \Adldap\Models\User $user
+     *
+     * @return \Illuminate\Database\Eloquent\Model
+     */
+    protected function findOrCreateModelFromAdldap(User $user)
     {
         // Get the model key.
         $attributes = $this->getUsernameAttribute();
@@ -34,29 +58,18 @@ protected function getModelFromAdldap(User $user, $password = null)
         // Get the username from the AD model.
         $username = $user->{$attributes[$key]};
 
-        // Make sure we retrieve the first username
-        // result if it's an array.
+        // Make sure we retrieve the first username result if it's an array.
         $username = (is_array($username) ? array_get($username, 0) : $username);
 
-        // Try to retrieve the model from the model key and AD username.
-        $model = $this->createModel()->newQuery()->where([$key => $username])->first();
+        // Try to find the local database user record.
+        $model = $this->newEloquentQuery($key, $username)->first();
 
-        // Create the model instance of it isn't found.
+        // Create a new model instance of it isn't found.
         $model = ($model instanceof Model ? $model : $this->createModel());
 
         // Set the username in case of changes in active directory.
         $model->{$key} = $username;
 
-        // Sync the users password (if enabled). If no password is
-        // given, we'll assign a random 16 character string.
-        $model = $this->syncModelPassword($model, $password ?: str_random());
-
-        // Synchronize other active directory attributes on the model.
-        $model = $this->syncModelFromAdldap($user, $model);
-
-        // Bind the Adldap model to the eloquent model (if enabled).
-        $model = ($this->getBindUserToModel() ? $this->bindAdldapToModel($user, $model) : $model);
-
         return $model;
     }
 
@@ -213,6 +226,28 @@ protected function newAdldapUserQuery($provider = null, $filter = null)
         return $query->select($this->getSelectAttributes());
     }
 
+    /**
+     * Returns a new Eloquent user query.
+     *
+     * @param string $key
+     * @param string $username
+     *
+     * @return \Illuminate\Database\Eloquent\Builder
+     */
+    protected function newEloquentQuery($key, $username)
+    {
+        $model = $this->createModel();
+
+        if (method_exists($model, 'trashed')) {
+            // If the trashed method exists on our User model, then we must be
+            // using soft deletes. We need to make sure we include these
+            // results so we don't create duplicate user records.
+            $model = $model->withTrashed();
+        }
+
+        return $model->where([$key => $username]);
+    }
+
     /**
      * Returns Adldap's current attribute schema.
      *

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ public function isLogging()`
`116`	`116`	`}`
`117`	`117`
`118`	`118`	`/**`
`119`		`- * Returns the limitation filter for importing users.`
	`119`	`+ * Returns the limitation filter for the user query.`
`120`	`120`	`*`
`121`	`121`	`* @return string`
`122`	`122`	`*/`