From e427184310312a5360ff38a887077189c1f83233 Mon Sep 17 00:00:00 2001
From: Nathan Coad
Date: Tue, 2 Apr 2024 15:11:24 +1100
Subject: [PATCH] test logic fix for ldap users not in an ldap group

---
 models/user.go | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/models/user.go b/models/user.go
index 6f525c1..769e814 100644
--- a/models/user.go
+++ b/models/user.go
@@ -19,6 +19,7 @@ type User struct {
 	LdapUser  bool      `db:"LdapUser" json:"ldapUser"`
 	Admin     bool      `db:"Admin"`
 	LastLogin time.Time `db:"LastLogin" json:"lastLogin"`
+	LdapGroup bool      `db:"LdapGroup"`
 }
 
 type UserRole struct {
@@ -122,7 +123,13 @@ func LoginCheck(username string, password string) (string, error) {
 	// Query database for matching user object
 	// Use IFNULL to handle situation where a user might not be a member of a group
-	err = db.QueryRowx("SELECT UserId, IFNULL(GroupId, 0) GroupId, UserName, Password, LdapUser, Admin FROM Users WHERE Username=?", username).StructScan(&u)
+
+	// TODO join on groups table so we can get the value in LdapGroup column
+
+	err = db.QueryRowx(`
+	SELECT users.UserId, IFNULL(users.GroupId, 0) GroupId, UserName, Password, LdapUser, users.Admin, groups.LdapGroup FROM Users
+	INNER JOIN groups ON users.GroupId = groups.GroupId
+	WHERE Username=?`, username).StructScan(&u)
 	if err != nil {
 		if err == sql.ErrNoRows {
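Review bot: The new `LdapGroup` field on `User` has no comment saying where its value comes from, and it is the value that later decides whether the LDAP group-membership re-check runs, so that deserves stating at the declaration. From the following hunk it appears to be filled from `groups.LdapGroup` via LoginCheck's join rather than from a column of Users; a field comment such as `// LdapGroup mirrors groups.LdapGroup for the user's group; populated by the join in LoginCheck` would make the dependency visible. Unlike `LdapUser` it also carries no `json` tag, so a default encoding would emit it as `LdapGroup` (consistent with `Admin`); if the struct is ever marshalled, decide explicitly between `json:"ldapGroup"` and `json:"-"`.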
@@ -186,14 +193,22 @@ func LoginCheck(username string, password string) (string, error) {
 		} else {
 			log.Printf("LoginCheck successfully verified LDAP user\n")
 
-			// confirm that current LDAP group membership matches a group
-			err := UserLdapGroupVerify(username, password)
+			// check if user's group membership is an ldap group or not
+			log.Printf("User id '%d' is a member of group '%d' which has ldapGroup status '%v'\n", u.UserId, u.GroupId, u.LdapGroup)
 
-			if err != nil {
-				// No valid group membership
-				errString := fmt.Sprintf("ldap group membership check unsuccessful : '%s'\n", err)
-				log.Printf("LoginCheck %s\n", errString)
-				return "", errors.New(errString)
+			// If user's group membership is an ldap group, then run UserLdapGroupVerify as we were doing before
+			if u.LdapGroup {
+				// confirm that current LDAP group membership matches a group
+				err := UserLdapGroupVerify(username, password)
+
+				if err != nil {
+					// No valid group membership
+					errString := fmt.Sprintf("ldap group membership check unsuccessful : '%s'\n", err)
+					log.Printf("LoginCheck %s\n", errString)
+					return "", errors.New(errString)
+				}
+			} else { // If user's group membership is not an ldap group, then we are fine and the login attempt was successful
+				log.Printf("No need to check ldap group membership since user is not a member of an ldap group\n")
 			}
 		}
 	} else {
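Review bot: The comment on the `} else {` line says the login attempt was successful, but that branch only logs and LoginCheck continues past the end of the hunk, so the outcome is decided later; `// Group is not an LDAP group: the LDAP membership re-check is skipped here, not passed` describes what the branch actually does and makes the skip explicit for anyone auditing the LDAP path. The new `if u.LdapGroup` block also keeps the inner `err := UserLdapGroupVerify(...)` that shadows LoginCheck's outer `err` and nests the pre-existing error handling one level deeper; a guard of the form `if !u.LdapGroup { log.Printf(...) } else if err := UserLdapGroupVerify(username, password); err != nil { ... }` keeps the verification path flatter and avoids the standalone shadowing declaration. Since `u.LdapGroup` now decides whether the LDAP group check runs at all, the log line added at the top of the branch is the only record of that decision and is worth keeping; the function's enclosing `if`/`else` starts and ends outside the hunk.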