- [CAS allowed LDAP groups](https://github.com/wekan/meteor-accounts-cas/pull/4).

Thanks to ppoulard !

Please test.

Related #2356

2 files changed, 34 insertions, 6 deletions

diff --git a/packages/meteor-accounts-cas/cas_client.js b/packages/meteor-accounts-cas/cas_client.js
index bd94be6b..ca9288ae 100644
--- a/packages/meteor-accounts-cas/cas_client.js
+++ b/packages/meteor-accounts-cas/cas_client.js
@@ -81,7 +81,12 @@ Meteor.loginWithCas = function(options, callback) {
             // check auth on server.
             Accounts.callLoginMethod({
                 methodArguments: [{ cas: { credentialToken: credentialToken } }],
-                userCallback: callback
+                userCallback: err => {
+                    // Fix redirect bug after login successfully
+                    if (!err) {
+                        window.location.href = '/';
+                    }
+                }
             });
         }
     }, 100);
diff --git a/packages/meteor-accounts-cas/cas_server.js b/packages/meteor-accounts-cas/cas_server.js
index 15c1b174..2e8edef2 100644
--- a/packages/meteor-accounts-cas/cas_server.js
+++ b/packages/meteor-accounts-cas/cas_server.js
@@ -71,14 +71,37 @@ class CAS {
                 callback({message: 'Empty response.'});
               }
               if (result['cas:serviceResponse']['cas:authenticationSuccess']) {
-                var userData = {
+                const userData = {
                   id: result['cas:serviceResponse']['cas:authenticationSuccess'][0]['cas:user'][0].toLowerCase(),
-                }
+                };
                 const attributes = result['cas:serviceResponse']['cas:authenticationSuccess'][0]['cas:attributes'][0];
-                for (var fieldName in attributes) {
+
+                // Check allowed ldap groups if exist (array only)
+                // example cas settings : "allowedLdapGroups" : ["wekan", "admin"],
+                let findedGroup = false;
+                const allowedLdapGroups = Meteor.settings.cas.allowedLdapGroups || false;
+                for (const fieldName in attributes) {
+                  if (allowedLdapGroups && fieldName === 'cas:memberOf') {
+                    for (const groups in attributes[fieldName]) {
+                      const str = attributes[fieldName][groups];
+                      if (!Array.isArray(allowedLdapGroups)) {
+                        callback({message: 'Settings "allowedLdapGroups" must be an array'});
+                      }
+                      for (const allowedLdapGroup in allowedLdapGroups) {
+                        if (str.search(`cn=${allowedLdapGroups[allowedLdapGroup]}`) >= 0) {
+                          findedGroup = true;
+                        }
+                      }
+                    }
+                  }
                   userData[fieldName] = attributes[fieldName][0];
-                };
-                callback(undefined, true, userData);
+                }
+
+                if (allowedLdapGroups && !findedGroup) {
+                  callback({message: 'Group not finded.'}, false);
+                } else {
+                  callback(undefined, true, userData);
+                }
               } else {
                 callback(undefined, false);
               }