fix(auth): enforce LDAP login identity match

This commit is contained in:
Crane.z
2026-07-08 16:13:06 +08:00
committed by 老广
parent d645f50a86
commit dfe1f11c92

View File

@@ -99,8 +99,28 @@ class LDAPBaseBackend(LDAPBackend):
return None
user = self.authenticate_ldap_user(ldap_user, password)
logger.info('Authenticate user: {}'.format(user))
if not user:
return None
if not self._is_same_login_user(username, user):
return None
return user if self.user_can_authenticate(user) else None
def _is_same_login_user(self, submitted_username, user):
query_field = self.settings.USER_QUERY_FIELD or self.get_user_model().USERNAME_FIELD
submitted = self._normalize_login_identity(submitted_username)
authenticated = self._normalize_login_identity(getattr(user, query_field, None))
if not submitted or not authenticated:
return False
if submitted != authenticated:
return False
return True
@staticmethod
def _normalize_login_identity(value):
if value is None:
return ''
return str(value).strip().casefold()
def pre_check(self, username, password):
if not self.is_enabled():
error = 'Not enabled auth ldap'