diff --git a/app/config/default.php b/app/config/default.php
index 5484a113f..f8c6806e3 100755
--- a/app/config/default.php
+++ b/app/config/default.php
@@ -90,6 +90,7 @@
 'ldapPassword' => '',
 'oauthGoogleId' => '',
 'oauthGoogleSecret' => '',
+ 'oauthAppsDomains' => '',
 'oauthGoogleAdmins' => '',
 ),
diff --git a/app/lang/en/admin.php b/app/lang/en/admin.php
index 97b577f96..e80406402 100755
--- a/app/lang/en/admin.php
+++ b/app/lang/en/admin.php
@@ -212,6 +212,8 @@
 "client_id" => "Client ID",
 "client_secret" => "Client secret",
 "client_secret_exp" => "You can generate client ID and secret key at the",
+ "apps_domains" => "Apps Domains",
+ "apps_domains_exp" => "Restrict oAuth logins to these Google Apps domains",
 "admin_emails" => "Admin emails",
 "admin_emails_exp" => "Users with these email addresses will be granted admin access. Please enter one email ". "address per line.",
diff --git a/app/lib/auth/StickyNotesOAuthUserProvider.php b/app/lib/auth/StickyNotesOAuthUserProvider.php
index 9eb165a5e..c560c6514 100755
--- a/app/lib/auth/StickyNotesOAuthUserProvider.php
+++ b/app/lib/auth/StickyNotesOAuthUserProvider.php
@@ -138,7 +138,7 @@ public function retrieveByCredentials(array $credentials)
 // Instantiate the Google service using the credentials, http client and storage mechanism for the token
 $service = new ServiceFactory();
- $google = $service->createService('google', $credentials, $storage, array('userinfo_email', 'groups_provisioning'));
+ $google = $service->createService('google', $credentials, $storage, array('userinfo_email'));
 // Google responded with a code
 if (Input::has('code'))
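Review bot: The new `apps_domains_exp` help text in the admin.php hunk does not tell the administrator how several domains are to be separated, or what an empty value means, whereas the neighbouring `admin_emails_exp` spells out "one email address per line"; the parser this commit adds in StickyNotesOAuthUserProvider splits on whitespace or commas and skips the check entirely when the field is blank. Suggest `"apps_domains_exp" => "Restrict oAuth logins to users of these Google Apps domains. Enter one domain per line or separate them with commas; leave empty to allow any domain.",` so the two fields read consistently and the permissive default is explicit.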
@@ -154,6 +154,21 @@ public function retrieveByCredentials(array $credentials)
 {
 if ($result['verified_email'])
 {
+ // We extract the username from the email address of the user
+ list ($username, $domain) = explode('@', $result['email'], 2);
+
+ // Check to make sure that the user is in the list of authorized Google apps domains,
+ // if the apps domains variable is not empty
+ if (trim($this->auth->oauthAppsDomains) != false)
+ {
+ $appsDomains = preg_split("/[\s,]+/", $this->auth->oauthAppsDomains, -1, PREG_SPLIT_NO_EMPTY);
+ if(!in_array($domain, $appsDomains))
+ {
+ App::abort(401);
+ return NULL;
+ }
+ }
+
 // First we will add each credential element to the query as a where clause.
 // Then we can execute the query and, if we found a user, return it in a
 // Eloquent User "model" that will be utilized by the Guard instances.
@@ -168,18 +183,15 @@ public function retrieveByCredentials(array $credentials)
 $user = $query->count() > 0 ? $query->first() : $this->createModel();
 // Determine if user is an admin
- $googleAdmins = explode("\n", $this->auth->oauthGoogleAdmins);
-
+ $googleAdmins = preg_split("/[\s,]+/", $this->auth->oauthGoogleAdmins, -1, PREG_SPLIT_NO_EMPTY);
 $isAdmin = in_array($result['email'], $googleAdmins);
- // We extract the username from the email address of the user
- $parts = explode('@', $result['email']);
-
 // Insert/Update user info
- $user->username = $parts[0];
+ $user->username = $username;
 $user->password = '';
 $user->salt = '';
 $user->email = $result['email'];
+ $user->dispname = $result['name'];
 $user->type = 'oauth';
 $user->active = 1;
 $user->admin = $isAdmin;
diff --git a/app/views/skins/bootstrap/admin/auth.blade.php b/app/views/skins/bootstrap/admin/auth.blade.php
index b495455e8..249ae2c56 100755
--- a/app/views/skins/bootstrap/admin/auth.blade.php
+++ b/app/views/skins/bootstrap/admin/auth.blade.php
@@ -359,6 +359,26 @@
+
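Review bot: The domain gate added in this hunk derives membership from the domain part of `$result['email']`, which only shows Google verified that address, not that the account belongs to the Google Apps organisation; an ordinary Google account created and verified with an address at a listed domain would pass the same check. If I recall the userinfo payload correctly, Apps accounts carry a hosted-domain field (`hd`), and the gate should require it to be present and listed rather than inspecting the e-mail, e.g. `$hd = isset($result['hd']) ? strtolower($result['hd']) : ''; if (!in_array($hd, array_map('strtolower', $appsDomains), true)) { App::abort(403); }`. The current `in_array($domain, $appsDomains)` is also non-strict and case-sensitive, so an entry such as `Example.com` never matches, and `trim(...) != false` treats a list consisting of `0` as empty, where `!== ''` is meant. Since the user has authenticated with Google and is merely not authorised, 403 describes the rejection better than 401, and the `return NULL;` after `App::abort()` is unreachable. retrieveByCredentials begins before this hunk and continues after it.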
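Review bot: `$user->dispname = $result['name'];` in this hunk reads a field the commit no longer requests: the earlier hunk in this file narrows the scopes to `userinfo_email` only, and as far as I know Google's userinfo endpoint returns `name` only when a profile scope is granted, so this line would raise an undefined-index notice and store null. Guard it with `$user->dispname = isset($result['name']) ? $result['name'] : $username;`, or deliberately add the profile scope back. The admin lookup `in_array($result['email'], $googleAdmins)` is non-strict and case-sensitive, so a mis-cased entry in the admin list silently denies admin; `in_array(strtolower($result['email']), array_map('strtolower', $googleAdmins), true)` avoids that. Note also that `$username` is only the local part of the address, so two users at different permitted domains with the same local part collide on `username`; whether that matters depends on what `$query` selects on, which is outside this hunk. retrieveByCredentials begins before this hunk and continues after it.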
+ {{ + Form::label('oauth_apps_domains', Lang::get('admin.apps_domains'), array( + 'class' => 'control-label col-sm-3 col-lg-2' + )) + }} + +
+ {{ + Form::textarea('oauth_apps_domains', $site->auth->oauthAppsDomains, array( + 'class' => 'form-control', + 'rows' => 3, + )) + }} +
+ {{ Lang::get('admin.apps_domains_exp') }} +
+
+
+
{{ Form::label('oauth_google_admins', Lang::get('admin.admin_emails'), array( diff --git a/app/views/skins/neverland/admin/auth.blade.php b/app/views/skins/neverland/admin/auth.blade.php index 96db9cd79..78429563a 100755 --- a/app/views/skins/neverland/admin/auth.blade.php +++ b/app/views/skins/neverland/admin/auth.blade.php @@ -358,6 +358,26 @@
+
+ {{ + Form::label('oauth_apps_domains', Lang::get('admin.apps_domains'), array( + 'class' => 'control-label col-sm-3 col-lg-2' + )) + }} + +
+ {{ + Form::textarea('oauth_apps_domains', $site->auth->oauthAppsDomains, array( + 'class' => 'form-control', + 'rows' => 3, + )) + }} +
+ {{ Lang::get('admin.apps_domains_exp') }} +
+
+
+
{{ Form::label('oauth_google_admins', Lang::get('admin.admin_emails'), array(