From a7ef41920a6933bf27df1ea72bf97bad5d9c0507 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 7 Feb 2017 19:48:36 +0100
Subject: [PATCH] (captive portal) add group enforcement, closes
 https://github.com/opnsense/core/issues/1377

---
 .../OPNsense/CaptivePortal/Api/AccessController.php         | 5 +++++
 .../controllers/OPNsense/CaptivePortal/forms/dialogZone.xml | 6 ++++++
 .../mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml | 3 +++
 3 files changed, 14 insertions(+)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
index 1bb1553c3..f3eae1474 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
@@ -148,6 +148,11 @@ class AccessController extends ApiControllerBase
                                 $this->request->getPost("password", "string")
                             );
 
+                            // check group when group enforcement is set
+                            if ($isAuthenticated && (string)$cpZone->authEnforceGroup != "") {
+                                $isAuthenticated = $authServer->groupAllowed($userName, $cpZone->authEnforceGroup);
+                            }
+
                             if ($isAuthenticated) {
                                 // stop trying, when authenticated
                                 break;
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml
index 684466f58..fe1829f4a 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml
@@ -26,6 +26,12 @@
         <style>tokenize</style>
         <help><![CDATA[Select authentication methods to use, leave empty for no authentication needed.]]></help>
     </field>
+    <field>
+        <id>zone.authEnforceGroup</id>
+        <label>Enforce local group</label>
+        <type>dropdown</type>
+        <help><![CDATA[Restrict access to users in the selected (local)group.]]></help>
+    </field>
     <field>
         <id>zone.idletimeout</id>
         <label>Idle timeout (minutes)</label>
diff --git a/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml b/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml
index 595117cdb..ae400c21a 100644
--- a/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml
@@ -31,6 +31,9 @@
                     <multiple>Y</multiple>
                     <default>Local Database</default>
                 </authservers>
+                <authEnforceGroup type="AuthGroupField">
+                    <Required>N</Required>
+                </authEnforceGroup>
                 <idletimeout type="IntegerField">
                     <Required>Y</Required>
                     <Default>0</Default>