From 9c2ea5b8ff6f55f32def772b1e62ff4d710f9863 Mon Sep 17 00:00:00 2001
From: theitaliandeveloper
Date: Fri, 14 Nov 2025 11:44:52 +0100
Subject: [PATCH] Login Keycloak solo per utenti autorizzati
---
 docker/php/config.php | 3 +++
 htdocs/admin/login.php | 39 +++++++++++++++++++++++++++++++++++----
 htdocs/config/config.php | 3 +++
 3 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/docker/php/config.php b/docker/php/config.php
index 059d377..47ce5ae 100644
--- a/docker/php/config.php
+++ b/docker/php/config.php
@@ -43,5 +43,8 @@ if (AUTH_TYPE === 'keycloak') {
 if (!defined('KEYCLOAK_CLIENT_SECRET')) {
 define('KEYCLOAK_CLIENT_SECRET',''); // Client Secret per Keycloak (ad esempio abcdefghijklm)
 }
+ if (!defined('KEYCLOAK_ALLOWED_USERS')) {
+ define('KEYCLOAK_ALLOWED_USERS',[]); // Contiene i nomi utente degli utenti autorizzati ad accedere all'amministrazione
+ }
 }
 ?>
\ No newline at end of file
diff --git a/htdocs/admin/login.php b/htdocs/admin/login.php
index 551d8ea..d4beef3 100644
--- a/htdocs/admin/login.php
+++ b/htdocs/admin/login.php
@@ -72,10 +72,41 @@ else if (AUTH_TYPE === 'keycloak') {
 $oidc->setRedirectURL('https://' . APP_DOMAIN . '/admin/login.php');
 $oidc->authenticate();
 $userinfo = $oidc->getVerifiedClaims();
- $_SESSION['admin'] = $userinfo->preferred_username;
- $_SESSION['auth_type'] = 'keycloak';
- header("Location: index.php");
- exit;
+ if (in_array($userinfo->preferred_username, KEYCLOAK_ALLOWED_USERS, true) || empty(KEYCLOAK_ALLOWED_USERS)) {
+ $_SESSION['admin'] = $userinfo->preferred_username;
+ $_SESSION['auth_type'] = 'keycloak';
+ header("Location: index.php");
+ exit;
+ } else {
+ http_response_code(403);
+ echo << + + + Login Admin + + + + + + + + +
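Review bot: The default `define('KEYCLOAK_ALLOWED_USERS',[]);` in docker/php/config.php fails open once it meets the `|| empty(KEYCLOAK_ALLOWED_USERS)` term in the htdocs/admin/login.php hunk: a deployment that never sets the constant admits every account able to authenticate against the Keycloak realm. That keeps the pre-patch behaviour, but the comment only says the array holds the authorised usernames, so an operator cannot tell that an empty list means "allow all". The safer shape is to deny when the list is empty and drop the `|| empty(...)` term in login.php. If allow-all must remain for compatibility, say so on the define, e.g. `// An empty list admits every authenticated Keycloak user`. htdocs/config/config.php appears in the diffstat with the same three additions and presumably carries the same default, but its hunk is not visible on this page.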
+

Login Admin

+
Non sei autorizzato ad accedere a questa parte del sito.
+
+

Copyright (C) 2025 EmmeV. - Released under GNU AGPL 3.0 License.

+ + +HTML; + exit; + } } catch (Exception $e) { http_response_code(500); echo << \ No newline at end of file
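Review bot: The allow-list check in htdocs/admin/login.php authorises on `$userinfo->preferred_username`, which OpenID Connect defines as a display-oriented claim that a relying party must not treat as unique or stable. If the realm lets users edit their username or self-register, the match can be satisfied by an account the operator never meant to admit. Prefer matching the immutable subject, `in_array($userinfo->sub ?? null, KEYCLOAK_ALLOWED_USERS, true)`, or a realm role or group claim managed in Keycloak. The granted branch also sets `$_SESSION['admin']` with no `session_regenerate_id(true)` visible in the hunk; if it is not called earlier in the file, add it before the assignment. The enclosing `else if (AUTH_TYPE === 'keycloak')` branch and its try block start above the hunk, and the catch block continues past it.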