authorPaul W. Frields <stickster@gmail.com>2010-07-18 22:04:52 -0400
committerPaul W. Frields <stickster@gmail.com>2010-07-18 22:04:52 -0400
commit61cfeade2a3c3ccf87556dd400b66adf565e0e69 (patch)
treee088f0654846f1f4e150c11179ebe8a2f9a59539
parent722aa942cbc0d58d88b46bd2d0d8dbeeb53f39ff (diff)
downloaddrupal-authfas-6x-61cfeade2a3c3ccf87556dd400b66adf565e0e69.tar.gz
drupal-authfas-6x-61cfeade2a3c3ccf87556dd400b66adf565e0e69.tar.xz
drupal-authfas-6x-61cfeade2a3c3ccf87556dd400b66adf565e0e69.zip
Add account validation and rid/group change functions
-rw-r--r--authfas.module157
1 files changed, 157 insertions, 0 deletions
diff --git a/authfas.module b/authfas.module
index 1d774e8..e59698d 100644
--- a/authfas.module
+++ b/authfas.module
@@ -236,6 +236,163 @@ function authfas_user_admin_role_submit($form, &$form_state) {
} // End insert/update
}
+/**
+ * Implementation of hook_form_alter().
+ *
+ * Change the normal form login form behaviour.
+ */
+function authfas_form_user_login_alter(&$form, $form_state) {
+ unset($form['links']);
+ $form['#validate'] = array(
+ 'user_login_name_validate',
+ 'authfas_login_validate',
+ 'user_login_final_validate');
+}
+
+function authfas_form_user_login_block_alter(&$form, $form_state) {
+ return authfas_form_user_login_alter($form, $form_state);
+}
+
+function authfas_remap_roles($username, $fasgroups) {
+ /**
+ * This function is called after the user is registered but before
+ * the final session creation happens.
+ */
+ global $user;
+ drupal_set_message('$user->roles: '.serialize($user->roles));
+ foreach ($fasgroups as $fasgroup) {
+ $newfasgroups[] = $fasgroup['name'];
+ }
+ $fasgroups = $newfasgroups;
+ // Retrieve ridmap from the DB and append required FAS group
+ $result = db_query('SELECT rid, fasgroup FROM {authfas_ridmap}');
+ while ($row = db_fetch_array($result)) {
+ $ridmap[] = array('rid' => intval($row['rid']), 'fasgroup' => $row['fasgroup']);
+ }
+ /**
+ * User is already in $authuser_fasgroup. If we decide later to
+ * implement a special external authentication rid, we'll need to
+ * include the standard "authenticated user" rid here in $ridmap.
+ */
+ foreach ($ridmap as $ridmapentry) {
+ // For all the rid<->fasgroup mappings that Drupal knows about...
+ drupal_set_message('Processing rid '.$ridmapentry['rid'].', fasgroup '.$ridmapentry['fasgroup']);
+ if (in_array($ridmapentry['fasgroup'], $fasgroups)) {
+ // If the user's in the fasgroup...
+ drupal_set_message('User '.$username.' is in fasgroup '.$ridmapentry['fasgroup']);
+ if (!in_array($ridmapentry['rid'], array_keys($user->roles))) {
+ // But the rid isn't in the user's Drupal roles...
+ drupal_set_message('Rid '.$ridmapentry['rid'].' is not in roles for '.$username);
+ // ...make it so!
+ db_query("INSERT INTO {users_roles} (uid, rid) VALUES ('%s', '%s')", $user->uid, $ridmapentry['rid']);
+ }
+ } else { // If the user's *NOT* in the fasgroup...
+ drupal_set_message('User '.$username.' is not in fasgroup '.$ridmapentry['fasgroup']);
+ if (in_array($ridmapentry['rid'], array_keys($user->roles))) {
+ // But the rid *IS* in the user's Drupal roles...
+ drupal_set_message('Rid '.$ridmapentry['rid'].' is in roles for '.$username);
+ // ...make it not so!
+ db_query("DELETE FROM {users_roles} WHERE uid=%d AND rid=%d", $user->uid, $ridmapentry['rid']);
+ }
+ }
+ } // End of going through the ridmap
+
+}
+
+/**
+ * Validate login for FAS user
+ */
+function authfas_login_validate($form, &$form_state) {
+ $username = strtolower($form_state['values']['name']);
+ $fasurl = variable_get('authfas_fasurl', '');
+ $authuser_fasgroup = variable_get('authfas_authuser_fasgroup', '');
+
+ if ((!$fasurl) or (!$authuser_fasgroup)) {
+ form_set_error(t('AuthFAS settings are incorrect or invalid. Please visit the <a href="@settings">module settings</a> or consult the administrator of this system for assistance.', array('@settings' => url('admin/settings/authfas'))));
+ return FALSE;
+ }
+ $response = authfas_fas_login($username, $form_state['values']['pass'], 'https://'.$fasurl.'/json/person_by_username?username='.$username.'&tg_format=json', 'Accept: application/json;');
+ if ($response['success']) {
+ $authenticated = FALSE; // Until proven otherwise
+ $fasgroups = $response['person']['approved_memberships'];
+
+ // You'd better be in the authenticated user FAS group!
+ foreach ($fasgroups as $group) {
+ if ($group['name'] == $authuser_fasgroup) {
+ $authenticated = TRUE;
+ }
+ }
+ if (!$authenticated) return FALSE;
+
+ user_external_login_register($username, 'authfas');
+ // Now $user exists, if I'm right...
+ authfas_remap_roles($username, $fasgroups);
+ user_authenticate_finalize($form_state['values']);
+
+ } else {
+ // If not in FAS, try to authenticate normally through Drupal
+ user_login_authenticate_validate($form, &$form_state);
+ }
+}
+
+
+/**
+ * Implementation of hook_user().
+ */
+function authfas_user($op, &$edit, &$account, $category = null) {
+ $fasmaildomain = variable_get('authfas_maildomain', '');
+ switch($op) {
+ case('insert'):
+ /**
+ * Called during the registration process, after new user is
+ * added to {users} but before roles are written to
+ * {users_roles} table
+ */
+ if (empty($account->mail)) {
+ db_query("UPDATE {users} SET mail = '%s' WHERE uid = %d", $account->name.'@'.$fasmaildomain, $account->uid);
+ }
+
+ /**
+ * FIXME: We might want to do something here to add a special
+ * 'FAS authenticated' role to the new FAS user. That might
+ * make other comparisons simpler.
+ */
+ break;
+
+ case('update'): // Called before database record (or $account) is updated
+ /**
+ * Forbidden to change email address if it's based on FAS
+ * username. If you're not admin, and your account has been set
+ * up with a FAS maildomain, your change is reverted.
+ */
+ if (($user->uid != 1) and ($account->mail == $account->name.'@'.$fasmaildomain)) {
+ if (strcmp($account->mail, $edit['mail'])) {
+ unset($edit['mail']);
+ drupal_set_message(t('Sorry, FAS users cannot change their e-mail address.'), 'error');
+ }
+ // Also forbidden to change passwords in the Drupal instance
+ if ($edit['pass'] != '') {
+ unset($edit['pass']);
+ drupal_set_message(t('Please use FAS to change your password.'), 'error');
+ }
+ }
+ break;
+ }
+}
+
+/*
+ * Helper functions that you will need to implement
+ */
+function externalUserExists($username)
+{
+ return true;
+}
+
+function externalUserValidPassword($username, $password)
+{
+ return true;
+}
+
// Local variables:
// mode:php
// tab-width:2
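Review bot: In `authfas_login_validate` the submitted name is concatenated into the FAS query string unencoded (`'/json/person_by_username?username='.$username.'&tg_format=json'`), so a name containing `&`, `#` or `%` changes the request FAS receives; build it with `urlencode($username)` instead. In `authfas_user` the `update` case reads `$user->uid` with no `global $user;` in the function, so `$user` is undefined there and the `uid != 1` exemption never takes effect as written; add `global $user;` at the top of the function. The `drupal_set_message()` calls in `authfas_remap_roles` show the serialized roles and every rid/fasgroup mapping to the person logging in, which looks like leftover debugging output and would be better sent to `watchdog()` or removed. `externalUserExists()` and `externalUserValidPassword()` return `true` unconditionally; nothing visible in this hunk calls them, but they should fail closed (`return false;`) or be dropped so they cannot be wired into a login path by mistake.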