author | Paul W. Frields <stickster@gmail.com> | 2010-07-18 22:04:52 -0400 |
---|---|---|
committer | Paul W. Frields <stickster@gmail.com> | 2010-07-18 22:04:52 -0400 |
commit | 61cfeade2a3c3ccf87556dd400b66adf565e0e69 (patch) | |
tree | e088f0654846f1f4e150c11179ebe8a2f9a59539 | |
parent | 722aa942cbc0d58d88b46bd2d0d8dbeeb53f39ff (diff) | |
Add account validation and rid/group change functions
-rw-r--r-- | authfas.module | 157 |
1 files changed, 157 insertions, 0 deletions
diff --git a/authfas.module b/authfas.module
index 1d774e8..e59698d 100644
--- a/authfas.module
+++ b/authfas.module
@@ -236,6 +236,163 @@ function authfas_user_admin_role_submit($form, &$form_state) {
 } // End insert/update
 }
+/**
+ * Implementation of hook_form_alter().
+ *
+ * Change the normal form login form behaviour.
+ */
+function authfas_form_user_login_alter(&$form, $form_state) {
+ unset($form['links']);
+ $form['#validate'] = array(
+ 'user_login_name_validate',
+ 'authfas_login_validate',
+ 'user_login_final_validate');
+}
+
+function authfas_form_user_login_block_alter(&$form, $form_state) {
+ return authfas_form_user_login_alter($form, $form_state);
+}
+
+function authfas_remap_roles($username, $fasgroups) {
+ /**
+ * This function is called after the user is registered but before
+ * the final session creation happens.
+ */
+ global $user;
+ drupal_set_message('$user->roles: '.serialize($user->roles));
+ foreach ($fasgroups as $fasgroup) {
+ $newfasgroups[] = $fasgroup['name'];
+ }
+ $fasgroups = $newfasgroups;
+ // Retrieve ridmap from the DB and append required FAS group
+ $result = db_query('SELECT rid, fasgroup FROM {authfas_ridmap}');
+ while ($row = db_fetch_array($result)) {
+ $ridmap[] = array('rid' => intval($row['rid']), 'fasgroup' => $row['fasgroup']);
+ }
+ /**
+ * User is already in $authuser_fasgroup. If we decide later to
+ * implement a special external authentication rid, we'll need to
+ * include the standard "authenticated user" rid here in $ridmap.
+ */
+ foreach ($ridmap as $ridmapentry) {
+ // For all the rid<->fasgroup mappings that Drupal knows about...
+ drupal_set_message('Processing rid '.$ridmapentry['rid'].', fasgroup '.$ridmapentry['fasgroup']);
+ if (in_array($ridmapentry['fasgroup'], $fasgroups)) {
+ // If the user's in the fasgroup...
+ drupal_set_message('User '.$username.' is in fasgroup '.$ridmapentry['fasgroup']);
+ if (!in_array($ridmapentry['rid'], array_keys($user->roles))) {
+ // But the rid isn't in the user's Drupal roles...
+ drupal_set_message('Rid '.$ridmapentry['rid'].' is not in roles for '.$username);
+ // ...make it so!
+ db_query("INSERT INTO {users_roles} (uid, rid) VALUES ('%s', '%s')", $user->uid, $ridmapentry['rid']);
+ }
+ } else { // If the user's *NOT* in the fasgroup...
+ drupal_set_message('User '.$username.' is not in fasgroup '.$ridmapentry['fasgroup']);
+ if (in_array($ridmapentry['rid'], array_keys($user->roles))) {
+ // But the rid *IS* in the user's Drupal roles...
+ drupal_set_message('Rid '.$ridmapentry['rid'].' is in roles for '.$username);
+ // ...make it not so!
+ db_query("DELETE FROM {users_roles} WHERE uid=%d AND rid=%d", $user->uid, $ridmapentry['rid']);
+ }
+ }
+ } // End of going through the ridmap
+
+}
+
+/**
+ * Validate login for FAS user
+ */
+function authfas_login_validate($form, &$form_state) {
+ $username = strtolower($form_state['values']['name']);
+ $fasurl = variable_get('authfas_fasurl', '');
+ $authuser_fasgroup = variable_get('authfas_authuser_fasgroup', '');
+
+ if ((!$fasurl) or (!$authuser_fasgroup)) {
+ form_set_error(t('AuthFAS settings are incorrect or invalid. Please visit the <a href="@settings">module settings</a> or consult the administrator of this system for assistance.', array('@settings' => url('admin/settings/authfas'))));
+ return FALSE;
+ }
+ $response = authfas_fas_login($username, $form_state['values']['pass'], 'https://'.$fasurl.'/json/person_by_username?username='.$username.'&tg_format=json', 'Accept: application/json;');
+ if ($response['success']) {
+ $authenticated = FALSE; // Until proven otherwise
+ $fasgroups = $response['person']['approved_memberships'];
+
+ // You'd better be in the authenticated user FAS group!
+ foreach ($fasgroups as $group) {
+ if ($group['name'] == $authuser_fasgroup) {
+ $authenticated = TRUE;
+ }
+ }
+ if (!$authenticated) return FALSE;
+
+ user_external_login_register($username, 'authfas');
+ // Now $user exists, if I'm right...
+ authfas_remap_roles($username, $fasgroups);
+ user_authenticate_finalize($form_state['values']);
+
+ } else {
+ // If not in FAS, try to authenticate normally through Drupal
+ user_login_authenticate_validate($form, &$form_state);
+ }
+}
+
+
+/**
+ * Implementation of hook_user().
+ */
+function authfas_user($op, &$edit, &$account, $category = null) {
+ $fasmaildomain = variable_get('authfas_maildomain', '');
+ switch($op) {
+ case('insert'):
+ /**
+ * Called during the registration process, after new user is
+ * added to {users} but before roles are written to
+ * {users_roles} table
+ */
+ if (empty($account->mail)) {
+ db_query("UPDATE {users} SET mail = '%s' WHERE uid = %d", $account->name.'@'.$fasmaildomain, $account->uid);
+ }
+
+ /**
+ * FIXME: We might want to do something here to add a special
+ * 'FAS authenticated' role to the new FAS user. That might
+ * make other comparisons simpler.
+ */
+ break;
+
+ case('update'): // Called before database record (or $account) is updated
+ /**
+ * Forbidden to change email address if it's based on FAS
+ * username. If you're not admin, and your account has been set
+ * up with a FAS maildomain, your change is reverted.
+ */
+ if (($user->uid != 1) and ($account->mail == $account->name.'@'.$fasmaildomain)) {
+ if (strcmp($account->mail, $edit['mail'])) {
+ unset($edit['mail']);
+ drupal_set_message(t('Sorry, FAS users cannot change their e-mail address.'), 'error');
+ }
+ // Also forbidden to change passwords in the Drupal instance
+ if ($edit['pass'] != '') {
+ unset($edit['pass']);
+ drupal_set_message(t('Please use FAS to change your password.'), 'error');
+ }
+ }
+ break;
+ }
+}
+
+/*
+ * Helper functions that you will need to implement
+ */
+function externalUserExists($username)
+{
+ return true;
+}
+
+function externalUserValidPassword($username, $password)
+{
+ return true;
+}
+
 // Local variables:
 // mode:php
 // tab-width:2 |
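Review bot: In `authfas_login_validate` the submitted login name is concatenated unencoded into the FAS request URL (`'...person_by_username?username='.$username.'&tg_format=json'`), so a name containing URL metacharacters changes the query FAS answers, and the `approved_memberships` in that answer then drive both the login decision and the role inserts/deletes in `authfas_remap_roles`; assuming `authfas_fas_login` (not in this hunk) requests the URL as given, build it with `'?username='.rawurlencode($username).'&tg_format=json'`. The `drupal_set_message()` calls in `authfas_remap_roles` read like debugging output and show the serialized role list and every rid/fasgroup mapping to whoever is logging in, so they should be removed or moved to `watchdog()`. `externalUserExists()` and `externalUserValidPassword()` return `true` unconditionally; no caller is visible here, but they should be dropped or made to `return false;` until implemented so nothing can accept a login through them. In the `'update'` case of `authfas_user`, `$user` is read without a `global $user;` declaration, so `$user->uid != 1` is always true and the uid-1 exemption described in the comment never applies.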