function hook_cas_user_alter in CAS 7

Same name and namespace in other branches
  1. 6.3 cas.api.php \hook_cas_user_alter()

Modify CAS user properties before the user is logged in.

Allows modules to alter the CAS username and account creation permissions after the CAS username is returned from phpCAS::getUser().

Modules implementing this hook may wish to alter 'name' if the CAS server returns user names which contain excess information or are not directly machine readable. This name is used to look up existing local Drupal CAS accounts via the {cas_user} mapping table. If the user does not exist locally, and automatic registration is enabled, this name will also be used as the name of the local Drupal user account that is created.

The 'login' parameter controls whether the user is able to log in. By default this will be set to TRUE, but modules may set this flag to FALSE to deny the user login access. For example, one might want to only allow login access to members of a certain LDAP group. This verification is in addition to the standard feature which lets you block users.

The 'register' parameter controls whether an account should be created if the user does not already have a Drupal account. Defaults to the value of "Should Drupal user accounts be automatically created?" in the CAS module settings. This setting is ignored if 'login' is set to FALSE.

If multiple modules implement this hook, the values set by the last module to execute this hook will be used. Therefore, it is good practice to only set the 'login' and 'register' flags to FALSE, rather than assigning them the output of a function. This prevents accidentally allowing a user to log in when another module had already denied access.
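
The ordering problem described above, as an added example (not code from the CAS module): two hypothetical modules implement the hook, and a small stand-in dispatcher, example_run_alter(), calls them in order on the same array. The module names, group data and helper functions are all constructed for illustration.

```php
<?php
// Constructed stand-in for the modules' membership lookups (hypothetical).
function example_in_group($name, $group) {
  $groups = array('admins' => array('alice'), 'staff' => array('alice', 'bob'));
  return in_array($name, $groups[$group], TRUE);
}

// Module A: only ever lowers the flag.
function module_a_cas_user_alter(&$cas_user) {
  if (!example_in_group($cas_user['name'], 'admins')) {
    $cas_user['login'] = FALSE;
  }
}

// Module B, unsafe: assigns a function's output, so a TRUE result
// overwrites a denial made by a module that ran earlier.
function module_b_unsafe_cas_user_alter(&$cas_user) {
  $cas_user['login'] = example_in_group($cas_user['name'], 'staff');
}

// Module B, safe: same check, but it can only deny.
function module_b_safe_cas_user_alter(&$cas_user) {
  if (!example_in_group($cas_user['name'], 'staff')) {
    $cas_user['login'] = FALSE;
  }
}

// Minimal stand-in for the alter dispatch: run each implementation in
// order on the same $cas_user array and return the final 'login' flag.
function example_run_alter(array $implementations, $name) {
  $cas_user = array('name' => $name, 'login' => TRUE, 'register' => TRUE, 'attributes' => array());
  foreach ($implementations as $function) {
    $function($cas_user);
  }
  return $cas_user['login'];
}

// 'bob' is staff but not an admin, so module A denies him in both runs.
// Compare the final flag when module B runs after it in each form.
var_dump(example_run_alter(array('module_a_cas_user_alter', 'module_b_unsafe_cas_user_alter'), 'bob'));
var_dump(example_run_alter(array('module_a_cas_user_alter', 'module_b_safe_cas_user_alter'), 'bob'));
```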

Parameters

$cas_user: An associative array, with the following keys:

  • 'name': The CAS machine-readable user name.
  • 'login': If TRUE, the user will be allowed to log in to an existing Drupal account.
  • 'register': If TRUE, the user will be allowed to register a Drupal account if one does not already exist. If 'login' is FALSE, this setting will be ignored.
  • 'attributes': If phpCAS is new enough to support getAttributes and the CAS server supports SAML attributes, this consists of an associative array of attribute names and values; otherwise it is an empty array.

2 invocations of hook_cas_user_alter()

  • cas_login_check in ./cas.module: Checks to see if the user needs to be logged in.
  • cas_user_load_by_name in ./cas.module: Fetch a user object by CAS name.

File

./cas.api.php, line 50
Documentation for CAS API.

Code

function hook_cas_user_alter(&$cas_user) {

  // Alter the CAS username. The CAS server returned a compound name like
  //   it:johndoe:10.10.1.2:200805064255
  // and so we extract the actual user name of 'johndoe'.
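  $parts = explode(':', $cas_user['name'], 3);
  if (isset($parts[1]) && $parts[1] !== '') {
    $cas_user['name'] = $parts[1];
  }
  else {
    // Not in the expected compound format: deny login instead of mapping
    // the user to an empty name.
    $cas_user['login'] = FALSE;
  }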

  // Allow logins only for users in a certain LDAP group.
  if (!_ldap_is_member_group($cas_user['name'], 'admins')) {
    $cas_user['login'] = FALSE;
  }

  // Allow registrations only for a certain class of users.
  if (!_ldap_user_has_home_directory($cas_user['name'])) {
    $cas_user['register'] = FALSE;
  }
}