function cas_login_check in CAS 5
Implementation of hook_init(). Traps a page load to see if CAS authentication is required and, if so, forces the user through the CAS server before the page is rendered.
1 call to cas_login_check()
- cas_menu in ./
cas.module - Implements hook_menu.
File
- ./
cas.module, line 66
Code
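/**
 * Implementation of hook_init(): force a CAS login when the page requires it.
 *
 * Called from cas_menu(). Does nothing when a Drupal user is already logged
 * in. Otherwise, when _cas_force_login() says this page needs authentication,
 * the visitor is sent through the CAS server (phpCAS), the CAS username that
 * comes back is transformed/filtered by other modules, mapped to a Drupal
 * account (auto-registered when 'cas_user_register' allows it), and the
 * global $user is switched to that account.
 *
 * Security notes for maintainers:
 * - The CAS username is trusted only as far as the CAS server and every
 *   hook_auth_transform() implementation are trusted. It is still rendered
 *   in status messages, so it always goes through t() placeholders (which
 *   escape it) instead of being interpolated raw into markup.
 * - 'cas_cert_verify' defaults to CAS_NO_VERIFY: the CAS server's TLS
 *   certificate is NOT validated unless the site has configured CAS_VERIFY
 *   or CAS_CA_VERIFY. Without validation a man-in-the-middle can impersonate
 *   the CAS server and log in as anyone; production sites must configure it.
 * - 'cas_hijack_user' binds an unmapped CAS identity to an existing local
 *   account of the same name. Only enable it when CAS usernames are
 *   guaranteed to correspond to the intended local accounts.
 * - An existing account is refused by its Drupal status after it is loaded,
 *   not only by user_is_blocked($cas_name): in authmap mode the Drupal
 *   account name may differ from the CAS name, so the name-based check alone
 *   would let a blocked account through.
 * - Every CAS-backed account gets a fresh random Drupal password on each
 *   login, so the local password cannot be used to bypass CAS.
 *
 * Side effects: may redirect (phpCAS, drupal_goto()), writes status messages,
 * watchdog entries and $_SESSION['cas_first_login'], and (re)assigns the
 * global $user.
 */
function cas_login_check() {
  // $account is not used here; kept because it was declared by the original.
  global $user, $account;

  if ($user->uid) {
    // Already authenticated in Drupal; nothing to do.
    return;
  }
  if (!_cas_force_login()) {
    // This page does not require CAS authentication.
    return;
  }

  $cas_user_register = variable_get('cas_user_register', 1);
  $cas_authmap = variable_get('cas_authmap', 0);

  // Roles granted on every CAS login. The setting is keyed by rid (as saved
  // from a checkboxes form). Note the default array(DRUPAL_AUTHENTICATED_RID)
  // is keyed 0 => 2 and so matches no role; that is harmless because the
  // authenticated role is implicit.
  $auto_roles = variable_get('cas_auto_assigned_role', array(DRUPAL_AUTHENTICATED_RID));
  $cas_roles = array();
  foreach (user_roles() as $rid => $role_name) {
    if (array_key_exists($rid, $auto_roles)) {
      $cas_roles[$rid] = $rid;
    }
  }

  // phpCAS::setDebug();
  $server_version = (string) variable_get('cas_version', '2.0');
  $server_cas_server = (string) variable_get('cas_server', '');
  $server_port = (int) variable_get('cas_port', '443');
  $server_uri = (string) variable_get('cas_uri', '');
  $cas_domain = (string) variable_get('cas_domain', '');
  $cas_cert_verify = (string) variable_get('cas_cert_verify', CAS_NO_VERIFY);
  $cas_cert = (string) variable_get('cas_cert', '');

  // Remember the requested page so cas_login_page() can send the user back.
  cas_save_page();
  // Drupal manages its own session, so phpCAS must not start one (FALSE).
  phpCAS::client($server_version, $server_cas_server, $server_port, $server_uri, FALSE);

  // Server certificate validation only exists in phpCAS 0.6 or later, so
  // probe for it. The class name must be a quoted string: a bare phpCAS
  // here is an undefined constant (a notice on old PHP, fatal on PHP 8).
  // On older phpCAS none of the settings below is applied at all.
  if (is_callable(array('phpCAS', 'setNoCasServerValidation'))) {
    switch ($cas_cert_verify) {
      case CAS_NO_VERIFY:
        // INSECURE (but the historical default): the CAS server's TLS
        // certificate is not checked. Configure CAS_VERIFY/CAS_CA_VERIFY.
        phpCAS::setNoCasServerValidation();
        break;
      case CAS_VERIFY:
        phpCAS::setCasServerCert($cas_cert);
        break;
      case CAS_CA_VERIFY:
        phpCAS::setCasServerCACert($cas_cert);
        break;
    }
  }

  // Force CAS authentication. Newer phpCAS releases expose
  // authenticateIfNeeded(); older ones only have forceAuthentication().
  if (is_callable(array('phpCAS', 'authenticateIfNeeded'))) {
    phpCAS::authenticateIfNeeded();
  }
  else {
    phpCAS::forceAuthentication();
  }
  $cas_name = phpCAS::getUser();

  // hook_auth_transform($op, &$username): let other modules rewrite the
  // login name (e.g. strip "it:johndoe:10.10.1.2:200805064255" down to
  // "johndoe", or append "@cas"). This must happen before the blocked /
  // denied checks so those see the final Drupal name.
  cas_invoke_auth_transform($cas_name);

  // hook_auth_filter($op, &$username): let other modules reject some CAS
  // logins (e.g. only people with an LDAP home directory).
  if (cas_invoke_auth_filter($cas_name) === FALSE) {
    drupal_set_message(t('The user account %name is not available on this site.', array('%name' => $cas_name)), 'error');
    return;
  }
  if (user_is_blocked($cas_name)) {
    // Blocked in user administration (by Drupal account name).
    drupal_set_message(t('The username %name has been blocked.', array('%name' => $cas_name)), 'error');
    return;
  }
  if (drupal_is_denied('user', $cas_name)) {
    // Denied by access rules.
    drupal_set_message(t('The name %name is a reserved username.', array('%name' => $cas_name)), 'error');
    return;
  }

  // Map the CAS name to a Drupal account.
  if ($cas_authmap) {
    // Users were created in Drupal; match on the account name directly.
    $user = user_load(array('name' => $cas_name));
  }
  else {
    // Users are external; the authmap table links CAS names to accounts.
    $user = user_external_load($cas_name);
    if (empty($user->uid) && variable_get('cas_hijack_user', 0)) {
      // Take over an existing local account with the same name and record
      // the CAS mapping for it. See the security note in the docblock.
      $user = user_load(array('name' => $cas_name));
      if (!empty($user->uid)) {
        user_set_authmaps($user, array('authname_cas' => $cas_name));
      }
    }
  }

  // Refuse blocked accounts by their Drupal status, whatever name they were
  // found under. user_is_blocked() above only looked up $cas_name, which in
  // authmap mode need not equal the account's Drupal name. The global $user
  // already points at the loaded account, so it must be reset before
  // returning or the session would be saved for that account.
  if (!empty($user->uid) && empty($user->status)) {
    drupal_set_message(t('The username %name has been blocked.', array('%name' => $cas_name)), 'error');
    $user = drupal_anonymous_user();
    return;
  }

  // No account yet: register one if the site allows it.
  if (empty($user->uid) && $cas_user_register == 1) {
    $user_default = array(
      'name' => $cas_name,
      'pass' => user_password(),
      // Kept from the original. user_save() parameterises its own query, so
      // this may double-escape; confirm before removing.
      'init' => db_escape_string($cas_name),
      'status' => 1,
      'roles' => $cas_roles,
    );
    if (!$cas_authmap) {
      $user_default['authname_cas'] = $cas_name;
    }
    if ($cas_domain) {
      $user_default['mail'] = $cas_name . '@' . $cas_domain;
    }

    // Temporarily become user 1 so user_save() may write profile data.
    // While this holds, the global $user IS uid 1; anything that ends the
    // request in between (a drupal_goto()/exit in a hook_user 'insert')
    // would save the session as uid 1. Keep this window minimal.
    $user = user_load(array('uid' => 1));
    // Save the new account and become it.
    $user = user_save('', $user_default);

    if (empty($user->uid)) {
      // Registration failed: never stay running as uid 1.
      $user = drupal_anonymous_user();
    }
    else {
      watchdog('user', t('new user: %n (CAS)', array('%n' => $user->name)), WATCHDOG_NOTICE, l(t('edit user'), 'admin/user/edit/' . $user->uid));
      if ($user->uid > 0 && $cas_authmap) {
        // Drupal-managed accounts go straight to their edit page.
        module_invoke_all('user', 'login', NULL, $user);
        unset($_SESSION['cas_goto']);
        watchdog('user', t('Session opened for %name.', array('%name' => $user->name)));
        drupal_goto('user/' . $user->uid . '/edit');
      }
      // Mark this as the account's first CAS login.
      $_SESSION['cas_first_login'] = TRUE;
    }
  }

  // Final check that we ended up with a real account.
  if (!empty($user->uid) && $user->uid > 0) {
    // LDAPAuth interfacing: optionally sync group memberships from LDAP.
    if (variable_get('cas_useldap_groups', '')) {
      if ($ldap_config_name = _get_ldap_config_name($user->name)) {
        _ldapauth_init($ldap_config_name);
        include_once 'modules/ldap_integration/ldapgroups.module';
        $user->ldap_authentified = TRUE;
        ldapgroups_user_login($user);
      }
    }

    // Grant the auto-assigned roles and reset the local password so it can
    // never be used to log in without CAS.
    $roles = $user->roles;
    foreach ($cas_roles as $rid) {
      $roles[$rid] = $rid;
    }
    $user = user_save($user, array(
      'pass' => user_password(),
      'roles' => $roles,
    ));
    module_invoke_all('user', 'login', NULL, $user);
    drupal_set_message(t(variable_get('cas_login_message', 'Logged in via CAS as %cas_username.'), array('%cas_username' => $user->name)));
    watchdog('user', t('Session opened for %name.', array('%name' => $user->name)));
    // The menu cannot be relied on here because the login state just changed.
    cas_login_page();
  }
  else {
    // No usable account: drop any session state and stay anonymous.
    session_destroy();
    $user = drupal_anonymous_user();
  }
}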