Checks whether the user needs to be logged in.
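/**
 * Page callback: logs the visitor in through CAS when the request calls for it.
 *
 * Called from cas_menu(). Does nothing when a Drupal user is already logged
 * in, or when neither a forced login nor a passive "is there already a CAS
 * session?" check is requested. Otherwise it configures the phpCAS client from
 * the module's variables, authenticates against the CAS server, lets other
 * modules rewrite (hook_auth_transform) and veto (hook_auth_filter) the login
 * name, resolves or registers the matching Drupal account, and hands off to
 * cas_login_page().
 *
 * The function works only through side effects: the global $user is replaced,
 * messages are queued with drupal_set_message(), watchdog entries are written,
 * and several paths redirect and never return. It has no return value.
 */
function cas_login_check() {
  global $user, $account;

  if ($user->uid) {
    // Already authenticated as a Drupal user; nothing to do.
    return;
  }

  // Decide whether to talk to the CAS server at all on this request.
  $cas_check_first = _cas_allow_check_for_login();
  $cas_force_login = _cas_force_login();
  if (!$cas_force_login && !$cas_check_first) {
    return;
  }

  // Module settings.
  $cas_user_register = variable_get('cas_user_register', 1);
  $cas_authmap = variable_get('cas_authmap', 0);
  $server_version = (string) variable_get('cas_version', '2.0');
  $server_cas_server = (string) variable_get('cas_server', 'sso-cas.univ-rennes1.fr');
  $server_port = (int) variable_get('cas_port', '443');
  $server_uri = (string) variable_get('cas_uri', '');
  $cas_domain = (string) variable_get('cas_domain', '');
  // Defaults to CAS_NO_VERIFY, i.e. no TLS validation of the CAS server;
  // production sites should set CAS_VERIFY or CAS_CA_VERIFY plus cas_cert.
  $cas_cert_verify = (string) variable_get('cas_cert_verify', CAS_NO_VERIFY);
  $cas_cert = (string) variable_get('cas_cert', '');

  // Roles granted to every CAS user: the configured role ids that exist.
  // The setting is read once rather than once per role.
  $auto_assigned = variable_get('cas_auto_assigned_role', array(DRUPAL_AUTHENTICATED_RID));
  $cas_roles = array();
  foreach (array_keys(user_roles()) as $rid) {
    if (array_key_exists($rid, $auto_assigned)) {
      $cas_roles[$rid] = $rid;
    }
  }

  $debug_file = variable_get('cas_debugfile', '');
  if ($debug_file != '') {
    phpCAS::setDebug($debug_file);
  }

  // Drupal manages its own session; phpCAS must not start one.
  $start_session = FALSE;

  cas_save_page();

  // Kept for CAS 3 logoutRequests (single sign-out). The ticket is only
  // present on the request that comes back from the CAS server.
  $cas_service_ticket = isset($_GET['ticket']) ? $_GET['ticket'] : NULL;

  if (variable_get('cas_proxy', 0)) {
    phpCAS::proxy($server_version, $server_cas_server, $server_port, $server_uri, $start_session);
    $pgt_storage_path = variable_get('cas_pgtpath', '');
    if ($pgt_storage_path != '') {
      $pgt_format = variable_get('cas_pgtformat', 'plain');
      phpCAS::setPGTStorageFile($pgt_format, $pgt_storage_path);
    }
  }
  else {
    phpCAS::client($server_version, $server_cas_server, $server_port, $server_uri, $start_session);
  }

  // Server certificate handling. The setters exist only in phpCAS 0.6 and
  // later, so probe before calling. The class name is passed as a string:
  // the previous bare phpCAS token was an undefined constant.
  if (is_callable(array('phpCAS', 'setNoCasServerValidation'))) {
    switch ($cas_cert_verify) {
      case CAS_NO_VERIFY:
        phpCAS::setNoCasServerValidation();
        break;

      case CAS_VERIFY:
        phpCAS::setCasServerCert($cas_cert);
        break;

      case CAS_CA_VERIFY:
        phpCAS::setCasServerCACert($cas_cert);
        break;
    }
  }

  if (!$cas_force_login) {
    // Passive check: succeeds only if the browser already has a CAS session.
    $logged_in = phpCAS::checkAuthentication();
    // Record that the passive check has run for this browser.
    setcookie('cas_login_checked', 'true');
    if (!$logged_in) {
      return;
    }
  }
  else {
    // Newer phpCAS releases provide authenticateIfNeeded(); older ones only
    // forceAuthentication(). Either redirects to the CAS server when needed.
    if (is_callable(array('phpCAS', 'authenticateIfNeeded'))) {
      phpCAS::authenticateIfNeeded();
    }
    else {
      phpCAS::forceAuthentication();
    }
  }

  $cas_name = phpCAS::getUser();

  // hook_auth_transform($op, &$username): other modules may rewrite the login
  // name, e.g. reduce "it:johndoe:10.10.1.2:200805064255" to "johndoe" or
  // append "@cas". Must run before the blocked-user checks below.
  cas_invoke_auth_transform($cas_name);

  // hook_auth_filter($op, &$username): other modules may reject a CAS login,
  // e.g. to admit only some people or only those with an LDAP home directory.
  // The messages below pass the name through a t() placeholder so that a
  // name containing markup is escaped before it reaches the page.
  if (cas_invoke_auth_filter($cas_name) === FALSE) {
    drupal_set_message(t('The user account %name is not available on this site.', array('%name' => $cas_name)), 'error');
    return;
  }

  // Blocked in the Drupal user administration.
  if ($cas_authmap && user_is_blocked($cas_name)) {
    drupal_set_message(t('The username %name has been blocked.', array('%name' => $cas_name)), 'error');
    return;
  }
  // External accounts are checked through the authmap, because users can
  // rename their Drupal account.
  if (!$cas_authmap && _cas_external_user_is_blocked($cas_name)) {
    drupal_set_message(t('The username %name has been blocked.', array('%name' => $cas_name)), 'error');
    return;
  }
  // Denied by Drupal's access controls.
  if (drupal_is_denied('user', $cas_name)) {
    drupal_set_message(t('The name %name is a reserved username.', array('%name' => $cas_name)), 'error');
    return;
  }

  // Resolve the Drupal account.
  if ($cas_authmap) {
    // Accounts are native Drupal users: match on name, no authmap involved.
    $user = user_load(array('name' => $cas_name));
  }
  else {
    // Accounts are external: resolve through the authmap table.
    $user = user_external_load($cas_name);
    if (!$user->uid && variable_get('cas_hijack_user', 0)) {
      // Take over a local account of the same name and bind it to CAS.
      $user = user_load(array('name' => $cas_name));
      if ($user->uid) {
        user_set_authmaps($user, array('authname_cas' => $cas_name));
      }
    }
  }

  // No account yet: register one if the module is configured to.
  if (!$user->uid) {
    if ($cas_user_register == 1) {
      $user_default = array(
        'name' => $cas_name,
        'pass' => user_password(),
        // NOTE(review): user_save() escapes its values itself, so this extra
        // db_escape_string() may double-escape names containing quotes;
        // confirm against user_save() before changing it.
        'init' => db_escape_string($cas_name),
        'status' => 1,
        'roles' => $cas_roles,
      );
      if (!$cas_authmap) {
        $user_default['authname_cas'] = $cas_name;
      }
      if ($cas_domain) {
        $user_default['mail'] = $cas_name . '@' . $cas_domain;
      }

      // Become user 1 while saving so profile information can be written;
      // session saving is suspended so the switch is never persisted.
      session_save_session(FALSE);
      $user = user_load(array('uid' => 1));
      $user = user_save('', $user_default);
      session_save_session(TRUE);

      watchdog('user', 'new user: %n (CAS)', array('%n' => $user->name), WATCHDOG_NOTICE, l(t('edit user'), "admin/user/edit/{$user->uid}"));

      if ($user->uid && $user->uid > 0 && $cas_authmap) {
        // Native accounts: finish the login here and send the new user to
        // their edit form. drupal_goto() does not return.
        module_invoke_all('user', 'login', NULL, $user);
        unset($_SESSION['cas_goto']);
        watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
        drupal_goto("user/" . $user->uid . "/edit");
      }

      // Mark this session as the account's first login.
      $_SESSION['cas_first_login'] = TRUE;
    }
  }

  // Final check that we ended up with a real account.
  if ($user->uid && $user->uid > 0) {
    // LDAPAuth interfacing: optionally apply LDAP groups to the account.
    if (variable_get('cas_useldap_groups', '')) {
      if ($ldap_config_name = _get_ldap_config_name($user->name)) {
        _ldapauth_init($ldap_config_name);
        include_once 'modules/ldap_integration/ldapgroups.module';
        $user->ldap_authentified = TRUE;
        ldapgroups_user_login($user);
      }
    }

    // CAS single sign-out: store the service ticket for later logoutRequests.
    if (variable_get('cas_signout', FALSE)) {
      _cas_single_sign_out_save_token($user, $cas_service_ticket);
    }

    // Add the auto-assigned roles. The password is deliberately not reset
    // here: doing so caused problems with phpCAS.
    $roles = $user->roles;
    foreach ($cas_roles as $rid) {
      $roles[$rid] = $rid;
    }
    $user = user_save($user, array('roles' => $roles));

    $edit = array();
    if (module_exists('persistent_login') && !empty($_SESSION['cas_remember'])) {
      $edit['persistent_login'] = 1;
    }
    module_invoke_all('user', 'login', $edit, $user);

    drupal_set_message(t(variable_get('cas_login_message', 'Logged in via CAS as %cas_username.'), array('%cas_username' => $user->name)));
    if (!empty($edit['persistent_login'])) {
      drupal_set_message(t('You will remain logged in on this computer even after you close your browser.'));
    }
    watchdog('user', 'Session opened for %name.', array('%name' => $user->name));

    // The menu cannot be relied on because the login state just changed.
    cas_login_page();
  }
  else {
    session_destroy();
    $user = drupal_anonymous_user();
  }
}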