function securesite_boot in Secure Site 6

Same name and namespace in other branches
  1. 6.2 securesite.module \securesite_boot()
  2. 7.2 securesite.module \securesite_boot()

Implementation of hook_boot()

This is where Secure Site does most of its processing.

Note: When a user is logged in but doesn't have the 'access secured pages' permission, they receive the normal Access Denied message.

File

./securesite.module, line 76
Secure Site contrib module

Code

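/**
 * Implementation of hook_boot().
 *
 * This is where Secure Site does most of its processing. In order it:
 *  1. returns early for requests that bypass Secure Site (module disabled,
 *     alternate auth mode, CLI, cron.php, user 1, or an existing guest
 *     session);
 *  2. lets well-formed one-time password-reset links through;
 *  3. collects credentials from the login form or HTTP Basic authentication;
 *  4. prompts anonymous users who supplied no credentials;
 *  5. logs in the shared guest account when its credentials match;
 *  6./7. authenticates a real account and redirects, or logs the failure and
 *     prompts again.
 *
 * Note: When a user is logged in, but doesn't have the 'access secured pages'
 * permission, they get a normal Access Denied message.
 *
 * Side effects: may run a full bootstrap, redirect via drupal_goto(), call
 * _securesite_user_auth() (credential prompt), log via watchdog(), queue a
 * message via drupal_set_message(), and set or clear
 * $_SESSION['securesite_guest'] and $_SESSION['securesite_login'].
 */
function securesite_boot() {
  global $user, $base_path;
  $securesite_enabled = variable_get('securesite_enabled', SECURESITE_DISABLED);
  $guest_name = variable_get('securesite_guest_name', '');
  $guest_pass = variable_get('securesite_guest_pass', '');
  $request_uri = request_uri();

  // Step #1: Process conditions that bypass Secure Site authentication.
  // A guest session only counts while a guest name is still configured, so
  // removing the guest account also invalidates existing guest sessions.
  $guest_session = !empty($guest_name) && !empty($_SESSION['securesite_guest']);
  if (!$securesite_enabled || $securesite_enabled == SECURESITE_AUTH_ALT || php_sapi_name() == 'cli' || $request_uri == $base_path . 'cron.php' || $user->uid == 1 || $guest_session) {
    return;
  }

  // Do a full bootstrap since Secure Site uses many functions throughout Core,
  // such as path.inc and user.module functions, t(), and theme()
  drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

  // Read the system path once, after the bootstrap has normalized it. It is
  // not guaranteed to be present on every request.
  $q = isset($_GET['q']) ? $_GET['q'] : '';

  // This has to be after a full bootstrap
  if (_securesite_filter_check($q) || ($user->uid && user_access('access secured pages'))) {
    // User is logged in and has privileges to access secured pages
    return;
  }

  // Prevent a login/logout loop by redirecting off the logout page
  if (strpos($request_uri, $base_path . 'logout') === 0) {
    drupal_goto('<front>');
  }

  // Step #2: Process password resets
  if (strpos($request_uri, $base_path . 'user/reset/') === 0) {
    $args = explode('/', $q);

    // The password reset function doesn't work well if it doesn't have all the
    // required parameters or if the UID parameter isn't valid
    if (count($args) >= 5 && user_load(array('uid' => $args[2], 'status' => 1))) {
      // Sanity-checking complete, now let user_pass_reset() and the menu
      // system handle it
      return;
    }
    drupal_set_message(t('You have tried to use an invalid one-time login link. Please request a new one using the form below.'), 'error');
  }

  // Step #3: Set up variables. Start from empty credentials so the checks
  // below never read an undefined index when no source supplied any.
  $edit = array('name' => '', 'pass' => '');
  if ($securesite_enabled == SECURESITE_FORM && !empty($_POST['edit']) && is_array($_POST['edit'])) {
    // Submitted keys win; missing keys fall back to the empty defaults.
    $edit = $_POST['edit'] + $edit;
  }
  elseif ($securesite_enabled == SECURESITE_AUTH) {
    // PHP in CGI mode work-arounds.  Sometimes, "REDIRECT_" prefixes $_SERVER
    // variables.  See http://www.php.net/reserved.variables
    if (!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && empty($_SERVER['HTTP_AUTHORIZATION'])) {
      $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    }

    // Auth variables set via Rewrite rules need to be decoded
    // See http://www.php.net/manual/en/features.http-auth.php#76708
    // Only a "Basic" scheme carries a base64 "user:pass" pair. Split on the
    // first ':' only, so a password containing ':' is not truncated, and skip
    // payloads with no separator instead of leaving PHP_AUTH_PW unset.
    if (!empty($_SERVER['HTTP_AUTHORIZATION']) && strncasecmp($_SERVER['HTTP_AUTHORIZATION'], 'Basic ', 6) === 0) {
      $decoded = base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6));
      if ($decoded !== FALSE && strpos($decoded, ':') !== FALSE) {
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', $decoded, 2);
      }
    }

    // Process username and password normally.  The correct $_SERVER variables
    // are now set if PHP is run in CGI mode
    if (isset($_SERVER['PHP_AUTH_USER'])) {
      $edit['name'] = $_SERVER['PHP_AUTH_USER'];
    }
    if (isset($_SERVER['PHP_AUTH_PW'])) {
      $edit['pass'] = $_SERVER['PHP_AUTH_PW'];
    }
  }

  // Step #4: If needed, ask user for credentials
  if ((empty($edit['name']) || empty($edit['pass'])) && $user->uid == 0) {
    _securesite_user_auth();
  }

  // Step #5: Check if user is a guest and log them in if they are. Compare
  // as strings with '===': loose '==' treats numeric-looking strings as
  // numbers, and a non-string (e.g. array) submission must never match.
  $guest_match = !empty($guest_name) && !empty($guest_pass)
    && is_string($edit['name']) && is_string($edit['pass'])
    && (string) $guest_name === $edit['name'] && (string) $guest_pass === $edit['pass'];
  if ($guest_match) {
    // Mark this session to prevent re-login (note: guests can't logout)
    $_SESSION['securesite_guest'] = TRUE;
    $_SESSION['securesite_login'] = TRUE;

    // Redirect to prevent some caching problems. $q comes from the request,
    // so refuse to bounce the user to an external URL.
    drupal_goto(menu_path_is_external($q) ? '<front>' : $q);
  }

  // If not a guest, make sure to clear the guest session
  unset($_SESSION['securesite_guest']);

  // Step #6: Check user's credentials
  // The LDAP auth module can't use the regular external user login system, so
  // we have to call its login function directly
  if (function_exists('_ldapauth_user_authenticate')) {
    $account = _ldapauth_user_authenticate($edit['name'], $edit['pass']);
  }
  else {
    $account = user_authenticate(array('name' => $edit['name'], 'pass' => $edit['pass']));
  }

  // Step #7: Process login attempt
  if (!empty($account->uid) && user_access('access secured pages', $account)) {
    // Mark the session so Secure Site will be triggered on logout
    $_SESSION['securesite_login'] = TRUE;

    // Redirect to prevent some caching problems. $q comes from the request,
    // so refuse to bounce the user to an external URL.
    drupal_goto(menu_path_is_external($q) ? '<front>' : $q);
  }
  else {
    // Login failed
    if (!empty($edit['name'])) {
      watchdog('user', 'Login attempt failed for %user.', array(
        '%user' => $edit['name'],
      ));
    }
    else {
      watchdog('user', 'Login attempt failed for <em>anonymous</em> user.', array(
        '%user' => $edit['name'],
      ));
    }
    _securesite_user_auth();
  }
}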