function securesite_init in Secure Site 5
Implementation of hook_init()
This is where Secure Site does most of its processing
Note: When a user is logged in, but doesn't have the 'access secured pages' permission, they get a normal Access Denied message
File
- ./
securesite.module, line 194 - Secure Site contrib module
Code
function securesite_init() {
global $user, $base_path;
$securesite_enabled = variable_get('securesite_enabled', SECURESITE_DISABLED);
$guest_name = variable_get('securesite_guest_name', '');
$guest_pass = variable_get('securesite_guest_pass', '');
// Step #1: Process conditions that bypass Secure Site authentication
if (!$securesite_enabled || $securesite_enabled == SECURESITE_AUTH_ALT || php_sapi_name() == 'cli' || request_uri() == $base_path . 'cron.php' || $user->uid == 1 || $user->uid && user_access('access secured pages') || !empty($guest_name) && (isset($_SESSION['securesite_guest']) ? $_SESSION['securesite_guest'] : '')) {
return;
}
// Do a partial bootstrap when caching is enabled since Secure Site uses
// stuff in path.inc for the following bypass check
if (variable_get('cache', CACHE_DISABLED) != CACHE_DISABLED) {
drupal_bootstrap(DRUPAL_BOOTSTRAP_PATH);
}
// User accessing a page in the bypass list. This has to be after a partial
// bootstrap so path.inc functions are available and $_GET['q'] is set.
if (_securesite_filter_check(isset($_GET['q']) ? $_GET['q'] : '')) {
return;
}
// Prevent a login/logout loop by redirecting off the logout page
if (strpos(request_uri(), $base_path . 'logout') === 0) {
drupal_goto('<front>');
}
// Finish bootstrap since Secure Site uses many functions throughout Core,
// such as user.module functions, t(), and theme()
if (variable_get('cache', CACHE_DISABLED) != CACHE_DISABLED) {
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
}
// Step #2: Process password resets
if (strpos($_GET['q'], 'user/reset/') === 0 || module_exists('i18n') && i18n_selection_mode() != 'off' && strpos($_GET['q'], i18n_selection_mode('params') . '/user/reset/') === 0) {
$args = explode('/', $_GET['q']);
if (module_exists('i18n') && i18n_selection_mode() != 'off' && i18n_selection_mode('params') != '') {
// Remove the language argument.
array_shift($args);
}
// The password reset function doesn't work well if it doesn't have all the
// required parameters or if the UID parameter isn't valid
if (count($args) >= 5 && user_load(array(
'uid' => $args[2],
'status' => 1,
))) {
user_pass_reset($args[2], $args[3], $args[4], 'login');
}
else {
drupal_set_message(t('You have tried to use an invalid one-time login link. Please request a new one using the form below.'), 'error');
}
}
// Step #3: Set up variables
if ($securesite_enabled == SECURESITE_FORM && !empty($_POST)) {
$edit = $_POST['edit'];
}
elseif ($securesite_enabled == SECURESITE_AUTH) {
// PHP in CGI mode work-arounds. Sometimes, "REDIRECT_" prefixes $_SERVER
// variables. See http://www.php.net/reserved.variables
if (!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && empty($_SERVER['HTTP_AUTHORIZATION'])) {
$_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
}
// Auth variables set via Rewrite rules need to be decoded
// See http://www.php.net/manual/en/features.http-auth.php#76708
if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
}
// Process username and password normally. The correct $_SERVER variables
// are now set if PHP is run in CGI mode
if (isset($_SERVER['PHP_AUTH_USER'])) {
$edit['name'] = $_SERVER['PHP_AUTH_USER'];
}
if (isset($_SERVER['PHP_AUTH_PW'])) {
$edit['pass'] = $_SERVER['PHP_AUTH_PW'];
}
}
// Step #4: If needed, ask user for credentials
if ((empty($edit['name']) || empty($edit['pass'])) && $user->uid == 0) {
_securesite_user_auth();
}
// Step #5: Check if user is a guest and log them in if they are
if (!empty($guest_name) && !empty($guest_pass) && $guest_name == $edit['name'] && $guest_pass == $edit['pass']) {
// Mark this session to prevent re-login (note: guests can't logout)
$_SESSION['securesite_guest'] = TRUE;
$_SESSION['securesite_login'] = TRUE;
// Redirect to prevent some caching problems
drupal_goto($_GET['q']);
}
unset($_SESSION['securesite_guest']);
// If not a guest, make sure to clear the guest session
// Step #6: Check user's credentials
// The LDAP auth module can't use the regular external user login system, so
// we have to call its login function directly
if (function_exists('_ldapauth_user_authenticate')) {
$account = _ldapauth_user_authenticate($edit['name'], $edit['pass']);
}
else {
$account = user_authenticate($edit['name'], $edit['pass']);
}
// Step #7: Process login attempt
if ((isset($account->uid) ? $account->uid : FALSE) && user_access('access secured pages', $account)) {
// Login successful
$user = $account;
// Mark the session so Secure Site will be triggered on logout
$_SESSION['securesite_login'] = TRUE;
watchdog('user', t('Session opened for %name.', array(
'%name' => $user->name,
)));
db_query("UPDATE {users} SET login = '%d' WHERE uid = '%s'", time(), $user->uid);
user_module_invoke('login', $edit, $user);
// When caching is enabled, redirect to prevent some caching problems. If
// caching is enabled, some feed readers (that don't support cookies) will
// not be able to authenticate due to this redirect
if (variable_get('cache', CACHE_DISABLED) != CACHE_DISABLED) {
drupal_goto($_GET['q']);
}
}
else {
// Login failed
if (!empty($edit['name'])) {
watchdog('user', t('Login attempt failed for %user.', array(
'%user' => $edit['name'],
)));
}
else {
watchdog('user', t('Login attempt failed for <em>anonymous</em> user.', array(
'%user' => $edit['name'],
)));
}
_securesite_user_auth();
}
}