
function securesite_init in Secure Site 5

Implementation of hook_init()

This is where Secure Site does most of its processing

Note: When a user is logged in but doesn't have the 'access secured pages' permission, they get a normal Access Denied message.

File

./securesite.module, line 194
Secure Site contrib module

Code

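/**
 * Implementation of hook_init().
 *
 * Gates every request behind Secure Site authentication unless one of the
 * bypass conditions applies. The steps are, in order: bypass checks,
 * one-time password reset links, collecting the submitted credentials (form
 * POST or HTTP Basic), prompting when credentials are missing, guest login,
 * credential verification, and finally session setup or a new prompt.
 *
 * Credentials arrive from the client ($_POST or the Authorization header) and
 * are treated as untrusted: they are normalized to strings before any
 * comparison or authentication call.
 */
function securesite_init() {
  global $user, $base_path;
  $securesite_enabled = variable_get('securesite_enabled', SECURESITE_DISABLED);
  $guest_name = (string) variable_get('securesite_guest_name', '');
  $guest_pass = (string) variable_get('securesite_guest_pass', '');

  // Step #1: Process conditions that bypass Secure Site authentication.
  // Each line below is an independent bypass; any one of them is enough.
  $is_guest_session = !empty($guest_name) && !empty($_SESSION['securesite_guest']);
  if (!$securesite_enabled
    || $securesite_enabled == SECURESITE_AUTH_ALT
    || php_sapi_name() == 'cli'
    || request_uri() == $base_path . 'cron.php'
    || $user->uid == 1
    || ($user->uid && user_access('access secured pages'))
    || $is_guest_session) {
    return;
  }

  // Do a partial bootstrap when caching is enabled since Secure Site uses
  // stuff in path.inc for the following bypass check
  if (variable_get('cache', CACHE_DISABLED) != CACHE_DISABLED) {
    drupal_bootstrap(DRUPAL_BOOTSTRAP_PATH);
  }

  // User accessing a page in the bypass list. This has to be after a partial
  // bootstrap so path.inc functions are available and $_GET['q'] is set.
  if (_securesite_filter_check(isset($_GET['q']) ? $_GET['q'] : '')) {
    return;
  }

  // Prevent a login/logout loop by redirecting off the logout page
  if (strpos(request_uri(), $base_path . 'logout') === 0) {
    drupal_goto('<front>');
  }

  // Finish bootstrap since Secure Site uses many functions throughout Core,
  // such as user.module functions, t(), and theme()
  if (variable_get('cache', CACHE_DISABLED) != CACHE_DISABLED) {
    drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
  }

  // Requested internal path, read once so later steps never touch an unset
  // index.
  $q = isset($_GET['q']) ? $_GET['q'] : '';

  // Step #2: Process password resets
  $i18n_active = module_exists('i18n') && i18n_selection_mode() != 'off';
  if (strpos($q, 'user/reset/') === 0 || ($i18n_active && strpos($q, i18n_selection_mode('params') . '/user/reset/') === 0)) {
    $args = explode('/', $q);
    if ($i18n_active && i18n_selection_mode('params') != '') {

      // Remove the language argument.
      array_shift($args);
    }

    // The password reset function doesn't work well if it doesn't have all the
    // required parameters or if the UID parameter isn't valid
    if (count($args) >= 5 && user_load(array(
      'uid' => $args[2],
      'status' => 1,
    ))) {
      user_pass_reset($args[2], $args[3], $args[4], 'login');
    }
    else {
      drupal_set_message(t('You have tried to use an invalid one-time login link. Please request a new one using the form below.'), 'error');
    }
  }

  // Step #3: Set up variables
  // Start from an empty array so later steps never read an undefined $edit.
  $edit = array();
  if ($securesite_enabled == SECURESITE_FORM && !empty($_POST)) {

    // Only accept the expected array shape from the client.
    if (isset($_POST['edit']) && is_array($_POST['edit'])) {
      $edit = $_POST['edit'];
    }
  }
  elseif ($securesite_enabled == SECURESITE_AUTH) {

    // HTTP Basic credentials are only base64-encoded, not encrypted, so this
    // mode relies on the transport (HTTPS) for confidentiality.

    // PHP in CGI mode work-arounds.  Sometimes, "REDIRECT_" prefixes $_SERVER
    // variables.  See http://www.php.net/reserved.variables
    if (!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && empty($_SERVER['HTTP_AUTHORIZATION'])) {
      $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    }

    // Auth variables set via Rewrite rules need to be decoded
    // See http://www.php.net/manual/en/features.http-auth.php#76708
    if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
      $auth_header = $_SERVER['HTTP_AUTHORIZATION'];

      // Only a "Basic <base64>" header carries user:pass; anything else would
      // decode to garbage.
      if (strncasecmp($auth_header, 'Basic ', 6) === 0) {

        // Split on the first colon only: the user name cannot contain one,
        // but the password may.
        $parts = explode(':', (string) base64_decode(substr($auth_header, 6)), 2);
        if (count($parts) == 2) {
          $_SERVER['PHP_AUTH_USER'] = $parts[0];
          $_SERVER['PHP_AUTH_PW'] = $parts[1];
        }
      }
    }

    // Process username and password normally.  The correct $_SERVER variables
    // are now set if PHP is run in CGI mode
    if (isset($_SERVER['PHP_AUTH_USER'])) {
      $edit['name'] = $_SERVER['PHP_AUTH_USER'];
    }
    if (isset($_SERVER['PHP_AUTH_PW'])) {
      $edit['pass'] = $_SERVER['PHP_AUTH_PW'];
    }
  }

  // Reduce the submitted credentials to plain strings. A non-string value
  // (for example edit[name][]=x in a POST) is treated as missing.
  $name = (isset($edit['name']) && is_string($edit['name'])) ? $edit['name'] : '';
  $pass = (isset($edit['pass']) && is_string($edit['pass'])) ? $edit['pass'] : '';

  // Step #4: If needed, ask user for credentials
  if ((empty($name) || empty($pass)) && $user->uid == 0) {
    _securesite_user_auth();
  }

  // Step #5: Check if user is a guest and log them in if they are.
  // The guest password is compared exactly as stored in the variable, i.e. it
  // is kept unhashed. Strict comparison is required: with "==" PHP compares
  // numeric-looking strings as numbers, so different strings can match.
  if (!empty($guest_name) && !empty($guest_pass) && $guest_name === $name && $guest_pass === $pass) {

    // Mark this session to prevent re-login (note: guests can't logout)
    $_SESSION['securesite_guest'] = TRUE;
    $_SESSION['securesite_login'] = TRUE;

    // Redirect to prevent some caching problems
    drupal_goto($q);
  }

  // If not a guest, make sure to clear the guest session
  unset($_SESSION['securesite_guest']);

  // Step #6: Check user's credentials
  // The LDAP auth module can't use the regular external user login system, so
  // we have to call its login function directly
  if (function_exists('_ldapauth_user_authenticate')) {
    $account = _ldapauth_user_authenticate($name, $pass);
  }
  else {
    $account = user_authenticate($name, $pass);
  }

  // Step #7: Process login attempt
  if (!empty($account->uid) && user_access('access secured pages', $account)) {

    // Login successful
    $user = $account;

    // Mark the session so Secure Site will be triggered on logout
    $_SESSION['securesite_login'] = TRUE;
    watchdog('user', t('Session opened for %name.', array(
      '%name' => $user->name,
    )));

    // Both columns are integers, so both placeholders are %d.
    db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);
    user_module_invoke('login', $edit, $user);

    // Issue a fresh session id now that the session is authenticated, so an
    // id that was known before login cannot be reused (session fixation).
    // Guarded because sess_regenerate() may not exist in every core release.
    if (function_exists('sess_regenerate')) {
      sess_regenerate();
    }

    // When caching is enabled, redirect to prevent some caching problems.  If
    // caching is enabled, some feed readers (that don't support cookies) will
    // not be able to authenticate due to this redirect
    if (variable_get('cache', CACHE_DISABLED) != CACHE_DISABLED) {
      drupal_goto($q);
    }
  }
  else {

    // Login failed. The submitted name is logged through the %user
    // placeholder, never concatenated into the message.
    if (!empty($name)) {
      watchdog('user', t('Login attempt failed for %user.', array(
        '%user' => $name,
      )));
    }
    else {
      watchdog('user', t('Login attempt failed for <em>anonymous</em> user.'));
    }
    _securesite_user_auth();
  }
}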