
function shib_auth_init in Shibboleth Authentication 6.4

Same name and namespace in other branches
  1. 5.3 shib_auth.module \shib_auth_init()
  2. 5.2 shib_auth.module \shib_auth_init()
  3. 6 shib_auth.module \shib_auth_init()
  4. 6.2 shib_auth.module \shib_auth_init()
  5. 6.3 shib_auth.module \shib_auth_init()
  6. 7.4 shib_auth.module \shib_auth_init()

Create a new user based on information from the Shibboleth handler if necessary, or log the user in.

If already authenticated, do nothing. If Shibboleth doesn't provide user information, show an error message. Otherwise, if the user exists and mail override (shib_auth_req_shib_only) is enabled, override the existing user info. If the user does not exist and Shibboleth provides a mail address, create an account for this user. If there is no mail attribute and mail override (shib_auth_req_shib_only) is disabled, ask for the mail address on a generated form; in this case, the account will be created with this e-mail address.

File

./shib_auth.module, line 592
Drupal Shibboleth authentication module.

Code

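/**
 * Implementation of hook_init(): log in or register the Shibboleth user.
 *
 * Reads the username and e-mail attributes that the Shibboleth SP exposes in
 * $_SERVER, validates the shib session, and then either logs the mapped Drupal
 * user in, records a newly accepted consent version, creates the authmap entry,
 * or lets the custom data / terms form be displayed. All state flows through
 * the global $user, $_SESSION and the shib_auth_* helpers; nothing is returned.
 */
function shib_auth_init() {
  global $user;

  // Add theme css.
  drupal_add_css(drupal_get_path('module', 'shib_auth') . '/shib_auth.css');

  // Make sure that the user module is already loaded.
  drupal_load('module', 'user');
  $consent_accepted = FALSE;

  // We want to return as early as possible if we have nothing to do, but
  // checking the session needs the username first (if it is set at all).
  // NOTE(review): these $_SERVER entries are trusted as set by the Shibboleth
  // SP. If the configured variable names resolve to client-controllable request
  // headers (HTTP_*), the SP must overwrite or strip them before PHP sees the
  // request -- confirm this in the deployment.
  $username_variable = shib_auth_config('username_variable');
  $uname = isset($_SERVER[$username_variable]) ? $_SERVER[$username_variable] : NULL;

  // Remember whether the user was already logged in before this hook ran.
  $alreadyloggedin = !user_is_anonymous();

  // CHECKING THE SESSION
  // shib_auth_session_check() destroys the session if
  //   * the shib session is expired and auto_destroy_session is enabled, or
  //   * the username has changed unexpectedly.
  // In either case, or when there is no shib session at all, there is nothing
  // to do but emit debug output and exit.
  if (!shib_auth_session_check($uname) || !shib_auth_session_valid()) {
    shib_auth_debug();
    return;
  }

  // Time to retrieve the mail and begin some work. The attribute may carry
  // several addresses separated by ';' -- keep only the first one. A missing
  // attribute yields '' (same as the preg_replace() result on NULL, without
  // the undefined-index notice).
  $email_variable = shib_auth_config('email_variable');
  $umail = isset($_SERVER[$email_variable]) ? $_SERVER[$email_variable] : '';
  $umail_single = preg_replace('/;.*/', '', $umail);

  // ROLE ASSIGNMENT
  shib_auth_role_assignment();

  // DEBUG
  shib_auth_debug();

  // Do nothing if the user is logged in and we're not doing account linking.
  if ($user->uid && empty($_SESSION['shib_auth_account_linking'])) {
    return;
  }

  // Do virtually nothing when we need to display the custom data form.
  if (!empty($_SESSION['shib_auth_custom_form'])) {
    // Display it only once.
    unset($_SESSION['shib_auth_custom_form']);
    return;
  }

  // Start the login/registering process.

  // Check that the identifier exists and is not too long.
  if (!shib_auth_check_identifier($uname)) {
    shib_auth_error('Shibboleth authentication process can\'t continue');
    return;
  }

  // Check whether the user already exists in the shibboleth authmap.
  $existing_authmap = shib_auth_load_from_authmap($uname);

  // Check whether the consent form was submitted with "accept" ticked and not
  // cancelled. The isset() guards avoid undefined-index notices on the vast
  // majority of requests, which carry no form submission at all.
  $form_id = isset($_POST['form_id']) ? $_POST['form_id'] : NULL;
  $op = isset($_POST['op']) ? $_POST['op'] : NULL;
  if ($form_id === 'shib_auth_custom_data' && !empty($_POST['accept']) && $op !== t('Cancel')) {
    $consent_accepted = TRUE;
  }

  // LOGIN EXISTING USER
  // The user exists in the authmap and either the consent version check is
  // switched off or she/he has accepted the newest consent version: log in.
  // consentver is compared loosely on purpose, as the stored and configured
  // versions may differ in scalar type.
  if ($existing_authmap && (!shib_auth_config('terms_accept') || $existing_authmap['consentver'] == shib_auth_config('terms_ver'))) {
    if (empty($_SESSION['shib_auth_account_linking'])) {
      shib_login_authmap($uname, $umail_single, $existing_authmap['uid'], $alreadyloggedin);
    }
    else {
      // Account linking makes no sense for an ID that is already mapped.
      shib_auth_terminate_session('This ID has already been registered, please log in again');
    }
  }
  elseif ($existing_authmap && $consent_accepted) {
    // Existing user who has just accepted the new consent version.
    shib_auth_consent_update($uname, $umail_single, $existing_authmap['uid']);
  }
  else {
    // REGISTER NEW USER
    $current_path = isset($_GET['q']) ? $_GET['q'] : NULL;
    if (!empty($_SESSION['shib_auth_account_linking']) || ($umail_single && !shib_auth_config('enable_custom_mail') && !shib_auth_config('define_username') && !shib_auth_config('terms_accept'))) {
      // Account linking, or an e-mail address from the IdP with no custom
      // mail, username or terms step configured: create the authmap entry.
      shib_auth_save_authmap($uname, $uname, $umail_single);
    }
    elseif ($current_path == shib_auth_config('terms_url')) {
      // Don't display the custom form; let the terms and conditions page show.
    }
    elseif (shib_auth_custom_form($umail_single, $uname)) {
      // The custom form is displayed on every page until the user registers.
    }
    else {
      shib_auth_error('E-mail address is missing. Please contact your site administrator!');
    }
  }

  // ASSIGN ROLES AFTER REGISTER
  shib_auth_role_assignment();

  // END OF REGISTERING
  if (!empty($_SESSION['shib_auth_account_linking'])) {
    unset($_SESSION['shib_auth_account_linking']);
    drupal_set_message('End of account linking session');
  }
}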