
function shib_auth_init in Shibboleth Authentication 7.4

Same name and namespace in other branches
  1. 5.3 shib_auth.module \shib_auth_init()
  2. 5.2 shib_auth.module \shib_auth_init()
  3. 6.4 shib_auth.module \shib_auth_init()
  4. 6 shib_auth.module \shib_auth_init()
  5. 6.2 shib_auth.module \shib_auth_init()
  6. 6.3 shib_auth.module \shib_auth_init()

Creates a new user, if necessary, based on information from the handler.

Creates a new user based on information from the Shibboleth handler if necessary, or logs the user in. If the user is already authenticated, nothing is done. If Shibboleth does not provide user information, an error message is shown. Otherwise, if the user exists and mail override (shib_auth_req_shib_only) is enabled, the existing user info is overridden. If the user does not exist and Shibboleth provides a mail address, an account is created for this user. If there is no mail attribute and mail override (shib_auth_req_shib_only) is disabled, the mail address is requested on a generated form; in this case, the account will be created with that email address.

File

./shib_auth.module, line 726
Drupal Shibboleth authentication module.

Code

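/**
 * Implements hook_init().
 *
 * Creates a new user, if necessary, based on information from the handler.
 *
 * Control flow, in order:
 * - if the session check fails or there is no valid Shibboleth session, only
 *   debug output is emitted;
 * - roles are (re)assigned from the Shibboleth attributes;
 * - nothing else happens for an already logged-in user unless an account
 *   linking session is in progress;
 * - an identifier already present in the authmap is logged in (or, when the
 *   consent version changed and the user just accepted it, its consent record
 *   is updated);
 * - otherwise the identifier is registered directly when account linking is in
 *   progress, or when the IdP supplied a mail address and neither a custom
 *   mail/username form nor the terms page is required; failing that the custom
 *   data form is shown, or an error is reported when no mail is available.
 *
 * Reads $_SESSION (shib_auth_account_linking, shib_auth_custom_form),
 * $_POST (form_id, accept) and $_GET['q'] directly.
 */
function shib_auth_init() {

  // Add theme css.
  drupal_add_css(drupal_get_path('module', 'shib_auth') . '/shib_auth.css');

  // Make sure that the user module is already loaded.
  drupal_load('module', 'user');
  $consent_accepted = FALSE;

  /* We want to return as early as possible if we have nothing to do.
    But for checking the session, we need the username first (if it's set) */

  // Might be NULL.
  $uname = shib_auth_getenv(shib_auth_config('username_variable'));

  // Storing whether the user was already logged in or not.
  $alreadyloggedin = !user_is_anonymous();

  /* CHECKING THE SESSION
    Here shib_auth_session_check() will destroy the session if
     * the shib session is expired and auto_destroy_session is enabled
     * the username has changed unexpectedly
    Either this happens or we do not have a shib session, we don't have anything
    to do but send out some debug and exit.
     */
  if (!shib_auth_session_check($uname) || !shib_auth_session_valid()) {
    shib_auth_debug();
    return;
  }

  /* Time to retrieve the mail and begin some work */
  // Read the attribute once; a missing or empty value becomes ''.
  $umail = shib_auth_getenv(shib_auth_config('email_variable'));
  if (!$umail) {
    $umail = '';
  }

  // Get the first one if there're many (the attribute is ';'-separated).
  $umail_single = preg_replace('/;.*/', '', $umail);

  // ************ ROLE ASSIGNMENT  **************.
  shib_auth_role_assignment();

  // **************** DEBUG ********************.
  shib_auth_debug();

  // Do nothing if the user is logged in and we're not doing account linking.
  if (user_is_logged_in() && empty($_SESSION['shib_auth_account_linking'])) {
    return;
  }

  // Do virtually nothing when we need to display the custom data form.
  if (!empty($_SESSION['shib_auth_custom_form'])) {

    // Display it only once.
    unset($_SESSION['shib_auth_custom_form']);
    return;
  }

  /********* Start the login/registering process **********/

  // Check identifier if it exists, and not too long. Nothing below may run on
  // an identifier that failed this check, since it is used as the authmap key.
  if (!shib_auth_check_identifier($uname)) {
    shib_auth_error('Shibboleth authentication process can\'t continue');
    return;
  }

  // Check if the old user exists in the shibboleth authmap.
  $existing_authmap = shib_auth_load_from_authmap($uname);

  // Check whether CONSENT VERSION is CHANGED, if so, users have to accept it
  // again. Strict comparison: form_id always arrives as a string.
  // NOTE(review): this reads the raw POST in hook_init, before the Form API
  // has processed the submission -- confirm the consent form's token is
  // validated before the accepted flag has any persistent effect.
  if (isset($_POST['form_id']) && $_POST['form_id'] === 'shib_auth_custom_data' && !empty($_POST['accept'])) {
    // Only the truthiness of this value is used below.
    $consent_accepted = filter_xss($_POST['accept']);
  }

  // *********** LOGIN EXISTING USER ***************
  // The user exists in the authmap, and the consent version check is
  // switched off, or she/he had accepted the newest consent version
  // Then let the user log in.
  if ($existing_authmap && (!shib_auth_config('terms_accept') || $existing_authmap['consentver'] == shib_auth_config('terms_ver'))) {
    if (empty($_SESSION['shib_auth_account_linking'])) {
      shib_login_authmap($uname, $umail_single, $existing_authmap['uid'], $alreadyloggedin);
    }
    else {
      // An identifier already bound to an account must not be linked to a
      // second one; drop the session instead.
      shib_auth_terminate_session('This ID has already been registered, please log in again');
    }
  }
  elseif ($existing_authmap && $consent_accepted) {
    shib_auth_consent_update($uname, $umail_single, $existing_authmap['uid']);
  }
  else {

    // If it is account linking and the terms are accepted or forcing an
    // existing user to accept terms and conditions.
    // If we have an email address from the shib server, and there isn't
    // any user with this address, create an account with this information.
    // Parentheses make the precedence explicit: linking alone is sufficient,
    // otherwise every one of the mail/form/terms conditions must hold.
    if (!empty($_SESSION['shib_auth_account_linking']) || ($umail_single && !shib_auth_config('enable_custom_mail') && !shib_auth_config('define_username') && !shib_auth_config('terms_accept'))) {
      shib_auth_save_authmap($uname, $uname, $umail_single);
    }
    elseif ($_GET['q'] === shib_auth_config('terms_url')) {

      // Don't display custom form, let the terms and conditions be displayed.
    }
    elseif (shib_auth_custom_form($umail_single, $uname)) {

      // We display custom forms on every page, if the user isn't
      // registered yet.
    }
    else {
      shib_auth_error('Email address is missing. Please contact your site administrator!');
    }
  }

  // ****** ASSIGN ROLES AFTER REGISTER *******.
  shib_auth_role_assignment();

  // ********* END OF REGISTERING *************.
  if (!empty($_SESSION['shib_auth_account_linking'])) {
    unset($_SESSION['shib_auth_account_linking']);
    drupal_set_message(t('End of account linking session'));
  }
}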