
function shib_auth_process_rule in Shibboleth Authentication 6.4

Same name and namespace in other branches
  1. 7.4 shib_auth.module \shib_auth_process_rule()

This function processes role assignment rules. The function matches rule regular expressions with defined server variables. If there is a match, it assigns roles to the user logged in.

@rule: the id of the rule currently processed

1 call to shib_auth_process_rule()
shib_auth_assignroles in ./shib_auth.module
The admin can define authorization rules based on the server variables (possibly provided by Shibboleth IdP) to give roles to users. The rules can be defined as a [server field - Regexp - role(s)] triplet.

File

./shib_auth.module, line 1087
Drupal Shibboleth authentication module.

Code

function shib_auth_process_rule($rule) {
  global $user;
  // is a constant 0 when the rule is not a sticky one
  $profile_changed = 0;

  $fieldname = $rule['field'];
  $expression = '/' . urldecode($rule['regexpression']) . '/';

  // if the given server field exists
  if (isset($_SERVER[$fieldname])) {
    foreach (explode(';', $_SERVER[$fieldname]) as $value) {

      //check if the RegEx fits to one of the value of the server field
      if (preg_match($expression, trim($value))) {
        $roles = unserialize($rule['role']);

        // there is a match, so give this user the specified role(s)
        if (empty($roles)) {

          // null-rule, NOP
          return NULL;
        }
        foreach ($roles as $role_id) {
          $role_name = shib_auth_get_rolename($role_id);

          // NOP if the user already has the given role
          // (isset() avoids an undefined-index notice for roles not yet held)
          if (isset($user->roles[$role_id]) && $user->roles[$role_id] == $role_name) {
            continue;
          }
          $user->roles[$role_id] = $role_name;
          if ($rule['sticky']) {

            // Sticky rules change the profile
            $profile_changed = 1;
            if (!isset($_SESSION['shib_auth_rolelog'])) {
              watchdog('shib_grant_stick', 'Role "@id" has been permanently granted', array(
                '@id' => $role_name,
              ), WATCHDOG_NOTICE);
            }
          }
          else {
            if (!isset($_SESSION['shib_auth_rolelog'])) {
              watchdog('shib_grant_role', 'Role "@id" has been granted', array(
                '@id' => $role_name,
              ), WATCHDOG_NOTICE);
            }
          }
        }
      }
    }
  }
  return $profile_changed;
}
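The following stand-alone PHP script is an added example, not code from the module: it re-implements only the matching step of shib_auth_process_rule() (split the server field on ';', trim each value, urldecode the stored regexp and wrap it in '/' delimiters, then preg_match) so that an administrator can check what a [server field - Regexp - role(s)] rule would grant against constructed attribute values without a Drupal install. The function name example_rule_roles, the $fake_server array, the $rules array and every attribute value in it are assumptions made up for the demonstration.

```php
<?php
// Added example (not part of shib_auth.module): stand-alone re-implementation
// of the rule matching performed by shib_auth_process_rule(), for checking
// admin-defined rules offline. All data below is constructed for the demo.

/**
 * Evaluate one [server field - regexp - role(s)] rule against a server array.
 *
 * Mirrors the module: the field is split on ';', each value is trimmed, and
 * the stored regexp is urldecoded and wrapped in '/' delimiters. Returns the
 * role ids the rule would grant (possibly empty), or NULL when the pattern
 * cannot be compiled at all.
 */
function example_rule_roles(array $rule, array $server) {
  if (!isset($server[$rule['field']])) {
    return array();
  }
  $expression = '/' . urldecode($rule['regexpression']) . '/';
  foreach (explode(';', $server[$rule['field']]) as $value) {
    // preg_match() returns FALSE (not 0) when the pattern itself is invalid,
    // for example when the regexp contains a bare '/' that collides with the
    // delimiter added above. In the module, "if (preg_match(...))" treats
    // FALSE exactly like "no match", so a broken rule silently never grants;
    // here the failure is reported separately so it can be noticed.
    $result = @preg_match($expression, trim($value));
    if ($result === FALSE) {
      return NULL;
    }
    if ($result === 1) {
      $roles = unserialize($rule['role']);
      return empty($roles) ? array() : $roles;
    }
  }
  return array();
}

// Constructed stand-in for $_SERVER as populated by a Shibboleth SP:
// a multi-valued attribute arrives as one string with ';' separators.
$fake_server = array(
  'affiliation' => 'member@example.org; nonstaff@example.org',
);

// Constructed rules in the same shape the module reads ('role' is a
// serialized array of role ids, as unserialize($rule['role']) expects).
$rules = array(
  // Unanchored: 'staff' also matches inside 'nonstaff@example.org'.
  'loose' => array(
    'field' => 'affiliation',
    'regexpression' => 'staff',
    'role' => serialize(array(5)),
  ),
  // Anchored and URL-encoded as stored; decodes to ^staff@example\.org$
  'strict' => array(
    'field' => 'affiliation',
    'regexpression' => '%5Estaff%40example%5C.org%24',
    'role' => serialize(array(5)),
  ),
  // Contains a bare '/', which breaks the '/'-delimited pattern.
  'broken' => array(
    'field' => 'affiliation',
    'regexpression' => 'example.org/staff',
    'role' => serialize(array(5)),
  ),
  // Field absent from the server array: can never match.
  'missing' => array(
    'field' => 'entitlement',
    'regexpression' => '.*',
    'role' => serialize(array(5)),
  ),
);

foreach ($rules as $name => $rule) {
  $granted = example_rule_roles($rule, $fake_server);
  if ($granted === NULL) {
    echo "$name: pattern failed to compile, rule never grants\n";
  }
  else {
    echo "$name: grants roles [" . implode(',', $granted) . "]\n";
  }
}
```

With the constructed values, the loose rule grants role 5 because the unanchored regexp 'staff' is found inside 'nonstaff@example.org', the strict rule grants nothing because neither value equals 'staff@example.org', the broken rule reports a compile failure, and the missing rule grants nothing. The practical point for anyone writing rules for this module is that the regexp is applied with preg_match and no anchors of its own, so a rule meant to test a whole attribute value should carry explicit ^ and $ (URL-encoded when stored), and should avoid a bare '/' since the module uses that character as the pattern delimiter.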