function shib_auth_process_rule in Shibboleth Authentication 6.4
Same name and namespace in other branches
- 7.4 shib_auth.module \shib_auth_process_rule()
This function processes role assignment rules The function matches rule regular expressions with defined server variables If there is a match, it assigns roles to the user logged in @rule the id of the rule currently processed
1 call to shib_auth_process_rule()
- shib_auth_assignroles in ./
shib_auth.module - The admin can define authorization rules based on the server variables (possibly provided by Shibboleth IdP) to give roles to users. The rules can be defined as a [server field - Regexp - role(s)] triplet
File
- ./
shib_auth.module, line 1087 - Drupal Shibboleth authentication module.
Code
function shib_auth_process_rule($rule) {
global $user;
$profile_changed = 0;
// is a constant 0 when the rule is not a sticky one
$fieldname = $rule['field'];
$expression = '/' . urldecode($rule['regexpression']) . '/';
// if the given server field exists
if (isset($_SERVER[$fieldname])) {
foreach (explode(';', $_SERVER[$fieldname]) as $value) {
//check if the RegEx fits to one of the value of the server field
if (preg_match($expression, trim($value))) {
$roles = unserialize($rule['role']);
// there is a match, so give this user the specified role(s)
if (empty($roles)) {
// null-rule, NOP
return NULL;
}
foreach ($roles as $role_id) {
$role_name = shib_auth_get_rolename($role_id);
if ($user->roles[$role_id] == $role_name) {
continue;
// NOP if the user already has the given role
}
$user->roles[$role_id] = $role_name;
if ($rule['sticky']) {
// Sticky rules change the profile
$profile_changed = 1;
if (!isset($_SESSION['shib_auth_rolelog'])) {
watchdog('shib_grant_stick', 'Role "@id" has been permanently granted', array(
'@id' => $role_name,
), WATCHDOG_NOTICE);
}
}
else {
if (!isset($_SESSION['shib_auth_rolelog'])) {
watchdog('shib_grant_role', 'Role "@id" has been granted', array(
'@id' => $role_name,
), WATCHDOG_NOTICE);
}
}
}
}
}
}
return $profile_changed;
}