
function shib_auth_process_rule in Shibboleth Authentication 7.4

Same name and namespace in other branches
  1. 6.4 shib_auth.module \shib_auth_process_rule()

This function processes role assignment rules.

The function matches the rule's regular expression against the defined server variables. If there is a match, it assigns the rule's roles to the logged-in user.

Parameters

int $rule: The id of the rule currently processed.

Return value

int|null 1 if the profile changed, 0 if not.

1 call to shib_auth_process_rule()
shib_auth_assignroles in ./shib_auth.module
Defines authorization rules for assigning roles to users.

File

./shib_auth.module, line 1315
Drupal Shibboleth authentication module.

Code

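/**
 * Processes a single role assignment rule.
 *
 * Every ';'-separated value of the rule's server field is tested against the
 * rule's regular expression; each matching value grants the rule's roles to
 * the global $user (granting an already-held role is a no-op).
 *
 * @param array $rule
 *   The rule row, with keys 'field' (server variable name), 'regexpression'
 *   (URL-encoded pattern body), 'role' (serialized array of role ids) and
 *   'sticky'.
 *
 * @return int|null
 *   1 if a sticky rule changed the profile, 0 if not, NULL if a matching rule
 *   has no roles configured.
 */
function shib_auth_process_rule($rule) {
  global $user;

  // Stays 0 unless a sticky rule grants a role.
  $profile_changed = 0;
  $fieldname = $rule['field'];

  // The stored pattern body is wrapped in '/' delimiters verbatim, so a rule
  // whose expression contains an unescaped '/' is an invalid regex rather than
  // a literal slash. That case is reported below instead of failing silently.
  $expression = '/' . urldecode($rule['regexpression']) . '/';

  // Read the server field once rather than once per check.
  $field_value = shib_auth_getenv($fieldname);
  if (!$field_value) {
    return $profile_changed;
  }

  foreach (explode(';', $field_value) as $value) {
    $matched = preg_match($expression, trim($value));
    if ($matched === FALSE) {
      // An invalid pattern can never match, so retrying it for the remaining
      // values only repeats the PHP warning; log the misconfigured rule once.
      watchdog('shib_auth', 'Invalid regular expression in role assignment rule for server field "@field".', array(
        '@field' => $fieldname,
      ), WATCHDOG_ERROR);
      break;
    }
    if (!$matched) {
      continue;
    }

    // The role list is stored serialized with the rule. unserialize() is only
    // acceptable here because the value comes from the module's own rule
    // storage, never from request data; anything that is not an array is
    // treated as "no roles" instead of being iterated.
    $roles = unserialize($rule['role']);
    if (empty($roles) || !is_array($roles)) {
      return NULL;
    }

    foreach ($roles as $role_id) {
      // Zero is not allowed as a role_id.
      if (!$role_id) {
        continue;
      }
      $role_name = shib_auth_get_rolename($role_id);

      // NOP if the user already has the given role.
      if (!empty($user->roles[$role_id]) && $user->roles[$role_id] == $role_name) {
        continue;
      }
      $user->roles[$role_id] = $role_name;

      // Grants are logged unless the session has already been marked as
      // logged; sticky rules additionally change the profile.
      if ($rule['sticky']) {
        $profile_changed = 1;
        if (!isset($_SESSION['shib_auth_rolelog'])) {
          watchdog('shib_grant_stick', 'Role "@id" has been permanently granted', array(
            '@id' => $role_name,
          ), WATCHDOG_NOTICE);
        }
      }
      elseif (!isset($_SESSION['shib_auth_rolelog'])) {
        watchdog('shib_grant_role', 'Role "@id" has been granted', array(
          '@id' => $role_name,
        ), WATCHDOG_NOTICE);
      }
    }
  }

  return $profile_changed;
}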