
function simplesaml_auth_moderate_local_login in simpleSAMLphp Authentication 7.3

Denies non-SAML-authenticated access to the site for configured Drupal roles.

1 call to simplesaml_auth_moderate_local_login()
simplesamlphp_auth_loginpage in ./simplesamlphp_auth.pages.inc
Returns markup for SimpleSAMLphp login page.

File

./simplesamlphp_auth.inc, line 232
Contains non-hook implementations.

Code

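/**
 * Denies non-SAML-authenticated access to the site for configured Drupal roles.
 *
 * Evaluates the current Drupal session against the module's "allow default
 * login" settings. A session authenticated through simpleSAML is never touched.
 * For a local (non-SAML) session the outcome is:
 *   - local login globally disabled: the Drupal session is destroyed;
 *   - local login allowed and a uid list or role list is configured: the
 *     session is destroyed unless the user's uid is listed or one of the
 *     user's roles is listed; the rejection is also written to the watchdog;
 *   - local login allowed and no list is configured: nothing happens.
 *
 * Reads the globals $user (current Drupal account) and $_simplesamlphp_auth_as
 * (the simpleSAML authentication source).
 *
 * The uid list is parsed strictly: every comma-separated entry is trimmed and
 * only all-digit entries are kept, and the current uid is then compared as an
 * integer with a strict in_array(). A non-empty but malformed list still
 * activates the restriction, so a typo in the setting fails closed instead of
 * granting local login to everyone.
 */
function simplesaml_auth_moderate_local_login() {
  global $user;
  global $_simplesamlphp_auth_as;

  // Only local (non-SAML) sessions are moderated; both configuration branches
  // below apply exclusively to users NOT authenticated via simpleSAML.
  if ($_simplesamlphp_auth_as->isAuthenticated()) {
    return;
  }

  // If we forbid users from logging in using local accounts.
  if (!variable_get('simplesamlphp_auth_allowdefaultlogin', TRUE)) {
    // FYI: Until Drupal issue #754560 is corrected this message will never be
    // seen by the user.
    drupal_set_message(t("We are sorry, users are not permitted to log in using local accounts."));

    // Destroy the user's session (log out).
    _simplesamlphp_auth_destroy_drupal_session();
    return;
  }

  // See if we limit this privilege to specified users.
  $str_users_allowed_local = variable_get('simplesamlphp_auth_allowdefaultloginusers', '');

  // See if we limit this privilege to specified roles.
  $array_roles_allowed_local = variable_get('simplesamlphp_auth_allowdefaultloginroles', array());

  // With neither a uid list nor a role list configured, everyone may use a
  // local account. A non-empty uid string activates the restriction even if
  // none of its entries parse below, so a malformed setting fails closed.
  if (!drupal_strlen($str_users_allowed_local) && !$array_roles_allowed_local) {
    return;
  }

  // Convert the string into a list of integer uids. Each entry is trimmed and
  // anything that is not purely digits is dropped, so a stray token can never
  // match the current uid through loose comparison.
  $array_users_allowed_local = array();
  foreach (explode(',', $str_users_allowed_local) as $uid_entry) {
    $uid_entry = trim($uid_entry);
    if ($uid_entry !== '' && preg_match('/^[0-9]+$/', $uid_entry)) {
      $array_users_allowed_local[] = (int) $uid_entry;
    }
  }

  // Log the user out of Drupal if:
  // 1) the current user's uid is NOT in the list of allowed uids, and
  // 2) none of their roles is an allowed mixed-mode role.
  $uid_allowed = in_array((int) $user->uid, $array_users_allowed_local, TRUE);
  $match_roles = array_intersect(array_keys($user->roles), $array_roles_allowed_local);
  if (!$uid_allowed && count($match_roles) == 0) {
    // User is logged into Drupal, but may not be logged into simpleSAML. If
    // this is the case we're supposed to log the user out of Drupal.
    // FYI: Until Drupal issue #754560 is corrected this message will never be
    // seen by the user.
    drupal_set_message(t("We are sorry, you are not permitted to log in using a local account."));

    // The least we can do is write something to the watchdog so someone will
    // know what's happening.
    watchdog('simplesamlphp_auth', 'User %name not authorized to log in using local account.', array(
      '%name' => $user->name,
    ));
    _simplesamlphp_auth_destroy_drupal_session();
  }
}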