function simplesaml_auth_moderate_local_login in simpleSAMLphp Authentication 7.3
Denies non-SAML-authenticated access to the site for configured Drupal roles.
1 call to simplesaml_auth_moderate_local_login()
- simplesamlphp_auth_loginpage in ./simplesamlphp_auth.pages.inc - Returns markup for SimpleSAMLphp login page.
File
- ./simplesamlphp_auth.inc, line 232 - Contains non-hook implementations.
Code
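/**
 * Denies non-SAML-authenticated access to the site for configured Drupal roles.
 *
 * Does nothing when the global SimpleSAMLphp auth object reports an
 * authenticated session. Otherwise:
 * - if 'simplesamlphp_auth_allowdefaultlogin' is off, the Drupal session is
 *   destroyed;
 * - if it is on and an allowlist of user IDs
 *   ('simplesamlphp_auth_allowdefaultloginusers', comma-separated) and/or of
 *   roles ('simplesamlphp_auth_allowdefaultloginroles') is configured, the
 *   session is destroyed unless the current user's uid, or one of the keys of
 *   $user->roles, is on the respective list;
 * - if it is on and neither list is configured, nothing is restricted.
 *
 * Reads the globals $user and $_simplesamlphp_auth_as. Returns nothing.
 */
function simplesaml_auth_moderate_local_login() {
  global $user;
  global $_simplesamlphp_auth_as;

  $local_login_allowed = variable_get('simplesamlphp_auth_allowdefaultlogin', TRUE);

  // A session that simpleSAML has authenticated is never restricted here.
  if ($_simplesamlphp_auth_as->isAuthenticated()) {
    return;
  }

  // Local accounts are forbidden altogether.
  if (!$local_login_allowed) {
    // FYI: Until Drupal issue #754560 is corrected this message will never be
    // seen by the user.
    drupal_set_message(t("We are sorry, users are not permitted to log in using local accounts."));
    // Destroy the user's session (log out).
    _simplesamlphp_auth_destroy_drupal_session();
    return;
  }

  // See if we limit this privilege to specified users.
  $str_users_allowed_local = variable_get('simplesamlphp_auth_allowdefaultloginusers', '');
  // See if we limit this privilege to specified roles.
  $array_roles_allowed_local = variable_get('simplesamlphp_auth_allowdefaultloginroles', array());

  // With no allowlist configured, local login is open to everyone.
  if (!drupal_strlen($str_users_allowed_local) && !$array_roles_allowed_local) {
    return;
  }

  // Keep only entries that are plain decimal uids, with surrounding whitespace
  // and leading zeros stripped. Entries are compared as strings below. A loose
  // in_array() on the raw pieces is unsafe: on PHP < 8 an integer uid of 0
  // equals '' and any non-numeric string, and entries with trailing whitespace
  // match on some PHP versions only.
  // From here on the restriction is always enforced: a user list without a
  // single valid uid matches nobody (fails closed) rather than disabling the
  // check.
  $array_users_allowed_local = array();
  foreach (explode(',', $str_users_allowed_local) as $entry) {
    $entry = trim($entry);
    if (preg_match('/^[0-9]+\z/', $entry)) {
      $entry = ltrim($entry, '0');
      $array_users_allowed_local[] = ($entry === '') ? '0' : $entry;
    }
  }

  // Log the user out of Drupal if:
  // 1) the current user's uid is NOT in the list of allowed uids
  // 2) and none of their roles is an allowed mixed mode role.
  $match_roles = array_intersect(array_keys($user->roles), $array_roles_allowed_local);
  $uid_allowed = in_array((string) $user->uid, $array_users_allowed_local, TRUE);
  if (!$uid_allowed && count($match_roles) == 0) {
    // User is logged into Drupal, but may not be logged into simpleSAML. If
    // this is the case we're supposed to log the user out of Drupal.
    // FYI: Until Drupal issue #754560 is corrected this message will never be
    // seen by the user.
    drupal_set_message(t("We are sorry, you are not permitted to log in using a local account."));
    // The least we can do is write something to the watchdog so someone will
    // know what's happening. The user name goes in as a %-placeholder, so it
    // is escaped when the log entry is rendered.
    watchdog('simplesamlphp_auth', 'User %name not authorized to log in using local account.', array(
      '%name' => $user->name,
    ));
    _simplesamlphp_auth_destroy_drupal_session();
  }
}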