author | Simon Rettberg | 2022-11-22 17:11:38 +0100 |
committer | Simon Rettberg | 2022-11-22 17:11:38 +0100 |
commit | 6e5647f25e26c2a31d7b4cf0ee6924a2db4916c5 (patch) | |
tree | 7f655584ec5f569ea565c4622eadd2f2eda46b87 | |
parent | api: Refactor supplying satellite list to user (diff) | |
user/api: Handle IdPs that supply multiple persistent-ids
To be backwards compat with the old way, in case we already have
concatenated persistent-ids in our DB, just try all persistent-ids
supplied, plus the unparsed concatenated one.
-rw-r--r-- | inc/user.inc.php | 16 | ||||
-rw-r--r-- | shib/api.php | 11 |
2 files changed, 21 insertions, 6 deletions
diff --git a/inc/user.inc.php b/inc/user.inc.php
index a5a8e3c..539b6f8 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -159,7 +159,8 @@ class User
 return false;
 }
 // Try user from local DB
- self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
+ self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email
+ FROM user WHERE userid = :uid LIMIT 1', ['uid' => Session::getUid()]);
 self::$isInDb = self::$user !== false;
 if (!self::$isInDb) {
 Session::delete();
@@ -187,10 +188,16 @@ class User
 $_SERVER['givenName'] = '';
 if (!isset($_SERVER['mail']))
 $_SERVER['mail'] = '';
- $shibId = md5($_SERVER['persistent-id']);
+ $shibId = [];
+ if (strpos($_SERVER['persistent-id'], ';') !== false) {
+ foreach (explode(';', $_SERVER['persistent-id']) as $s) {
+ $shibId[] = md5($s);
+ }
+ }
+ $shibId[] = md5($_SERVER['persistent-id']);
 self::$user = array(
 'userid' => NULL,
- 'shibid' => $shibId,
+ 'shibid' => $shibId[0],
 'firstname' => $_SERVER['givenName'],
 'lastname' => $_SERVER[CONFIG_SURNAME],
 'email' => $_SERVER['mail'],
@@ -212,7 +219,8 @@ class User
 self::$user['organization'] = $out[1];
 }
 // Get matching db entry if any
- $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
+ $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user
+ WHERE shibid IN (:shibid) LIMIT 1', ['shibid' => $shibId]);
 if ($user === false) {
 // No match in database, user is not signed up
 return true;
diff --git a/shib/api.php b/shib/api.php
index 38b2d7a..0c32f9a 100644
--- a/shib/api.php
+++ b/shib/api.php
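Review bot: The loop building `$shibId` in the second hunk hashes every `explode(';', …)` component including empty ones, so a leading, trailing or doubled `;` in `persistent-id` puts `md5('')` into the list that the third hunk later passes to `shibid IN (:shibid)`; shib/api.php in this same commit skips blank components, so the two entry points can resolve the same assertion differently. Suggest `if ($s === '') continue;` as the first statement of the loop. The two files also order the list differently — here the hash of the whole unparsed value is appended last and `$shibId[0]` (the first component when a `;` is present) becomes the in-memory `'shibid'`, while shib/api.php puts the unparsed hash first — so a one-line comment stating which form is meant to be stored for newly signed-up users would help the next reader. The enclosing method starts and ends outside the hunk.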
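Review bot: `shibid IN (:shibid) LIMIT 1` in the third hunk has no ORDER BY, so when the list matches more than one row (an old row keyed by the concatenated hash and a newer one keyed by a single persistent-id, for example) the row that becomes the logged-in user is whichever the database happens to return first; the `user.shibid IN (:shibid) LIMIT 1` query in shib/api.php has the same issue. Because this decides which account a login resolves to, either add a deterministic ORDER BY or fetch all matches and treat more than one as an error instead of picking silently. The query also relies on `Database::queryFirst` expanding an array bound to `:shibid` into a placeholder list; that helper is outside this diff, so it is worth confirming, since binding the array as a scalar would make the lookup match nothing. The enclosing method starts and ends outside the hunk.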
@@ -47,11 +47,18 @@ if (empty($_SERVER['persistent-id'])) {
 file_put_contents('/tmp/shib-nopid-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
 } else {
 // Query database for user
- $shibId = md5($_SERVER['persistent-id']);
+ $shibId = [ md5($_SERVER['persistent-id']) ];
+ if (strpos($_SERVER['persistent-id'], ';') !== false) {
+ foreach (explode(';', $_SERVER['persistent-id']) as $s) {
+ if (empty($s))
+ continue;
+ $shibId[] = md5($s);
+ }
+ }
 $user = Database::queryFirst("SELECT user.userid, user.organizationid, user.firstname, user.lastname, user.email "
 . " FROM user "
 . " INNER JOIN organization USING (organizationid) "
- . " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
+ . " WHERE user.shibid IN (:shibid) LIMIT 1", array('shibid' => $shibId));
 // Figure out role
 if (strpos(";{$_SERVER['entitlement']};", CONFIG_ENTITLEMENT) !== false) {
 $role = 'TUTOR'; |
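Review bot: `if (empty($s)) continue;` in the added loop treats a component equal to the string `'0'` as blank and drops it, which is broader than the empty-piece case the check is guarding against; `if ($s === '') continue;` skips only genuinely empty pieces. As a point of style, this hunk keeps `array('shibid' => $shibId)` and writes `[ md5(...) ]` with inner spaces, whereas the inc/user.inc.php hunks in the same commit moved to plain `[...]`; aligning the two keeps the near-duplicate lookup code readable side by side. The surrounding `if`/`else` starts and ends outside the hunk.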