authorSimon Rettberg2016-10-19 10:46:20 +0200
committerSimon Rettberg2016-10-19 10:46:20 +0200
commitdb0225db8ff4993e4c91024a42b002ba3c813564 (patch)
treea1403db34ea79112f9ce5af3c376fc1a699e108c
parentFix session handling, support staff-affiliation as being detected as tutor (diff)
Handle missing meta data from IdP when logging in via api
-rw-r--r--inc/user.inc.php3
-rw-r--r--modules/register.inc.php11
-rw-r--r--shib/api.php67
3 files changed, 64 insertions, 17 deletions
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 16ec77d..70a6cdb 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -200,7 +200,8 @@ class User
);
// Figure out whether the user should be considered a tutor
if (isset($_SERVER['affiliation']) && (strpos(";{$_SERVER['affiliation']}", ';employee@') !== false
- || strpos(";{$_SERVER['affiliation']}", ';staff@') !== false))
+ || strpos(";{$_SERVER['affiliation']}", ';staff@') !== false
+ || strpos(";{$_SERVER['affiliation']}", ';faculty@') !== false))
self::$user['role'] = 'TUTOR';
elseif (isset($_SERVER['entitlement']) && strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false)
self::$user['role'] = 'TUTOR';
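Review bot: The affiliation list (`employee@`, `staff@`, `faculty@`) is now maintained by hand in two places — here and in shib/api.php in this same commit — so the next addition will have to be remembered twice; a shared `User::affiliationGrantsTutor(string $affiliation): bool` helper called from both would keep them in step. Within this hunk the three `strpos` calls could collapse to one anchored pattern, `preg_match('/(^|;)(employee|staff|faculty)@/', $_SERVER['affiliation'])`, which also makes it explicit that only the prefix before `@` is tested and any scope after it is accepted. The enclosing method starts above the hunk.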
diff --git a/modules/register.inc.php b/modules/register.inc.php
index f9a6ef5..c5c5cae 100644
--- a/modules/register.inc.php
+++ b/modules/register.inc.php
@@ -48,8 +48,15 @@ class Page_Register extends Page
}
if (Request::post('agb') === 'on') {
- // Put stuff in DB
- if (User::deploy(Request::post('share') !== 'on', Request::post('testlogin'))) {
+ // Check if everything's there
+ if (!User::isTutor()) {
+ Message::addError('Sie sind weder Mitglied einer Gruppe, die als Zugriffsberechtigt eingestuft wird, noch tragen Sie das bwLehrpool-Entitlement. Bitte kontaktieren Sie Ihren lokalen bwLehrpool-Support.');
+ } elseif (empty(User::getMail())) {
+ Message::addError('Ihr Identity Provider hat keine E-Mail-Adresse zu Ihrem Account geliefert. Registrierung nicht möglich.');
+ } elseif (!User::hasFullName()) {
+ Message::addError('Ihr Identity Provider hat keinen Namen zu Ihrem Account geliefert. Registrierung nicht möglich.');
+ // Put stuff in DB
+ } elseif (User::deploy(Request::post('share') !== 'on', Request::post('testlogin'))) {
Message::addSuccess('Ihr Konto wurde freigeschaltet');
} else {
Message::addError('Fehler beim Zusammenführen mit Ihrem Test-Account. Bitte wenden Sie sich an den Support.');
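Review bot: `User::isTutor()` and `User::hasFullName()` are called by the new guards but neither is added by this commit's inc/user.inc.php hunk, so they must already exist there — worth confirming, since an undefined static method would turn a registration attempt into a fatal error. The `// Put stuff in DB` comment now sits between the `hasFullName` error branch and the next `elseif`, where it reads as belonging to the error message above it; moving it onto the `elseif (User::deploy(...))` line, e.g. `} elseif (User::deploy(Request::post('share') !== 'on', Request::post('testlogin'))) { // Put stuff in DB`, keeps it with the code it describes. The enclosing method continues outside the hunk.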
diff --git a/shib/api.php b/shib/api.php
index 0910c3d..54ebd55 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -35,10 +35,47 @@ if (empty($_SERVER['persistent-id'])) {
. " FROM user "
. " INNER JOIN organization USING (organizationid) "
. " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
+ // Figure out role
+ if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
+ $role = 'TUTOR';
+ } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false
+ || strpos(";{$_SERVER['affiliation']};", ';staff@') !== false
+ || strpos(";{$_SERVER['affiliation']};", ';faculty@') !== false) {
+ $role = 'TUTOR';
+ } else {
+ @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
+ $role = 'STUDENT';
+ }
if ($user === false) {
// Not found, so we don't know which satellite to use
- // TODO: Support STUDENT mode
- $response['status'] = 'unregistered';
+ if ($role === 'STUDENT') {
+ $response['status'] = 'ok';
+ if (isset($_SERVER['givenName'])) {
+ $response['firstName'] = $_SERVER['givenName'];
+ }
+ if (isset($_SERVER['sn'])) {
+ $response['lastName'] = $_SERVER['sn'];
+ }
+ if (isset($_SERVER['mail'])) {
+ $response['mail'] = $_SERVER['mail'];
+ }
+ $response['userId'] = $shibId;
+ preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out);
+ $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
+ 'suffix' => $out[2]
+ ));
+ if ($out !== false) {
+ $response['organizationId'] = $out['organizationid'];
+ }
+ // This one we send to the running master server handler
+ $rpc = $response;
+ $rpc['role'] = $role;
+ // This one we only send to the user
+ $response['satellites'] = $sat1;
+ $response['satellites2'] = $sat2;
+ } else {
+ $response['status'] = 'unregistered';
+ }
$response['id'] = $shibId;
$response['url'] = 'https://bwlp-masterserver.ruf.uni-freiburg.de/webif/';
} else {
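Review bot: `$_SERVER['affiliation']` and `$_SERVER['entitlement']` are read at the top of the hunk and again in the `preg_match` without an `isset` guard, so an IdP that omits them — the case the commit title is about — still produces undefined-index notices, and when the match fails `$out` is empty and `$out[2]` feeds a null suffix into the `organization_suffix` query; reading `$affiliation = isset($_SERVER['affiliation']) ? $_SERVER['affiliation'] : '';` once and wrapping the lookup in `if (preg_match('/(^|;)[^@]+@([^;]+)/', $affiliation, $out)) {` would cover both. In the same unregistered-STUDENT branch `$response['satellites'] = $sat1;` and `$sat2` are assigned, but the satellite query that fills them sits in the `else` branch for registered users further down, so unless both are initialised above the hunk they are undefined here. The `@file_put_contents('/tmp/shib-…', print_r($_SERVER, true))` is relocated rather than new, but it writes every IdP attribute of the user (name, mail, persistent-id) to a world-readable path on every non-tutor login; if the dump is still needed for debugging it should go to a restricted log location, otherwise drop it. The enclosing `if ($user === false)` block closes inside the hunk, but the surrounding request handling starts above it.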
@@ -59,16 +96,6 @@ if (empty($_SERVER['persistent-id'])) {
$response['status'] = 'anonymous';
} else {
// Seems ok!
- // Figure out role
- if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
- $role = 'TUTOR';
- } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false
- || strpos(";{$_SERVER['affiliation']};", ';staff@') !== false) {
- $role = 'TUTOR';
- } else {
- @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
- $role = 'STUDENT';
- }
// Determine satellite(s)
$res = Database::simpleQuery("SELECT satellitename, addresses, certsha256 FROM satellite"
. " WHERE organizationid = :organizationid AND userid IS NULL", array('organizationid' => $user['organizationid']));
@@ -98,16 +125,28 @@ if (empty($_SERVER['persistent-id'])) {
// This one we only send to the user
$response['satellites'] = $sat1;
$response['satellites2'] = $sat2;
+ }
+ }
+}
+
+if (isset($rpc)) {
$reply = RPC::submit($rpc);
if (preg_match('/^TOKEN:(\w+) SESSIONID:(\w+)$/', $reply, $out)) {
$response['token'] = $out[1];
$response['sessionId'] = $out[2];
} else {
+ if (empty($rpc['mail'])) {
+ $reply .= ' (No email given)';
+ }
+ if (empty($rpc['firstName'])) {
+ $reply .= ' (No first name given)';
+ }
+ if (empty($rpc['lastName'])) {
+ $reply .= ' (No last name given)';
+ }
$response['error'] = $reply;
$response['status'] = 'error';
}
- }
- }
}
Header('Content-Type: text/plain; charset=utf-8');