[deploy] Improve account merging

* Make matching of name and email case insensitive
* Add config option to allow/disallow merging with existing shib-account

2 files changed, 21 insertions, 12 deletions

diff --git a/modules/main.inc.php b/modules/main.inc.php
index 6119814..95d72c1 100644
--- a/modules/main.inc.php
+++ b/modules/main.inc.php
@@ -35,6 +35,8 @@ class Page_Main extends Page
 			return;
 		}
 		if (!User::isTutor()) {
+			Message::addError('Sie sind kein Mitarbeiter der Einrichtung "' . User::getOrganization()
+				. '" und können daher die ' . CONFIG_SUITE . '-Suite nicht nutzen.');
 			return;
 		}
 		// User is not in DB, so he might want so sign up for the service - see if conditions are met
@@ -63,22 +65,25 @@ class Page_Main extends Page
 		$data = User::getData();
 		$data['organization'] = User::getOrganizationName();
 		// Show testacc merge form if organization has test accounts
-		$res = Database::queryFirst('SELECT Count(*) as cnt FROM user WHERE organizationid = :oid AND Length(password) <> 0', array(
-			'oid' => User::getOrganizationId()
-		));
 		$mail = trim(User::getMail());
-		if (!empty($mail)) {
+		$fn = User::getFirstName();
+		$ln = User::getLastName();
+		if (!empty($mail) && (!empty($fn) || !empty($ln))) {
+			$extra = '';
+			if (!CONFIG_ALLOW_SHIB_MERGE) {
+				$extra = ' AND password IS NOT NULL AND Length(password) <> 0 ';
+			}
 			$existing = Database::queryFirst('SELECT userid FROM user
-				WHERE email = :email AND lastname = :ln AND firstname = :fn LIMIT 1', array(
+				WHERE email = :email AND lastname = :ln AND firstname = :fn AND organizationid = :org ' . $extra . ' LIMIT 1', array(
 				'email' => $mail,
-				'fn' => User::getFirstName(),
-				'ln' => User::getLastName(),
+				'fn' => $fn,
+				'ln' => $ln,
+				'org' => User::getOrganizationId(),
 			));
 			if ($existing !== false) {
 				$data['testlogin'] = $existing['userid'];
 			}
 		}
-		$data['testacc'] =  ($res !== false && $res['cnt'] > 0) || !empty($existing);
 		$data['suite'] = CONFIG_SUITE;
 		$data['idm'] = CONFIG_IDM;
 		Render::addTemplate('main/deploy', $data);
diff --git a/modules/register.inc.php b/modules/register.inc.php
index aa2b94c..f55e900 100644
--- a/modules/register.inc.php
+++ b/modules/register.inc.php
@@ -30,7 +30,7 @@ class Page_Register extends Page
 		}
 		if ($testLogin !== false) {
 			// Check if one of firstname, lastname or email matches
-			$user = Database::queryFirst('SELECT firstname, lastname, email, organizationid FROM user WHERE userid = :login LIMIT 1',
+			$user = Database::queryFirst('SELECT firstname, lastname, email, password, organizationid FROM user WHERE userid = :login LIMIT 1',
 					array('login' => $testLogin));
 			if ($user === false || User::getOrganizationId() !== $user['organizationid']) {
 				// Invalid Login
@@ -38,9 +38,13 @@ class Page_Register extends Page
 					. ' Bitte wenden Sie sich an den {{1}}-Support, wenn dieser Test-Account Ihnen gehört.', $testLogin, CONFIG_SUITE);
 				Util::redirect('?do=Main');
 			}
-			if (User::getLastName() !== $user['lastname']
-				|| User::getFirstName() !== $user['firstname']
-				|| User::getMail() !== $user['email']) {
+			if (empty($user['password']) && !CONFIG_ALLOW_SHIB_MERGE) {
+				Message::addError('Verknüpfung mit altem Shibboleth-basiertem Account nicht erlaubt');
+				Util::redirect('?do=Main');
+			}
+			if (strcasecmp(User::getLastName(), $user['lastname']) !== 0
+				|| strcasecmp(User::getFirstName(), $user['firstname']) !== 0
+				|| strcasecmp(User::getMail(), $user['email']) !== 0) {
 				// No match by personal information
 				Message::addError('Ihre Metadaten stimmen nicht mit dem Test-Account {{0}} überein. '
 					. ' Bitte wenden Sie sich an den {{1}}-Support, wenn dieser Test-Account Ihnen gehört.', $testLogin, CONFIG_SUITE);