-rw-r--r--inc/session.inc.php12
-rw-r--r--inc/user.inc.php23
-rw-r--r--modules/main.inc.php7
-rw-r--r--modules/register.inc.php6
-rw-r--r--shib/api.php7
5 files changed, 41 insertions, 14 deletions
diff --git a/inc/session.inc.php b/inc/session.inc.php
index 891a465..93c33e5 100644
--- a/inc/session.inc.php
+++ b/inc/session.inc.php
@@ -9,7 +9,8 @@ class Session
private static function generateSessionId()
{
- if (self::$sid !== false) Util::traceError('Error: Asked to generate session id when already set.');
+ if (self::$sid !== false)
+ Util::traceError('Error: Asked to generate session id when already set.');
self::$sid = sha1(
mt_rand(0, 65535)
. $_SERVER['REMOTE_ADDR']
@@ -47,9 +48,9 @@ class Session
public static function setUid($value)
{
- if (!is_numeric($value) || $value < 1)
+ if (strlen($value) < 5)
Util::traceError('Invalid user id: ' . $value);
- self::set('uid', (int)$value);
+ self::set('uid', $value);
}
public static function get($key)
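Review bot: The replacement check on the second added line, `if (strlen($value) < 5)`, accepts any value of five or more bytes and, under PHP 8, throws a TypeError for an array (and emits a deprecation for null) before the guard can reject it, so the type should be checked first: `if (!is_string($value) || strlen($value) < 5)`. The minimum of 5 is unexplained; a comment such as `// minimum length of a valid userid; shorter values indicate a caller bug` (assuming that is the rationale) would help the next reader. The rejected value is also echoed back through Util::traceError, and whether that output reaches the browser is not visible here.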
@@ -72,7 +73,7 @@ class Session
private static function loadSessionId()
{
if (self::$sid !== false)
- die('Error: Asked to load session id when already set.');
+ Util::traceError('Error: Asked to load session id when already set.');
if (empty($_COOKIE['sid']))
return false;
$id = preg_replace('/[^a-zA-Z0-9]/', '', $_COOKIE['sid']);
@@ -112,8 +113,9 @@ class Session
if (self::$sid === false || self::$data !== false)
Util::traceError('Tried to readSessionData on an active session!');
$data = Database::queryFirst('SELECT dateline, data FROM websession WHERE sid = :sid LIMIT 1', array('sid' => self::$sid));
- if ($data === false)
+ if ($data === false) {
return false;
+ }
if ($data['dateline'] + CONFIG_SESSION_TIMEOUT < time()) {
self::delete();
return false;
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 28a1fd5..16ec77d 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -81,7 +81,7 @@ class User
public static function isTutor()
{
- return isset(self::$user['role']) && self::$user['role'] === 'tutor';
+ return isset(self::$user['role']) && self::$user['role'] === 'TUTOR';
}
public static function isAdmin()
@@ -158,18 +158,30 @@ class User
. ' aber der IdP Ihrer Einrichtung scheint die benötigten Metadaten nicht'
. ' an den bwLehrpool-SP zu übermitteln. Bitte wenden Sie sich an den Support.');
}
+ Session::delete();
return false;
}
// Try user from local DB
self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
self::$isInDb = self::$user !== false;
+ if (!self::$isInDb) {
+ Session::delete();
+ }
return self::$isInDb;
}
// Try bwIDM etc.
if (!$hasSession) {
+ // Make sure cookies are enabled
+ if (!empty($_SERVER['Shib-Session-ID'])) {
+ if (isset($_GET['force-cookie']))
+ die('Bitte aktivieren Sie Cookies und Javascript!');
+
+ }
Session::create();
Session::set('token', md5(mt_rand() . $_SERVER['REMOTE_ADDR'] . microtime(true) . $_SERVER['persistent-id'] . mt_rand()));
Session::save();
+ if (!empty($_SERVER['Shib-Session-ID']))
+ Util::redirect('?do=Main&force-cookie=true.dat');
}
self::$isShib = true;
if (!isset($_SERVER['sn']))
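Review bot: The cookie probe tests `!empty($_SERVER['Shib-Session-ID'])` twice, once before Session::create() and once after Session::save(), and nests a second `if` that ends in a stray blank line; computing it once, `$shibActive = !empty($_SERVER['Shib-Session-ID']);`, and using it at both sites would read cleaner. The `die()` text also claims Javascript is required although nothing in this hunk tests for it. The redirect after Session::save() relies on Util::redirect() terminating the request; if it does not, execution falls through to the Shibboleth attribute handling below with a session the client may never receive. The enclosing method starts before this hunk and its body continues after it.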
@@ -187,10 +199,13 @@ class User
'email' => $_SERVER['mail'],
);
// Figure out whether the user should be considered a tutor
- if (isset($_SERVER['affiliation']) && preg_match('/(^|;)employee@/', $_SERVER['affiliation']))
- self::$user['role'] = 'tutor';
+ if (isset($_SERVER['affiliation']) && (strpos(";{$_SERVER['affiliation']}", ';employee@') !== false
+ || strpos(";{$_SERVER['affiliation']}", ';staff@') !== false))
+ self::$user['role'] = 'TUTOR';
elseif (isset($_SERVER['entitlement']) && strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false)
- self::$user['role'] = 'tutor';
+ self::$user['role'] = 'TUTOR';
+ else
+ self::$user['role'] = 'STUDENT';
// Try to figure out organization
if (isset($_SERVER['affiliation']) && preg_match('/@([a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out))
self::$user['organization'] = $out[1];
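Review bot: The role decision on the added lines now exists in two files with different quoting and precedence: here the affiliation is wrapped as `";{$_SERVER['affiliation']}"` with no trailing `;` and is tested before the entitlement, while shib/api.php in this same commit wraps it as `";…;"` and tests the entitlement first. Both happen to yield TUTOR either way, but the next change (like this commit's `staff@` addition) has to be made twice to stay in sync. Consider a single shared helper, e.g. `User::roleFromAttributes(?string $affiliation, ?string $entitlement): string`, called from both places, and class constants for the `'TUTOR'`/`'STUDENT'` literals so isTutor() and the callers compare against one definition.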
diff --git a/modules/main.inc.php b/modules/main.inc.php
index 2581a59..8873b12 100644
--- a/modules/main.inc.php
+++ b/modules/main.inc.php
@@ -34,6 +34,9 @@ class Page_Main extends Page
$this->renderShibbolethRegistered();
return;
}
+ if (!User::isTutor()) {
+ return;
+ }
// User is not in DB, so he might want so sign up for the service - see if conditions are met
if (User::getOrganization() !== false) {
// Organization is known, show signup form
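Review bot: The added `if (!User::isTutor()) return;` sends students away with no message and, as far as this hunk shows, nothing rendered, while the comment on the following line still describes the signup check as if the gate were not there. Unless the caller renders a default page (not visible here), give the user a reason before returning, e.g. `Message::addError('Die Registrierung ist nur für Mitarbeiter möglich.');` followed by the `return`, and move the comment about signup conditions above the gate so it reads in order. The enclosing method begins before this hunk.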
@@ -67,11 +70,11 @@ class Page_Main extends Page
$data['testacc'] = true;
$mail = trim(User::getMail());
if (!empty($mail)) {
- $existing = Database::queryFirst('SELECT login FROM user WHERE email = :email LIMIT 1', array(
+ $existing = Database::queryFirst('SELECT userid FROM user WHERE email = :email LIMIT 1', array(
'email' => $mail
));
if ($existing !== false) {
- $data['testlogin'] = $existing['login'];
+ $data['testlogin'] = $existing['userid'];
}
}
}
diff --git a/modules/register.inc.php b/modules/register.inc.php
index d24d304..f9a6ef5 100644
--- a/modules/register.inc.php
+++ b/modules/register.inc.php
@@ -12,6 +12,10 @@ class Page_Register extends Page
}
if (!User::isShibbolethAuth())
Util::redirect(CONFIG_PREFIX . 'shib/?do=Main');
+
+ if (!User::isTutor()) {
+ return;
+ }
if (User::getOrganization() === false) {
Message::addError('Ihre Einrichtung {{0}} scheint kein bwIDM zu unterstützen. Bitte wenden Sie sich an den Support.',
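Review bot: The new `if (!User::isTutor()) return;` exits silently, whereas the line above it redirects non-Shibboleth users and the line below reports a missing organization through Message::addError; the non-tutor case should be handled in the same style, e.g. `Message::addError('Die Registrierung ist nur für Mitarbeiter möglich.'); Util::redirect(CONFIG_PREFIX . 'shib/?do=Main');`. Without that, a student who submits the form gets an empty response and cannot tell why. The enclosing method starts before this hunk.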
@@ -21,7 +25,7 @@ class Page_Register extends Page
if (Request::post('testlogin')) {
// Check if one of firstname, lastname or email matches
- $user = Database::queryFirst('SELECT firstname, lastname, email, organizationid FROM user WHERE login = :login LIMIT 1', array('login' => Request::post('testlogin')));
+ $user = Database::queryFirst('SELECT firstname, lastname, email, organizationid FROM user WHERE userid = :login LIMIT 1', array('login' => Request::post('testlogin')));
if ($user === false || User::getOrganizationId() !== $user['organizationid']) {
// Invalid Login
Message::addError('Test-Account {{0}} unbekannt. '
diff --git a/shib/api.php b/shib/api.php
index 6772e86..0910c3d 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -37,6 +37,7 @@ if (empty($_SERVER['persistent-id'])) {
. " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
if ($user === false) {
// Not found, so we don't know which satellite to use
+ // TODO: Support STUDENT mode
$response['status'] = 'unregistered';
$response['id'] = $shibId;
$response['url'] = 'https://bwlp-masterserver.ruf.uni-freiburg.de/webif/';
@@ -52,7 +53,7 @@ if (empty($_SERVER['persistent-id'])) {
if (empty($mail) && isset($_SERVER['mail']))
$mail = trim($_SERVER['mail']);
//
- $login = ( empty($user['userid']) ? $shibId : $user['userid'] );
+ $login = (empty($user['userid']) ? $shibId : $user['userid'] );
if (empty($firstName) || empty($lastName) || empty($login)) {
// This means the user did not provide personal information on signup, nor does the IdP send them
$response['status'] = 'anonymous';
@@ -61,9 +62,11 @@ if (empty($_SERVER['persistent-id'])) {
// Figure out role
if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
$role = 'TUTOR';
- } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false) {
+ } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false
+ || strpos(";{$_SERVER['affiliation']};", ';staff@') !== false) {
$role = 'TUTOR';
} else {
+ @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
$role = 'STUDENT';
}
// Determine satellite(s)
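Review bot: The added `@file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));` writes the entire request environment — the Shibboleth attributes visible in this file (persistent-id, mail, affiliation, entitlement) plus whatever other headers and cookies the web server exposes in $_SERVER — into the shared, unbounded /tmp directory on every STUDENT request, with errors suppressed. That is a personal-data leak and a disk-fill vector and should not ship; if attribute debugging is needed, gate it behind a configuration flag, write to a directory restricted to the web server user, and log only the attribute names the role decision depends on. Separately, the new `strpos(";{$_SERVER['affiliation']};", ';staff@')` line reads `$_SERVER['affiliation']` without an isset guard, so an IdP that sends no affiliation produces a warning here (the line it extends had the same gap).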