-rw-r--r-- | inc/image.inc.php | 8 | ||||
-rw-r--r-- | inc/user.inc.php | 34 | ||||
-rw-r--r-- | modules/adduser.inc.php | 6 | ||||
-rw-r--r-- | modules/logout.inc.php | 4 | ||||
-rw-r--r-- | modules/main.inc.php | 2 | ||||
-rw-r--r-- | shib/api.php | 39 | ||||
-rw-r--r-- | templates/main/guest.html | 2 |
7 files changed, 56 insertions, 39 deletions
diff --git a/inc/image.inc.php b/inc/image.inc.php
index 5b8f077..1bad04f 100644
--- a/inc/image.inc.php
+++ b/inc/image.inc.php
@@ -7,14 +7,14 @@ class Image
 {
 if ($userid === false || !is_numeric($userid))
 return false;
- return Database::exec('DELETE FROM image WHERE ownerid = :userid', array('userid' => $userid));
+ //return Database::exec('DELETE FROM image WHERE ownerid = :userid', array('userid' => $userid));
+ // TODO
 }
 
 public static function getImageCount($login)
 {
- $ret = Database::queryFirst('SELECT Count(*) AS cnt FROM image '
- . ' INNER JOIN user ON (image.ownerid = user.userid) '
- . ' WHERE user.login = :login', array('login' => $login));
+ $ret = Database::queryFirst('SELECT Count(*) AS cnt FROM imagebase '
+ . ' WHERE imagebase.ownerid = :userid', array('userid' => $login));
 if ($ret === false)
 return 0;
 return $ret['cnt'];
diff --git a/inc/user.inc.php b/inc/user.inc.php
index c09e936..28a1fd5 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -43,7 +43,7 @@ class User
 {
 if (!isset(self::$user['userid']))
 return false;
- return (int) self::$user['userid'];
+ return self::$user['userid'];
 }
 
 public static function getMail()
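Review bot: `deleteByUser` keeps the unchanged guard `if ($userid === false || !is_numeric($userid))`, but after this commit `userid` holds strings — the admin-chosen login written by adduser and the md5 shibid written by User's INSERT — and `User::getId()` (hunk at -43 of inc/user.inc.php) no longer casts to int, so the guard will now refuse almost every real id; something like `if ($userid === false || !is_string($userid) || $userid === '') return false;` is what the new key type needs. The body is also reduced to a commented-out query plus `// TODO`, so the function silently falls through returning null; until the imagebase delete is written it should `return false;` explicitly and the TODO should state that a deleted user's images are currently left orphaned, so a caller testing the result cannot mistake the no-op for success. `getImageCount` now binds its `$login` parameter to `:userid`, so renaming the parameter to `$userid` would keep the signature honest. The signature of `deleteByUser` starts outside the hunk.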
@@ -152,10 +152,16 @@ class User
 return true;
 $hasSession = Session::load();
 if (empty($_SERVER['persistent-id'])) {
- if (Session::getUid() === false)
+ if (Session::getUid() === false) {
+ if (!empty($_SERVER['Shib-Session-ID'])) {
+ Message::addError('Sie haben sich erfolgreich mittels bwIDM authentifiziert,'
+ . ' aber der IdP Ihrer Einrichtung scheint die benötigten Metadaten nicht'
+ . ' an den bwLehrpool-SP zu übermitteln. Bitte wenden Sie sich an den Support.');
+ }
 return false;
+ }
 // Try user from local DB
- self::$user = Database::queryFirst('SELECT userid, shibid, login, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
+ self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
 self::$isInDb = self::$user !== false;
 return self::$isInDb;
 }
@@ -174,9 +180,8 @@ class User
 $_SERVER['mail'] = '';
 $shibId = md5($_SERVER['persistent-id']);
 self::$user = array(
- 'userid' => 0,
+ 'userid' => NULL,
 'shibid' => $shibId,
- 'login' => NULL,
 'firstname' => $_SERVER['givenName'],
 'lastname' => $_SERVER['sn'],
 'email' => $_SERVER['mail'],
@@ -190,7 +195,7 @@ class User
 if (isset($_SERVER['affiliation']) && preg_match('/@([a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out))
 self::$user['organization'] = $out[1];
 // Get matching db entry if any
- $user = Database::queryFirst('SELECT userid, login, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
+ $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
 if ($user === false) {
 // No match in database, user is not signed up
 return true;
@@ -201,7 +206,6 @@ class User
 Session::save();
 }
 // Already signed up, see if we can fetch missing fields from DB
- self::$user['login'] = $user['login'];
 self::$isInDb = true;
 self::$isAnonymous = (empty($user['firstname']) && empty($user['lastname']));
 foreach (array('firstname', 'lastname', 'email') as $key) {
@@ -220,15 +224,15 @@ class User
 if (!empty($existingLogin)) {
 if ($anonymous) {
 $ret = Database::exec("UPDATE user SET shibid = :shibid, firstname = '', lastname = '', email = '', password = '' "
- . " WHERE login = :login LIMIT 1", array(
+ . " WHERE userid = :userid LIMIT 1", array(
 'shibid' => self::$user['shibid'],
- 'login' => $existingLogin
+ 'userid' => $existingLogin
 ));
 } else {
 $ret = Database::exec("UPDATE user SET shibid = :shibid, password = '', firstname = :firstname, lastname = :lastname, email = :email "
- . " WHERE login = :login LIMIT 1", array(
+ . " WHERE userid = :userid LIMIT 1", array(
 'shibid' => self::$user['shibid'],
- 'login' => $existingLogin,
+ 'userid' => $existingLogin,
 'firstname' => self::$user['firstname'],
 'lastname' => self::$user['lastname'],
 'email' => self::$user['email']
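Review bot: In the hunk at -220 `$existingLogin` is now bound to `:userid` in both UPDATE statements, so the variable name describes a column that no longer exists; renaming it to `$existingUserId` in the two array literals (`'userid' => $existingUserId`) and at its definition, which lies outside the hunk, would stop the next reader from looking for a login column. Both statements remain fully parameterised and now key on the primary key, which is the right shape for a password-clearing update; a short comment such as `// re-binding an existing local account to this shibid deliberately wipes its password` above the first `Database::exec` would record why `password = ''` is intentional.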
@@ -239,14 +243,14 @@ class User
 
 // New account
 if ($anonymous) {
- Database::exec("INSERT INTO user (shibid, login, organizationid, firstname, lastname, email) "
+ Database::exec("INSERT INTO user (shibid, userid, organizationid, firstname, lastname, email) "
 . " VALUES (:shibid, :shibid, :org, '', '', '') "
 . " ON DUPLICATE KEY UPDATE firstname = '', lastname = '', email = '', password = ''", array(
 'shibid' => self::$user['shibid'],
 'org' => self::getOrganizationId()
 ));
 } else {
- Database::exec("INSERT INTO user (shibid, login, organizationid, firstname, lastname, email) "
+ Database::exec("INSERT INTO user (shibid, userid, organizationid, firstname, lastname, email) "
 . " VALUES (:shibid, :shibid, :org, :firstname, :lastname, :email) "
 . " ON DUPLICATE KEY UPDATE firstname = VALUES(firstname), lastname = VALUES(lastname), email = VALUES(email), password = ''", array(
 'shibid' => self::$user['shibid'],
@@ -284,7 +288,7 @@ class User
 
 public static function login($user, $pass)
 {
- $ret = Database::queryFirst('SELECT userid, password FROM user WHERE login = :user LIMIT 1', array(':user' => $user));
+ $ret = Database::queryFirst('SELECT userid, password FROM user WHERE userid = :user LIMIT 1', array(':user' => $user));
 if ($ret === false)
 return false;
 if (!Crypto::verify($pass, $ret['password']))
@@ -305,7 +309,7 @@ class User
 }
 Session::delete();
 if (self::$isShib) {
- Header('Location: ' . CONFIG_PREFIX . '?do=Logout&noredirect=yes');
+ Header('Location: /Shibboleth.sso/Logout');
 } else {
 Header('Location: ?do=Main');
 }
diff --git a/modules/adduser.inc.php b/modules/adduser.inc.php
index f27717b..7bb6c1f 100644
--- a/modules/adduser.inc.php
+++ b/modules/adduser.inc.php
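Review bot: The INSERTs at -239 now write the md5 shibid straight into `userid` (`INSERT INTO user (shibid, userid, ...) VALUES (:shibid, :shibid, ...)`), and the adduser hunk at -47 of modules/adduser.inc.php writes an admin-chosen login there, but no schema migration is part of this commit; if `userid` is still an integer auto-increment column these inserts will fail or be coerced to 0, so the change that makes `userid` a string primary key should land with or before this one, and a comment such as `// userid doubles as the primary key: md5 shibid for bwIDM accounts, chosen login for local accounts` at the top of the block would document the new convention. Because both account kinds now share one key space and the `ON DUPLICATE KEY UPDATE ... password = ''` clause runs on any collision, a local account whose login happens to equal an incoming shibid would have its password blanked; this is hedged since the table constraints are not visible here, but rejecting 32-hex logins in adduser would rule it out. The enclosing function starts outside the hunk.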
@@ -47,9 +47,9 @@ class Page_AddUser extends Page
 if ($ok === false) {
 Message::addError('Login-Suffix @{{0}} ist ungültig.', $suffix);
 } else {
- Database::exec('INSERT INTO user (login, password, organizationid, firstname, lastname, email) '
- . ' VALUES (:login, :password, :organization, :firstname, :lastname, :email)', array(
- 'login' => $login,
+ Database::exec('INSERT INTO user (userid, password, organizationid, firstname, lastname, email) '
+ . ' VALUES (:userid, :password, :organization, :firstname, :lastname, :email)', array(
+ 'userid' => $login,
 'password' => Crypto::hash6($password),
 'organization' => $organizationid,
 'firstname' => $firstname,
diff --git a/modules/logout.inc.php b/modules/logout.inc.php
index f1379d6..7351abc 100644
--- a/modules/logout.inc.php
+++ b/modules/logout.inc.php
@@ -8,9 +8,7 @@ class Page_Logout extends Page
 if (!User::load()) {
 Util::redirect('?do=Main');
 }
- if (User::isLocalOnly()) {
- User::logout();
- }
+ User::logout();
 }
 
 public function doRender()
diff --git a/modules/main.inc.php b/modules/main.inc.php
index 3e3aff8..2581a59 100644
--- a/modules/main.inc.php
+++ b/modules/main.inc.php
@@ -13,7 +13,7 @@ class Page_Main extends Page
 Render::addTemplate('main/_page');
 if (!User::isLoggedIn()) {
 // Guest
- Render::addTemplate('main/guest');
+ Render::addTemplate('main/guest', array('prefix' => CONFIG_PREFIX));
 return;
 }
 // Logged in user --
diff --git a/shib/api.php b/shib/api.php
index 58b9c80..6772e86 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -27,12 +27,13 @@ if (empty($_SERVER['persistent-id'])) {
 // No persistent id given, should not happen!
 $response['status'] = 'error';
 $response['error'] = 'Shibboleth meta data missing!';
+ @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
 } else {
 // Query database for user
 $shibId = md5($_SERVER['persistent-id']);
- $user = Database::queryFirst("SELECT user.userid, user.login, user.organizationid, user.firstname, user.lastname, user.email, satellite.address "
+ $user = Database::queryFirst("SELECT user.userid, user.organizationid, user.firstname, user.lastname, user.email "
 . " FROM user "
- . " INNER JOIN satellite USING (organizationid) "
+ . " INNER JOIN organization USING (organizationid) "
 . " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
 if ($user === false) {
 // Not found, so we don't know which satellite to use
@@ -51,7 +52,7 @@ if (empty($_SERVER['persistent-id'])) {
 if (empty($mail) && isset($_SERVER['mail']))
 $mail = trim($_SERVER['mail']);
 //
- $login = ( empty($user['login']) ? $shibId : $user['login'] );
+ $login = ( empty($user['userid']) ? $shibId : $user['userid'] );
 if (empty($firstName) || empty($lastName) || empty($login)) {
 // This means the user did not provide personal information on signup, nor does the IdP send them
 $response['status'] = 'anonymous';
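Review bot: The added `@file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));` in the hunk at -27 writes the complete request environment — `HTTP_COOKIE`, the `Shib-Session-ID` this codebase reads elsewhere, and every IdP attribute the SP exported — into a predictably named, world-readable file in the shared `/tmp` directory, and the `@` hides any failure. That is a credential and personal-data disclosure to every local account on the host, and the file survives after the request with no retention limit. If the diagnostic is needed to debug missing IdP metadata, log only the attribute names through the application's normal error path, for example `error_log('shib/api: persistent-id missing, attributes: ' . implode(',', array_keys($_SERVER)));`, and drop the dump before this ships. The `INNER JOIN organization USING (organizationid)` selects nothing from `organization`, so it now acts purely as an existence filter; a comment such as `// join only to drop users whose organization row is gone` would make that intent explicit.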
@@ -59,27 +60,41 @@ if (empty($_SERVER['persistent-id'])) {
 // Seems ok!
 // Figure out role
 if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
- $role = 'tutor';
+ $role = 'TUTOR';
 } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false) {
- $role = 'tutor';
+ $role = 'TUTOR';
 } else {
- $role = 'student';
+ $role = 'STUDENT';
+ }
+ // Determine satellite(s)
+ $res = Database::simpleQuery("SELECT satellitename, addresses, certsha256 FROM satellite"
+ . " WHERE organizationid = :organizationid AND userid IS NULL", array('organizationid' => $user['organizationid']));
+ $sat1 = array(); // Legacy
+ $sat2 = array();
+ while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
+ $addrs = json_decode($row['addresses'], true);
+ if (!is_array($addrs) || empty($addrs))
+ continue;
+ $sat1[$row['satellitename']] = $addrs[0];
+ $sat2[$row['satellitename']] = array(
+ 'addresses' => $addrs,
+ 'certHash' => $row['certsha256']
+ );
 }
 //
 $response['status'] = 'ok';
 $response['firstName'] = $firstName;
 $response['lastName'] = $lastName;
 $response['mail'] = $mail;
+ $response['userId'] = $user['userid'];
+ $response['organizationId'] = $user['organizationid'];
 // This one we send to the running master server handler
 $rpc = $response;
- $rpc['userId'] = $user['userid'];
+ $rpc['userId'] = $login;
 $rpc['role'] = $role;
- $rpc['organizationid'] = $user['organizationid'];
- $rpc['login'] = $login;
 // This one we only send to the user
- $response['satellites'] = array(
- 'default' => $user['address']
- );
+ $response['satellites'] = $sat1;
+ $response['satellites2'] = $sat2;
 $reply = RPC::submit($rpc);
 if (preg_match('/^TOKEN:(\w+) SESSIONID:(\w+)$/', $reply, $out)) {
 $response['token'] = $out[1];
diff --git a/templates/main/guest.html b/templates/main/guest.html
index 14cc902..3788633 100644
--- a/templates/main/guest.html
+++ b/templates/main/guest.html
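Review bot: `$sat1[$row['satellitename']] = $addrs[0];` assumes the decoded `addresses` JSON is a list, but the guard `if (!is_array($addrs) || empty($addrs))` just above it only rules out non-arrays and empty arrays, so an object-shaped value passes the guard, raises an undefined-index notice and stores null in the legacy `satellites` map the client receives. Tightening the guard to `if (!is_array($addrs) || !isset($addrs[0])) continue;` (or normalising with `$addrs = array_values($addrs);` first) pins the shape, and since a malformed row is then skipped rather than reported, a comment such as `// rows with unparsable or empty addresses are skipped silently` would record that choice. The `certsha256` value is now handed to the client as `certHash` alongside the addresses, which is the right place for it, so the fence-style pinning on the client side is worth a one-line comment naming it as the pin. Note that `$response['userId']` is `$user['userid']` while `$rpc['userId']` is `$login`, which falls back to `$shibId` when `$user['userid']` is empty; presumably `userid` is the primary key and never empty, but if it can be, the master server and the client would see different identities. The enclosing `else` branch starts outside the hunk.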
@@ -1,7 +1,7 @@
 <div class="form-narrow">
 Sie sind nicht authentifiziert. Bitte wählen Sie:
 <ul>
- <li><a href="shib/">Anmelden oder registrieren über bwIDM</a></li>
+ <li><a href="{{prefix}}shib/">Anmelden oder registrieren über bwIDM</a></li>
 <li><a href="?do=Login">Anmelden mit einem bwLehrpool-Testaccount</a></li>
 </ul>
 </div>
|