-rw-r--r--inc/image.inc.php8
-rw-r--r--inc/user.inc.php34
-rw-r--r--modules/adduser.inc.php6
-rw-r--r--modules/logout.inc.php4
-rw-r--r--modules/main.inc.php2
-rw-r--r--shib/api.php39
-rw-r--r--templates/main/guest.html2
7 files changed, 56 insertions, 39 deletions
diff --git a/inc/image.inc.php b/inc/image.inc.php
index 5b8f077..1bad04f 100644
--- a/inc/image.inc.php
+++ b/inc/image.inc.php
@@ -7,14 +7,14 @@ class Image
{
if ($userid === false || !is_numeric($userid))
return false;
- return Database::exec('DELETE FROM image WHERE ownerid = :userid', array('userid' => $userid));
+ //return Database::exec('DELETE FROM image WHERE ownerid = :userid', array('userid' => $userid));
+ // TODO
}
public static function getImageCount($login)
{
- $ret = Database::queryFirst('SELECT Count(*) AS cnt FROM image '
- . ' INNER JOIN user ON (image.ownerid = user.userid) '
- . ' WHERE user.login = :login', array('login' => $login));
+ $ret = Database::queryFirst('SELECT Count(*) AS cnt FROM imagebase '
+ . ' WHERE imagebase.ownerid = :userid', array('userid' => $login));
if ($ret === false)
return 0;
return $ret['cnt'];
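Review bot: Commenting out the DELETE on L22–L24 turns the deletion method into a silent no-op that falls off the end and returns null on its success path while the guard above it still returns false, so a caller checking the result can no longer distinguish "nothing to delete" from "deleted"; until the TODO is resolved make that explicit, e.g. `return false; // TODO: image deletion disabled until the userid migration is complete`. The retained `is_numeric($userid)` guard also sits oddly with this commit's user.inc.php changes, which now insert the md5 shibid as `userid`, so for bwIDM users the guard would reject the id even once the DELETE is restored. In getImageCount the `$login` parameter is now bound to `:userid`; renaming the parameter to `$userid` would keep the signature honest for callers. The enclosing method of the first part starts before the hunk.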
diff --git a/inc/user.inc.php b/inc/user.inc.php
index c09e936..28a1fd5 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -43,7 +43,7 @@ class User
{
if (!isset(self::$user['userid']))
return false;
- return (int) self::$user['userid'];
+ return self::$user['userid'];
}
public static function getMail()
@@ -152,10 +152,16 @@ class User
return true;
$hasSession = Session::load();
if (empty($_SERVER['persistent-id'])) {
- if (Session::getUid() === false)
+ if (Session::getUid() === false) {
+ if (!empty($_SERVER['Shib-Session-ID'])) {
+ Message::addError('Sie haben sich erfolgreich mittels bwIDM authentifiziert,'
+ . ' aber der IdP Ihrer Einrichtung scheint die benötigten Metadaten nicht'
+ . ' an den bwLehrpool-SP zu übermitteln. Bitte wenden Sie sich an den Support.');
+ }
return false;
+ }
// Try user from local DB
- self::$user = Database::queryFirst('SELECT userid, shibid, login, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
+ self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
self::$isInDb = self::$user !== false;
return self::$isInDb;
}
@@ -174,9 +180,8 @@ class User
$_SERVER['mail'] = '';
$shibId = md5($_SERVER['persistent-id']);
self::$user = array(
- 'userid' => 0,
+ 'userid' => NULL,
'shibid' => $shibId,
- 'login' => NULL,
'firstname' => $_SERVER['givenName'],
'lastname' => $_SERVER['sn'],
'email' => $_SERVER['mail'],
@@ -190,7 +195,7 @@ class User
if (isset($_SERVER['affiliation']) && preg_match('/@([a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out))
self::$user['organization'] = $out[1];
// Get matching db entry if any
- $user = Database::queryFirst('SELECT userid, login, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
+ $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
if ($user === false) {
// No match in database, user is not signed up
return true;
@@ -201,7 +206,6 @@ class User
Session::save();
}
// Already signed up, see if we can fetch missing fields from DB
- self::$user['login'] = $user['login'];
self::$isInDb = true;
self::$isAnonymous = (empty($user['firstname']) && empty($user['lastname']));
foreach (array('firstname', 'lastname', 'email') as $key) {
@@ -220,15 +224,15 @@ class User
if (!empty($existingLogin)) {
if ($anonymous) {
$ret = Database::exec("UPDATE user SET shibid = :shibid, firstname = '', lastname = '', email = '', password = '' "
- . " WHERE login = :login LIMIT 1", array(
+ . " WHERE userid = :userid LIMIT 1", array(
'shibid' => self::$user['shibid'],
- 'login' => $existingLogin
+ 'userid' => $existingLogin
));
} else {
$ret = Database::exec("UPDATE user SET shibid = :shibid, password = '', firstname = :firstname, lastname = :lastname, email = :email "
- . " WHERE login = :login LIMIT 1", array(
+ . " WHERE userid = :userid LIMIT 1", array(
'shibid' => self::$user['shibid'],
- 'login' => $existingLogin,
+ 'userid' => $existingLogin,
'firstname' => self::$user['firstname'],
'lastname' => self::$user['lastname'],
'email' => self::$user['email']
@@ -239,14 +243,14 @@ class User
// New account
if ($anonymous) {
- Database::exec("INSERT INTO user (shibid, login, organizationid, firstname, lastname, email) "
+ Database::exec("INSERT INTO user (shibid, userid, organizationid, firstname, lastname, email) "
. " VALUES (:shibid, :shibid, :org, '', '', '') "
. " ON DUPLICATE KEY UPDATE firstname = '', lastname = '', email = '', password = ''", array(
'shibid' => self::$user['shibid'],
'org' => self::getOrganizationId()
));
} else {
- Database::exec("INSERT INTO user (shibid, login, organizationid, firstname, lastname, email) "
+ Database::exec("INSERT INTO user (shibid, userid, organizationid, firstname, lastname, email) "
. " VALUES (:shibid, :shibid, :org, :firstname, :lastname, :email) "
. " ON DUPLICATE KEY UPDATE firstname = VALUES(firstname), lastname = VALUES(lastname), email = VALUES(email), password = ''", array(
'shibid' => self::$user['shibid'],
@@ -284,7 +288,7 @@ class User
public static function login($user, $pass)
{
- $ret = Database::queryFirst('SELECT userid, password FROM user WHERE login = :user LIMIT 1', array(':user' => $user));
+ $ret = Database::queryFirst('SELECT userid, password FROM user WHERE userid = :user LIMIT 1', array(':user' => $user));
if ($ret === false)
return false;
if (!Crypto::verify($pass, $ret['password']))
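Review bot: The login lookup at L135 now matches on `userid`, the same column this commit uses for bwIDM accounts inserted with the md5 shibid as userid and `password = ''` (L119–L121), so a password login attempted against such an account reaches `Crypto::verify($pass, '')`; whether that helper rejects an empty stored hash is not visible here and should be confirmed. An explicit guard before the verify, `if ($ret['password'] === '') return false;`, makes the intent independent of the hashing helper's behaviour on empty input. The enclosing `login()` method continues past the hunk.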
@@ -305,7 +309,7 @@ class User
}
Session::delete();
if (self::$isShib) {
- Header('Location: ' . CONFIG_PREFIX . '?do=Logout&noredirect=yes');
+ Header('Location: /Shibboleth.sso/Logout');
} else {
Header('Location: ?do=Main');
}
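Review bot: The new redirect at L144 hard-codes `/Shibboleth.sso/Logout` at the document root, while the rest of this commit routes app-relative paths through `CONFIG_PREFIX` (main.inc.php, guest.html); if the SP handler is not mounted at the vhost root the redirect fails and the user keeps an SP session after the local one was already deleted on L141. Consider making the handler URL a configuration constant and appending a `return=` target so the user lands back on the app; the `noredirect=yes` parameter of the old URL is not carried over, which may be intentional but is worth a comment. The enclosing method's start and end are outside the hunk.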
diff --git a/modules/adduser.inc.php b/modules/adduser.inc.php
index f27717b..7bb6c1f 100644
--- a/modules/adduser.inc.php
+++ b/modules/adduser.inc.php
@@ -47,9 +47,9 @@ class Page_AddUser extends Page
if ($ok === false) {
Message::addError('Login-Suffix @{{0}} ist ungültig.', $suffix);
} else {
- Database::exec('INSERT INTO user (login, password, organizationid, firstname, lastname, email) '
- . ' VALUES (:login, :password, :organization, :firstname, :lastname, :email)', array(
- 'login' => $login,
+ Database::exec('INSERT INTO user (userid, password, organizationid, firstname, lastname, email) '
+ . ' VALUES (:userid, :password, :organization, :firstname, :lastname, :email)', array(
+ 'userid' => $login,
'password' => Crypto::hash6($password),
'organization' => $organizationid,
'firstname' => $firstname,
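Review bot: The INSERT at L159–L161 now writes the user-chosen login straight into the `userid` key column with no duplicate handling, unlike the shib path in user.inc.php which uses `ON DUPLICATE KEY UPDATE`, so a login that collides with an existing userid — including a bwIDM user's md5 shibid now stored in the same column — depends entirely on how `Database::exec` surfaces the constraint violation, which is not visible here. Checking for an existing row first and reporting it with `Message::addError` like the suffix check on L154 would give a clear message instead of a generic database failure. The enclosing method starts before the hunk and continues past it.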
diff --git a/modules/logout.inc.php b/modules/logout.inc.php
index f1379d6..7351abc 100644
--- a/modules/logout.inc.php
+++ b/modules/logout.inc.php
@@ -8,9 +8,7 @@ class Page_Logout extends Page
if (!User::load()) {
Util::redirect('?do=Main');
}
- if (User::isLocalOnly()) {
- User::logout();
- }
+ User::logout();
}
public function doRender()
diff --git a/modules/main.inc.php b/modules/main.inc.php
index 3e3aff8..2581a59 100644
--- a/modules/main.inc.php
+++ b/modules/main.inc.php
@@ -13,7 +13,7 @@ class Page_Main extends Page
Render::addTemplate('main/_page');
if (!User::isLoggedIn()) {
// Guest
- Render::addTemplate('main/guest');
+ Render::addTemplate('main/guest', array('prefix' => CONFIG_PREFIX));
return;
}
// Logged in user --
diff --git a/shib/api.php b/shib/api.php
index 58b9c80..6772e86 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -27,12 +27,13 @@ if (empty($_SERVER['persistent-id'])) {
// No persistent id given, should not happen!
$response['status'] = 'error';
$response['error'] = 'Shibboleth meta data missing!';
+ @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
} else {
// Query database for user
$shibId = md5($_SERVER['persistent-id']);
- $user = Database::queryFirst("SELECT user.userid, user.login, user.organizationid, user.firstname, user.lastname, user.email, satellite.address "
+ $user = Database::queryFirst("SELECT user.userid, user.organizationid, user.firstname, user.lastname, user.email "
. " FROM user "
- . " INNER JOIN satellite USING (organizationid) "
+ . " INNER JOIN organization USING (organizationid) "
. " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
if ($user === false) {
// Not found, so we don't know which satellite to use
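Review bot: The debug dump at L200 writes the full `$_SERVER` array — every request header, Shibboleth attribute, cookie and query string of that request — to a file in the shared `/tmp` directory whose name is predictable from time and client address, typically with default permissions, and the `@` hides any failure; this leaks personal data to other local users and creates one file per failed request with no cap. Remove it before merging, or route it through the application's normal error logging with the sensitive keys redacted; if a temporary dump is unavoidable, `tempnam()` in a directory writable only by the web server is the minimum. The comment on L211 still says "we don't know which satellite to use" although the JOIN now targets `organization` and satellites are resolved further down; update it to match.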
@@ -51,7 +52,7 @@ if (empty($_SERVER['persistent-id'])) {
if (empty($mail) && isset($_SERVER['mail']))
$mail = trim($_SERVER['mail']);
//
- $login = ( empty($user['login']) ? $shibId : $user['login'] );
+ $login = ( empty($user['userid']) ? $shibId : $user['userid'] );
if (empty($firstName) || empty($lastName) || empty($login)) {
// This means the user did not provide personal information on signup, nor does the IdP send them
$response['status'] = 'anonymous';
@@ -59,27 +60,41 @@ if (empty($_SERVER['persistent-id'])) {
// Seems ok!
// Figure out role
if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
- $role = 'tutor';
+ $role = 'TUTOR';
} else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false) {
- $role = 'tutor';
+ $role = 'TUTOR';
} else {
- $role = 'student';
+ $role = 'STUDENT';
+ }
+ // Determine satellite(s)
+ $res = Database::simpleQuery("SELECT satellitename, addresses, certsha256 FROM satellite"
+ . " WHERE organizationid = :organizationid AND userid IS NULL", array('organizationid' => $user['organizationid']));
+ $sat1 = array(); // Legacy
+ $sat2 = array();
+ while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
+ $addrs = json_decode($row['addresses'], true);
+ if (!is_array($addrs) || empty($addrs))
+ continue;
+ $sat1[$row['satellitename']] = $addrs[0];
+ $sat2[$row['satellitename']] = array(
+ 'addresses' => $addrs,
+ 'certHash' => $row['certsha256']
+ );
}
//
$response['status'] = 'ok';
$response['firstName'] = $firstName;
$response['lastName'] = $lastName;
$response['mail'] = $mail;
+ $response['userId'] = $user['userid'];
+ $response['organizationId'] = $user['organizationid'];
// This one we send to the running master server handler
$rpc = $response;
- $rpc['userId'] = $user['userid'];
+ $rpc['userId'] = $login;
$rpc['role'] = $role;
- $rpc['organizationid'] = $user['organizationid'];
- $rpc['login'] = $login;
// This one we only send to the user
- $response['satellites'] = array(
- 'default' => $user['address']
- );
+ $response['satellites'] = $sat1;
+ $response['satellites2'] = $sat2;
$reply = RPC::submit($rpc);
if (preg_match('/^TOKEN:(\w+) SESSIONID:(\w+)$/', $reply, $out)) {
$response['token'] = $out[1];
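Review bot: `$addrs[0]` at L243 assumes the decoded `addresses` JSON is a list; if a satellite row stores an object keyed by name, `is_array` still passes but index 0 is undefined and the legacy `satellites` entry becomes null with a notice. Using the first element regardless of shape covers both cases: `$sat1[$row['satellitename']] = reset($addrs);`. The `certHash` value on L246 is passed through without checking that `certsha256` is non-empty, so a client presumably expected to pin the satellite certificate may receive a null hash — either filter such rows or document that a null hash means "no pinning". The hunk sits inside the top-level if/else that begins before it.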
diff --git a/templates/main/guest.html b/templates/main/guest.html
index 14cc902..3788633 100644
--- a/templates/main/guest.html
+++ b/templates/main/guest.html
@@ -1,7 +1,7 @@
<div class="form-narrow">
Sie sind nicht authentifiziert. Bitte wählen Sie:
<ul>
- <li><a href="shib/">Anmelden oder registrieren über bwIDM</a></li>
+ <li><a href="{{prefix}}shib/">Anmelden oder registrieren über bwIDM</a></li>
<li><a href="?do=Login">Anmelden mit einem bwLehrpool-Testaccount</a></li>
</ul>
</div>