Diffstat (limited to 'inc/user.inc.php')
-rw-r--r-- | inc/user.inc.php | 109 |
1 files changed, 64 insertions, 45 deletions
diff --git a/inc/user.inc.php b/inc/user.inc.php index 6e3c06d..bc07f5d 100644 --- a/inc/user.inc.php +++ b/inc/user.inc.php @@ -3,15 +3,15 @@ class User { - private static $user = false; - private static $organization = NULL; - private static $isShib = false; - private static $isInDb = false; - private static $isAnonymous = false; + private static ?array $user = null; + private static ?array $organization = NULL; + private static bool $isShib = false; + private static bool $isInDb = false; + private static bool $isAnonymous = false; - public static function isLoggedIn() + public static function isLoggedIn(): bool { - return self::$user !== false; + return self::$user !== null; } public static function isShibbolethAuth() @@ -26,7 +26,7 @@ class User public static function isLocalOnly() { - return self::$user !== false && self::$isShib === false; + return self::$user !== null && self::$isShib === false; } public static function isAnonymous() 
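Review bot: `private static ?array $organization = NULL;` keeps the uppercase `NULL` although the line directly above it was changed to lowercase `null` in the same hunk; PER-CS wants lowercase keywords, so `private static ?array $organization = null;` keeps the two declarations consistent. `isLoggedIn(): bool` is typed now, but `isShibbolethAuth()` and `isAnonymous()`, visible as context at the end of these hunks, stay untyped, so the typing of the class's predicates is only partial.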
@@ -39,44 +39,44 @@ class User return self::$user; } - public static function getId() + public static function getId(): ?string { if (!isset(self::$user['userid'])) - return false; + return null; return self::$user['userid']; } - public static function getMail() + public static function getMail(): ?string { if (!isset(self::$user['email'])) - return false; + return null; return self::$user['email']; } - public static function getName() + public static function getName(): ?string { if (!self::isLoggedIn()) - return false; + return null; return self::$user['firstname'] . ' ' . self::$user['lastname']; } - public static function getFirstName() + public static function getFirstName(): ?string { if (!self::isLoggedIn()) - return false; + return null; return self::$user['firstname']; } - public static function getLastName() + public static function getLastName(): ?string { if (!self::isLoggedIn()) - return false; + return null; return self::$user['lastname']; } - public static function hasFullName() + public static function hasFullName(): bool { - return self::$user !== false && !empty(self::$user['firstname']) && !empty(self::$user['lastname']); + return self::$user !== null && !empty(self::$user['firstname']) && !empty(self::$user['lastname']); } public static function isTutor() @@ -84,7 +84,7 @@ class User return isset(self::$user['role']) && self::$user['role'] === 'TUTOR'; } - public static function isAdmin() + public static function isAdmin(): bool { // TODO: per Institution... return in_array(self::getShibId(), unserialize(CONFIG_ADMINS), true); 
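Review bot: `getId(): ?string` now enforces a string return, but `userid` is returned straight from the row array; if the driver hands back integer-typed columns as PHP ints and the file declares `strict_types=1` (neither is visible here), the return throws a TypeError instead of coercing. Casting at the boundary, `return (string) self::$user['userid'];`, or confirming the column is textual, removes the doubt. `isTutor()`, whose body sits between these two hunks, could get `: bool` for consistency with the newly typed `isAdmin()`.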
@@ -95,19 +95,19 @@ class User * * @return string */ - public static function getOrganizationId() + public static function getOrganizationId(): ?string { $org = self::getOrganization(); if (!isset($org['organizationid'])) - return false; + return null; return $org['organizationid']; } - public static function getOrganizationName() + public static function getOrganizationName(): ?string { $org = self::getOrganization(); if (!isset($org['name'])) - return false; + return null; return $org['name']; } @@ -116,21 +116,26 @@ class User * * @return string */ - public static function getRemoteOrganizationId() + public static function getRemoteOrganizationId(): ?string { if (empty(self::$user['organization'])) - return false; + return null; return self::$user['organization']; } - public static function getOrganization() + /** + * Return user's organization, or null if not known in our DB. + * @return ?array{organizationid: string, name: string} + */ + public static function getOrganization(): ?array { if (!self::isLoggedIn()) - return false; + return null; if (is_null(self::$organization)) { - self::$organization = Database::queryFirst('SELECT organizationid, name FROM organization_suffix ' + $org = Database::queryFirst('SELECT organizationid, name FROM organization_suffix ' . ' INNER JOIN organization USING (organizationid) ' . ' WHERE suffix = :org LIMIT 1', array('org' => self::$user['organization'])); + self::$organization = $org !== false ? $org : null; } return self::$organization; } 
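Review bot: In `getOrganization()` the miss case is stored as `null`, which is also the "not loaded yet" sentinel tested by `is_null(self::$organization)`, so every later call (including `getOrganizationId()`, now invoked from `deploy()`) re-runs the query for a user whose suffix is not in the DB. A separate `private static bool $organizationLoaded = false;` set to true after the query, and checked instead of `is_null`, keeps it to one query per request. The docblocks left as context above `getOrganizationId()` and `getRemoteOrganizationId()` still say `@return string`; they should read `@return ?string` now that both return null on absence.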
@@ -159,8 +164,10 @@ class User return false; } // Try user from local DB - self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid())); - self::$isInDb = self::$user !== false; + $usr = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email + FROM user WHERE userid = :uid LIMIT 1', ['uid' => Session::getUid()]); + self::$user = $usr !== false ? $usr : null; + self::$isInDb = self::$user !== null; if (!self::$isInDb) { Session::delete(); } 
@@ -181,38 +188,45 @@ class User Util::redirect('?do=Main&force-cookie=true.dat'); } self::$isShib = true; - if (!isset($_SERVER['sn'])) - $_SERVER['sn'] = ''; + if (!isset($_SERVER[CONFIG_SURNAME])) + $_SERVER[CONFIG_SURNAME] = ''; if (!isset($_SERVER['givenName'])) $_SERVER['givenName'] = ''; if (!isset($_SERVER['mail'])) $_SERVER['mail'] = ''; - $shibId = md5($_SERVER['persistent-id']); + $shibId = []; + if (strpos($_SERVER['persistent-id'], ';') !== false) { + foreach (explode(';', $_SERVER['persistent-id']) as $s) { + $shibId[] = md5($s); + } + } + $shibId[] = md5($_SERVER['persistent-id']); self::$user = array( 'userid' => NULL, - 'shibid' => $shibId, + 'shibid' => $shibId[0], 'firstname' => $_SERVER['givenName'], - 'lastname' => $_SERVER['sn'], + 'lastname' => $_SERVER[CONFIG_SURNAME], 'email' => $_SERVER['mail'], ); // Figure out whether the user should be considered a tutor - if (isset($_SERVER['affiliation']) && (strpos(";{$_SERVER['affiliation']}", ';employee@') !== false - || strpos(";{$_SERVER['affiliation']}", ';staff@') !== false - || strpos(";{$_SERVER['affiliation']}", ';faculty@') !== false)) + if (isset($_SERVER[CONFIG_SCOPED_AFFILIATION]) && (strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]}", ';employee@') !== false + || strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]}", ';staff@') !== false + || strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]}", ';faculty@') !== false)) self::$user['role'] = 'TUTOR'; elseif (isset($_SERVER['entitlement']) && strpos(";{$_SERVER['entitlement']};", CONFIG_ENTITLEMENT) !== false) self::$user['role'] = 'TUTOR'; else self::$user['role'] = 'STUDENT'; // Try to figure out organization - if (isset($_SERVER['eppn']) && preg_match('/@([0-9a-zA-Z\-\._]+)$/', $_SERVER['eppn'], $out)) { + if (isset($_SERVER[CONFIG_EPPN]) && preg_match('/@([0-9a-zA-Z\-._]+)$/', $_SERVER[CONFIG_EPPN], $out)) { self::$user['organization'] = $out[1]; } - if (!isset(self::$user['organization']) && isset($_SERVER['affiliation']) && 
preg_match('/@([0-9a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out)) { + if (!isset(self::$user['organization']) && isset($_SERVER[CONFIG_SCOPED_AFFILIATION]) && preg_match('/@([0-9a-zA-Z\-._]+)(;|$)/', $_SERVER[CONFIG_SCOPED_AFFILIATION], $out)) { self::$user['organization'] = $out[1]; } // Get matching db entry if any - $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId)); + $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user + WHERE shibid IN (:shibid) LIMIT 1', ['shibid' => $shibId]); if ($user === false) { // No match in database, user is not signed up return true; @@ -232,11 +246,16 @@ class User return true; } - public static function deploy($anonymous, $existingLogin = false) + public static function deploy(bool $anonymous, $existingLogin = false): bool { if (empty(self::$user['shibid'])) Util::traceError('NO SHIBID'); + if (self::getOrganizationId() === null) { + Message::addError('Your home organization ID {{0}} is not known to this server', self::getRemoteOrganizationId()); + Util::redirect('?do=Main'); + } + // Merging with test-account: if (!empty($existingLogin)) { if ($anonymous) { @@ -300,7 +319,7 @@ class User 'mail' => $mail, 'user' => self::getId() )); - return $ret == 1 || $mail === self::get('email'); + return $ret == 1 || $mail === self::$user['email']; } public static function login($user, $pass) |
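Review bot: `$_SERVER['persistent-id']` is still read without an `isset`/`empty` guard (the old line had the same gap), so a session in which the SP delivered no persistent-id hashes an empty value into a fixed `shibid` shared by every such login, and on PHP 8.1 `strpos(null, ';')` additionally emits a deprecation. A guard such as `if (empty($_SERVER['persistent-id'])) Util::traceError('No persistent-id from IdP');` placed before the `$shibId = [];` line closes that. `WHERE shibid IN (:shibid)` receives the whole `$shibId` array as one named parameter; that only works if `Database::queryFirst` expands array values into a placeholder list, which cannot be confirmed from here, since plain PDO would bind it as the string `Array` and match nothing. With the attribute names now taken from `CONFIG_SURNAME`, `CONFIG_SCOPED_AFFILIATION` and `CONFIG_EPPN`, it is worth documenting at those constants that they must name mod_shib environment variables rather than `HTTP_*` request-header entries, because header-carried values are client-supplied unless the SP strips them. The enclosing method starts before this hunk.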
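Review bot: `Message::addError('Your home organization ID {{0}} ...', self::getRemoteOrganizationId())` passes `null` as the placeholder whenever neither eppn nor affiliation yielded an organization, so the message then shows an empty ID; `self::getRemoteOrganizationId() ?? '(none)'` makes that case readable. The new check relies on `Util::redirect()` never returning, which is not visible here; a `return false;` after the redirect would keep `deploy()` from continuing with an unknown organization if it does. `$existingLogin = false` stays untyped next to the newly typed `bool $anonymous`; if callers only ever pass a bool, `bool $existingLogin = false` completes the signature.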
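Review bot: `$mail === self::$user['email']` reads the array directly; when `self::$user` is `null` this emits a warning and yields `null`, whereas the class already provides `self::getMail()` for exactly that null-safe access, so `return $ret == 1 || $mail === self::getMail();` matches the rest of the commit. `$ret == 1` is a loose comparison left in place; if `$ret` is the integer affected-row count, `$ret === 1` is the strict form. The enclosing method starts before this hunk.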