From 242b0e0a204db1dcf9ea453ec1a86618fc740ebf Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 22 Jan 2021 10:34:42 +0100 Subject: [deploy] Improve account merging * Make matching of name and email case insensitive * Add config option to allow/disallow merging with existing shib-account --- config.php.example | 7 +++++++ modules/main.inc.php | 21 +++++++++++++-------- modules/register.inc.php | 12 ++++++++---- templates/main/deploy.html | 20 ++++++++++++-------- 4 files changed, 40 insertions(+), 20 deletions(-) diff --git a/config.php.example b/config.php.example index 083c555..919ad91 100644 --- a/config.php.example +++ b/config.php.example @@ -24,6 +24,13 @@ define('CONFIG_IDM_LINK_EPSA', 'https://www.bwidm.de/attribute/#eduPersonScopedA define('CONFIG_SURNAME', 'sn'); define('CONFIG_EPPN', 'eppn'); define('CONFIG_SCOPED_AFFILIATION', 'affiliation'); +// If enabled, when a new user registers, check if there is an existing user with +// same organizationid, email, first and last name. If so, allow user to merge account +// with existing one. This should be safe if you trust all the IdPs in your federation, +// which should be assumed to be true anyways for a million other reasons. +// If this is false, only offer merge if the existing account is a "test account", local +// to the masterserver. +define('CONFIG_ALLOW_SHIB_MERGE', true); // Have a properties file or set variables here manually. // Make sure properties file is not in webroot diff --git a/modules/main.inc.php b/modules/main.inc.php index 6119814..95d72c1 100644 --- a/modules/main.inc.php +++ b/modules/main.inc.php @@ -35,6 +35,8 @@ class Page_Main extends Page return; } if (!User::isTutor()) { + Message::addError('Sie sind kein Mitarbeiter der Einrichtung "' . User::getOrganization() + . '" und können daher die ' . CONFIG_SUITE . '-Suite nicht nutzen.'); return; } // User is not in DB, so he might want so sign up for the service - see if conditions are met @@ -63,22 +65,25 @@ class Page_Main extends Page $data = User::getData(); $data['organization'] = User::getOrganizationName(); // Show testacc merge form if organization has test accounts - $res = Database::queryFirst('SELECT Count(*) as cnt FROM user WHERE organizationid = :oid AND Length(password) <> 0', array( - 'oid' => User::getOrganizationId() - )); $mail = trim(User::getMail()); - if (!empty($mail)) { + $fn = User::getFirstName(); + $ln = User::getLastName(); + if (!empty($mail) && (!empty($fn) || !empty($ln))) { + $extra = ''; + if (!CONFIG_ALLOW_SHIB_MERGE) { + $extra = ' AND password IS NOT NULL AND Length(password) <> 0 '; + } $existing = Database::queryFirst('SELECT userid FROM user - WHERE email = :email AND lastname = :ln AND firstname = :fn LIMIT 1', array( + WHERE email = :email AND lastname = :ln AND firstname = :fn AND organizationid = :org ' . $extra . ' LIMIT 1', array( 'email' => $mail, - 'fn' => User::getFirstName(), - 'ln' => User::getLastName(), + 'fn' => $fn, + 'ln' => $ln, + 'org' => User::getOrganizationId(), )); if ($existing !== false) { $data['testlogin'] = $existing['userid']; } } - $data['testacc'] = ($res !== false && $res['cnt'] > 0) || !empty($existing); $data['suite'] = CONFIG_SUITE; $data['idm'] = CONFIG_IDM; Render::addTemplate('main/deploy', $data); diff --git a/modules/register.inc.php b/modules/register.inc.php index aa2b94c..f55e900 100644 --- a/modules/register.inc.php +++ b/modules/register.inc.php @@ -30,7 +30,7 @@ class Page_Register extends Page } if ($testLogin !== false) { // Check if one of firstname, lastname or email matches - $user = Database::queryFirst('SELECT firstname, lastname, email, organizationid FROM user WHERE userid = :login LIMIT 1', + $user = Database::queryFirst('SELECT firstname, lastname, email, password, organizationid FROM user WHERE userid = :login LIMIT 1', array('login' => $testLogin)); if ($user === false || User::getOrganizationId() !== $user['organizationid']) { // Invalid Login @@ -38,9 +38,13 @@ class Page_Register extends Page . ' Bitte wenden Sie sich an den {{1}}-Support, wenn dieser Test-Account Ihnen gehört.', $testLogin, CONFIG_SUITE); Util::redirect('?do=Main'); } - if (User::getLastName() !== $user['lastname'] - || User::getFirstName() !== $user['firstname'] - || User::getMail() !== $user['email']) { + if (empty($user['password']) && !CONFIG_ALLOW_SHIB_MERGE) { + Message::addError('Verknüpfung mit altem Shibboleth-basiertem Account nicht erlaubt'); + Util::redirect('?do=Main'); + } + if (strcasecmp(User::getLastName(), $user['lastname']) !== 0 + || strcasecmp(User::getFirstName(), $user['firstname']) !== 0 + || strcasecmp(User::getMail(), $user['email']) !== 0) { // No match by personal information Message::addError('Ihre Metadaten stimmen nicht mit dem Test-Account {{0}} überein. ' . ' Bitte wenden Sie sich an den {{1}}-Support, wenn dieser Test-Account Ihnen gehört.', $testLogin, CONFIG_SUITE); diff --git a/templates/main/deploy.html b/templates/main/deploy.html index 4181a0b..062378d 100644 --- a/templates/main/deploy.html +++ b/templates/main/deploy.html @@ -19,6 +19,7 @@ Ihr Name und Ihre e-Mail-Adresse zentral gespeichert und für Dozenten anderer Hochschulen auffindbar gemacht. Sie können diese Einstellung später jederzeit ändern.
+- Haben Sie bisher einen lokalen Account (Test-Account) benutzt? Falls ja können Sie diesen - jetzt mit Ihrem {{idm}}-Account zusammenführen, um Ihre bisherigen Veranstaltungen und Virtuelle - Maschinen zu übernehmen. Ansonsten lassen Sie das Feld leer. -
+ {{#testlogin}} +