From 8eee10ead8906df04255d275b460a78cc90c4e12 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 14 Oct 2015 16:57:54 +0200
Subject: Fix session handling, support staff-affiliation as being detected as tutor

---
 inc/session.inc.php | 12 +++++++-----
 inc/user.inc.php | 23 +++++++++++++++++++----
 modules/main.inc.php | 7 +++++--
 modules/register.inc.php | 6 +++++-
 shib/api.php | 7 +++++--
 5 files changed, 41 insertions(+), 14 deletions(-)

diff --git a/inc/session.inc.php b/inc/session.inc.php
index 891a465..93c33e5 100644
--- a/inc/session.inc.php
+++ b/inc/session.inc.php
@@ -9,7 +9,8 @@ class Session
 private static function generateSessionId()
 {
- if (self::$sid !== false) Util::traceError('Error: Asked to generate session id when already set.');
+ if (self::$sid !== false)
+ Util::traceError('Error: Asked to generate session id when already set.');
 self::$sid = sha1(
 mt_rand(0, 65535)
 . $_SERVER['REMOTE_ADDR']
@@ -47,9 +48,9 @@ class Session
 public static function setUid($value)
 {
- if (!is_numeric($value) || $value < 1)
+ if (strlen($value) < 5)
 Util::traceError('Invalid user id: ' . $value);
- self::set('uid', (int)$value);
+ self::set('uid', $value);
 }
 public static function get($key)
@@ -72,7 +73,7 @@ class Session
 private static function loadSessionId()
 {
 if (self::$sid !== false)
- die('Error: Asked to load session id when already set.');
+ Util::traceError('Error: Asked to load session id when already set.');
 if (empty($_COOKIE['sid']))
 return false;
 $id = preg_replace('/[^a-zA-Z0-9]/', '', $_COOKIE['sid']);
@@ -112,8 +113,9 @@ class Session
 if (self::$sid === false || self::$data !== false)
 Util::traceError('Tried to readSessionData on an active session!');
 $data = Database::queryFirst('SELECT dateline, data FROM websession WHERE sid = :sid LIMIT 1', array('sid' => self::$sid));
- if ($data === false)
+ if ($data === false) {
 return false;
+ }
 if ($data['dateline'] + CONFIG_SESSION_TIMEOUT < time()) {
 self::delete();
 return false;
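Review bot: The new check in setUid accepts any value whose strlen is at least 5, so the type is no longer validated: an int such as 12345 passes and is stored untyped, and a non-string like an array is only rejected as a side effect of strlen's warning returning null. Guard the type first, `if (!is_string($value) || strlen($value) < 5)`, and consider rejecting surrounding whitespace and control characters before the value is persisted, since it is later used as the lookup key in `WHERE userid = :uid` in inc/user.inc.php. The lower bound of 5 is undocumented; a one-line comment stating where userids originate and why 5 is the minimum would help the next reader.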
diff --git a/inc/user.inc.php b/inc/user.inc.php index 28a1fd5..16ec77d 100644 --- a/inc/user.inc.php +++ b/inc/user.inc.php @@ -81,7 +81,7 @@ class User public static function isTutor() { - return isset(self::$user['role']) && self::$user['role'] === 'tutor'; + return isset(self::$user['role']) && self::$user['role'] === 'TUTOR'; } public static function isAdmin() @@ -158,18 +158,30 @@ class User . ' aber der IdP Ihrer Einrichtung scheint die benötigten Metadaten nicht' . ' an den bwLehrpool-SP zu übermitteln. Bitte wenden Sie sich an den Support.'); } + Session::delete(); return false; } // Try user from local DB self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid())); self::$isInDb = self::$user !== false; + if (!self::$isInDb) { + Session::delete(); + } return self::$isInDb; } // Try bwIDM etc. if (!$hasSession) { + // Make sure cookies are enabled + if (!empty($_SERVER['Shib-Session-ID'])) { + if (isset($_GET['force-cookie'])) + die('Bitte aktivieren Sie Cookies und Javascript!'); + + } Session::create(); Session::set('token', md5(mt_rand() . $_SERVER['REMOTE_ADDR'] . microtime(true) . $_SERVER['persistent-id'] . mt_rand())); Session::save(); + if (!empty($_SERVER['Shib-Session-ID'])) + Util::redirect('?do=Main&force-cookie=true.dat'); } self::$isShib = true; if (!isset($_SERVER['sn'])) 
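Review bot: The force-cookie handshake is undocumented: the `die()` inside `isset($_GET['force-cookie'])` only makes sense together with the `Util::redirect('?do=Main&force-cookie=true.dat')` added nine lines later, so a comment such as `// No session cookie came back after the force-cookie redirect: the browser is not storing cookies` on the `die()` and `// Round-trip once so the next request proves the session cookie is stored` on the redirect would spare the next reader the reconstruction. Whether `Util::redirect()` terminates the request is not visible here; if it does not, `self::$isShib = true` and the attribute parsing below run before the redirect is delivered, and the `!empty($_SERVER['Shib-Session-ID'])` test is evaluated twice where one local would do. Note also that `self::$user['role']` appears to be assigned only on the Shibboleth path further down (the `@@ -187` hunk), while the session path returns at `return self::$isInDb;` first, so a user restored from the session cookie has no role and `User::isTutor()` is false for them — deny-by-default, but worth a comment if intended. The enclosing function starts and ends outside this hunk.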
@@ -187,10 +199,13 @@ class User
 'email' => $_SERVER['mail'],
 );
 // Figure out whether the user should be considered a tutor
- if (isset($_SERVER['affiliation']) && preg_match('/(^|;)employee@/', $_SERVER['affiliation']))
- self::$user['role'] = 'tutor';
+ if (isset($_SERVER['affiliation']) && (strpos(";{$_SERVER['affiliation']}", ';employee@') !== false
+ || strpos(";{$_SERVER['affiliation']}", ';staff@') !== false))
+ self::$user['role'] = 'TUTOR';
 elseif (isset($_SERVER['entitlement']) && strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false)
- self::$user['role'] = 'tutor';
+ self::$user['role'] = 'TUTOR';
+ else
+ self::$user['role'] = 'STUDENT';
 // Try to figure out organization
 if (isset($_SERVER['affiliation']) && preg_match('/@([a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out))
 self::$user['organization'] = $out[1];
diff --git a/modules/main.inc.php b/modules/main.inc.php
index 2581a59..8873b12 100644
--- a/modules/main.inc.php
+++ b/modules/main.inc.php
@@ -34,6 +34,9 @@ class Page_Main extends Page
 $this->renderShibbolethRegistered();
 return;
 }
+ if (!User::isTutor()) {
+ return;
+ }
 // User is not in DB, so he might want so sign up for the service - see if conditions are met
 if (User::getOrganization() !== false) {
 // Organization is known, show signup form
@@ -67,11 +70,11 @@ class Page_Main extends Page
 $data['testacc'] = true;
 $mail = trim(User::getMail());
 if (!empty($mail)) {
- $existing = Database::queryFirst('SELECT login FROM user WHERE email = :email LIMIT 1', array(
+ $existing = Database::queryFirst('SELECT userid FROM user WHERE email = :email LIMIT 1', array(
 'email' => $mail
 ));
 if ($existing !== false) {
- $data['testlogin'] = $existing['login'];
+ $data['testlogin'] = $existing['userid'];
 }
 }
 }
diff --git a/modules/register.inc.php b/modules/register.inc.php
index d24d304..f9a6ef5 100644
--- a/modules/register.inc.php
+++ b/modules/register.inc.php
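Review bot: The new `;staff@` test grants TUTOR for a staff affiliation at any scope: `strpos(";{$_SERVER['affiliation']}", ';staff@')` matches `staff@other.example` just as well as the user's own organisation, while the organisation is derived separately from the first `@domain` the regex below finds. Unless the Shibboleth SP's attribute policy already restricts accepted scopes, compare the affiliation's scope against the organisation being assigned, or at least state the assumption with `// affiliation scope is trusted as already filtered by the SP attribute policy`. The same employee/staff/entitlement rule now lives here and in shib/api.php (the `@@ -61` hunk); a shared helper returning 'TUTOR'/'STUDENT' from the attribute array would keep the two copies in step, and the role strings deserve class constants since `isTutor()` compares against the literal 'TUTOR' as well. The api.php copy also reads `$_SERVER['affiliation']` and `$_SERVER['entitlement']` without the `isset()` guards used here.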
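Review bot: The bare `return` after `if (!User::isTutor())` ends the request without rendering anything or recording why, so a student who authenticated successfully lands on an empty page; the same pattern is added in modules/register.inc.php (the `@@ -12` hunk). Adding a message before returning, e.g. `Message::addError('Dieser Dienst steht nur Lehrenden zur Verfügung.'); return;` (constructed example; wording to match the existing German messages), or rendering a dedicated template, tells the user what happened, and a comment such as `// Sign-up is restricted to tutors; non-tutors get no further output here` documents the policy the gate enforces. Whether an earlier part of the method already produced output is not visible; the method starts before this hunk.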
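Review bot: `$data['testlogin']` now carries `userid`, which after this commit is a free-form string (see the relaxed `setUid` check in inc/session.inc.php) rather than a login column value, and it is handed to a template that is not part of this diff; confirm that the template escapes `testlogin` with `htmlspecialchars()` in the HTML context where it is printed, and document the expectation with `// userid is user-controlled IdP data; the template must escape it` next to the assignment. The enclosing method continues past this hunk.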
@@ -12,6 +12,10 @@ class Page_Register extends Page
 }
 if (!User::isShibbolethAuth())
 Util::redirect(CONFIG_PREFIX . 'shib/?do=Main');
+
+ if (!User::isTutor()) {
+ return;
+ }
 if (User::getOrganization() === false) {
 Message::addError('Ihre Einrichtung {{0}} scheint kein bwIDM zu unterstützen. Bitte wenden Sie sich an den Support.',
@@ -21,7 +25,7 @@ class Page_Register extends Page
 if (Request::post('testlogin')) {
 // Check if one of firstname, lastname or email matches
- $user = Database::queryFirst('SELECT firstname, lastname, email, organizationid FROM user WHERE login = :login LIMIT 1', array('login' => Request::post('testlogin')));
+ $user = Database::queryFirst('SELECT firstname, lastname, email, organizationid FROM user WHERE userid = :login LIMIT 1', array('login' => Request::post('testlogin')));
 if ($user === false || User::getOrganizationId() !== $user['organizationid']) {
 // Invalid Login
 Message::addError('Test-Account {{0}} unbekannt. '
diff --git a/shib/api.php b/shib/api.php
index 6772e86..0910c3d 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -37,6 +37,7 @@ if (empty($_SERVER['persistent-id'])) {
 . " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
 if ($user === false) {
 // Not found, so we don't know which satellite to use
+ // TODO: Support STUDENT mode
 $response['status'] = 'unregistered';
 $response['id'] = $shibId;
 $response['url'] = 'https://bwlp-masterserver.ruf.uni-freiburg.de/webif/';
@@ -52,7 +53,7 @@ if (empty($_SERVER['persistent-id'])) {
 if (empty($mail) && isset($_SERVER['mail']))
 $mail = trim($_SERVER['mail']);
 //
- $login = ( empty($user['userid']) ? $shibId : $user['userid'] );
+ $login = (empty($user['userid']) ? $shibId : $user['userid'] );
 if (empty($firstName) || empty($lastName) || empty($login)) {
 // This means the user did not provide personal information on signup, nor does the IdP send them
 $response['status'] = 'anonymous';
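Review bot: The testlogin query now selects by `userid` but keeps the `:login` placeholder and array key, which reads as if a login column still existed; renaming both, `WHERE userid = :userid LIMIT 1', array('userid' => Request::post('testlogin'))`, keeps the SQL self-describing. The lookup stays parameterised, so the POSTed value is handled safely here. The following `User::getOrganizationId() !== $user['organizationid']` is a strict comparison, so confirm both sides arrive with the same type (the DB driver may return a string where the session holds an int) or a legitimate test account is reported as unknown. The surrounding method starts before this hunk and continues past it.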
@@ -61,9 +62,11 @@ if (empty($_SERVER['persistent-id'])) {
 // Figure out role
 if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
 $role = 'TUTOR';
- } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false) {
+ } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false
+ || strpos(";{$_SERVER['affiliation']};", ';staff@') !== false) {
 $role = 'TUTOR';
 } else {
+ @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
 $role = 'STUDENT';
 }
 // Determine satellite(s)
--
cgit v1.2.3-55-g7522
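Review bot: The `@file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true))` added in the STUDENT branch writes the complete `$_SERVER` array — the IdP attributes (name, mail, persistent-id, affiliation, entitlement) plus request headers and cookies — to a shared, typically world-readable directory on every non-tutor login, with failures silenced by `@`. That is a personal-data leak and a debug leftover: remove it before merge, or gate it behind a configuration constant, write only the attribute names actually needed, and use a directory private to the web server instead of a predictable name under `/tmp`; if the goal is to learn which affiliations students arrive with, logging `$_SERVER['affiliation']` and `$_SERVER['entitlement']` through the application's existing logging path is sufficient. Separately, `$_SERVER['entitlement']` and `$_SERVER['affiliation']` are both read without an `isset()` guard (inc/user.inc.php guards them), so a session lacking either attribute raises notices in this block.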