From 242b0e0a204db1dcf9ea453ec1a86618fc740ebf Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 22 Jan 2021 10:34:42 +0100
Subject: [deploy] Improve account merging
* Make matching of name and email case insensitive
* Add config option to allow/disallow merging with existing shib-account
---
 modules/main.inc.php | 21 +++++++++++++--------
 modules/register.inc.php | 12 ++++++++----
 2 files changed, 21 insertions(+), 12 deletions(-)
(limited to 'modules')
diff --git a/modules/main.inc.php b/modules/main.inc.php
index 6119814..95d72c1 100644
--- a/modules/main.inc.php
+++ b/modules/main.inc.php
@@ -35,6 +35,8 @@ class Page_Main extends Page
 return;
 }
 if (!User::isTutor()) {
+ Message::addError('Sie sind kein Mitarbeiter der Einrichtung "' . User::getOrganization()
+ . '" und können daher die ' . CONFIG_SUITE . '-Suite nicht nutzen.');
 return;
 }
 // User is not in DB, so he might want so sign up for the service - see if conditions are met
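Review bot: The new error text in the `!User::isTutor()` branch splices `User::getOrganization()` directly into the message string, whereas the `Message::addError` calls visible in modules/register.inc.php pass their variable parts as `{{0}}`/`{{1}}` arguments. The organization name presumably comes from identity-provider attributes, and nothing in this diff shows whether the message renderer escapes the template text, the arguments, or both, so the placeholder form is the safer and more consistent choice: `Message::addError('Sie sind kein Mitarbeiter der Einrichtung "{{0}}" und können daher die {{1}}-Suite nicht nutzen.', User::getOrganization(), CONFIG_SUITE);`. The enclosing method starts and ends outside this hunk.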
@@ -63,22 +65,25 @@ class Page_Main extends Page
 $data = User::getData();
 $data['organization'] = User::getOrganizationName();
 // Show testacc merge form if organization has test accounts
- $res = Database::queryFirst('SELECT Count(*) as cnt FROM user WHERE organizationid = :oid AND Length(password) <> 0', array(
- 'oid' => User::getOrganizationId()
- ));
 $mail = trim(User::getMail());
- if (!empty($mail)) {
+ $fn = User::getFirstName();
+ $ln = User::getLastName();
+ if (!empty($mail) && (!empty($fn) || !empty($ln))) {
+ $extra = '';
+ if (!CONFIG_ALLOW_SHIB_MERGE) {
+ $extra = ' AND password IS NOT NULL AND Length(password) <> 0 ';
+ }
 $existing = Database::queryFirst('SELECT userid FROM user
- WHERE email = :email AND lastname = :ln AND firstname = :fn LIMIT 1', array(
+ WHERE email = :email AND lastname = :ln AND firstname = :fn AND organizationid = :org ' . $extra . ' LIMIT 1', array(
 'email' => $mail,
- 'fn' => User::getFirstName(),
- 'ln' => User::getLastName(),
+ 'fn' => $fn,
+ 'ln' => $ln,
+ 'org' => User::getOrganizationId(),
 ));
 if ($existing !== false) {
 $data['testlogin'] = $existing['userid'];
 }
 }
- $data['testacc'] = ($res !== false && $res['cnt'] > 0) || !empty($existing);
 $data['suite'] = CONFIG_SUITE;
 $data['idm'] = CONFIG_IDM;
 Render::addTemplate('main/deploy', $data);
diff --git a/modules/register.inc.php b/modules/register.inc.php
index aa2b94c..f55e900 100644
--- a/modules/register.inc.php
+++ b/modules/register.inc.php
@@ -30,7 +30,7 @@ class Page_Register extends Page
 }
 if ($testLogin !== false) {
 // Check if one of firstname, lastname or email matches
- $user = Database::queryFirst('SELECT firstname, lastname, email, organizationid FROM user WHERE userid = :login LIMIT 1',
+ $user = Database::queryFirst('SELECT firstname, lastname, email, password, organizationid FROM user WHERE userid = :login LIMIT 1',
 array('login' => $testLogin));
 if ($user === false || User::getOrganizationId() !== $user['organizationid']) {
 // Invalid Login
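Review bot: `CONFIG_ALLOW_SHIB_MERGE` is read at `if (!CONFIG_ALLOW_SHIB_MERGE)` in the Page_Main hunk (and again in the second modules/register.inc.php hunk) with no check that it is defined, and because the diff is limited to 'modules' its definition is not visible here. If a deployed configuration predates this option, PHP 7 evaluates the bare name to a non-empty string, which is truthy and silently permits merging with Shibboleth-only accounts, while PHP 8 throws an Error. Since the flag gates an account-linking decision it should fall back to the restrictive value, e.g. `$allowShibMerge = defined('CONFIG_ALLOW_SHIB_MERGE') && CONFIG_ALLOW_SHIB_MERGE;`, used in both places. The enclosing method starts and ends outside the hunk.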
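Review bot: The SELECT in Page_Register now loads the stored `password` value into `$user` although, as far as these hunks show, it is only tested with `empty()` a few lines later. Selecting a computed flag such as `(password IS NOT NULL AND Length(password) <> 0) AS haspassword` and testing `empty($user['haspassword'])` would keep the credential hash out of the request's working data and mirror the SQL-side condition used in modules/main.inc.php. The code that consumes `$user` continues outside this hunk, so any other reader of the row should be checked before changing the column list.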
@@ -38,9 +38,13 @@ class Page_Register extends Page
 . ' Bitte wenden Sie sich an den {{1}}-Support, wenn dieser Test-Account Ihnen gehört.', $testLogin, CONFIG_SUITE);
 Util::redirect('?do=Main');
 }
- if (User::getLastName() !== $user['lastname']
- || User::getFirstName() !== $user['firstname']
- || User::getMail() !== $user['email']) {
+ if (empty($user['password']) && !CONFIG_ALLOW_SHIB_MERGE) {
+ Message::addError('Verknüpfung mit altem Shibboleth-basiertem Account nicht erlaubt');
+ Util::redirect('?do=Main');
+ }
+ if (strcasecmp(User::getLastName(), $user['lastname']) !== 0
+ || strcasecmp(User::getFirstName(), $user['firstname']) !== 0
+ || strcasecmp(User::getMail(), $user['email']) !== 0) {
 // No match by personal information
 Message::addError('Ihre Metadaten stimmen nicht mit dem Test-Account {{0}} überein. '
 . ' Bitte wenden Sie sich an den {{1}}-Support, wenn dieser Test-Account Ihnen gehört.', $testLogin, CONFIG_SUITE);
-- cgit v1.2.3-55-g7522
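Review bot: `strcasecmp()` folds only ASCII letters, so with UTF-8 data the three comparisons in the new `if` stay case-sensitive for non-ASCII characters such as the umlauts this German-language application is likely to see in names; 'MÜLLER' and 'Müller' would still be rejected. The mail value is also compared untrimmed here, whereas modules/main.inc.php applies `trim()` before looking up the candidate account, so the two checks can disagree about the same user. If the mbstring extension is available, comparing `mb_strtolower(trim(User::getLastName()), 'UTF-8') !== mb_strtolower(trim($user['lastname']), 'UTF-8')` (likewise for first name and mail) closes both gaps. The enclosing method starts and ends outside the hunk.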