<?php

/**
 * @file
 * Documentation for CAS API.
 */

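/**
 * Modify CAS user properties before the user is logged in.
 *
 * Allows modules to alter the CAS username and account creation permissions
 * after the CAS username is returned from phpCAS::getUser().
 *
 * Modules implementing this hook may wish to alter 'name' if the CAS server
 * returns user names which contain excess information or are not directly
 * machine readable. This field is not the Drupal name of the user. Instead,
 * this is used to load a Drupal user via the mapping in the {cas_user} table.
 *
 * The 'login' parameter controls whether the user is able to login. By
 * default this will be set to TRUE, but modules may set this flag to FALSE
 * to deny the user login access. For example, one might want to only allow
 * login access to members of a certain LDAP group. This verification is in
 * addition to the standard feature which lets you block users.
 *
 * The 'register' parameter controls whether an account should be created if
 * the user does not already have a Drupal account. Defaults to the value of
 * "Should Drupal user accounts be automatically created?" in the CAS module
 * settings. This setting is ignored if 'login' is set to FALSE.
 *
 * If multiple modules implement this hook, the values set by the last module
 * to execute this hook will be used. Therefore, it is good practice to only
 * set the 'login' and 'register' flags to FALSE, rather than the output of
 * a function. This prevents accidentally allowing a user to login when another
 * module had already denied access.
 *
 * @param $cas_user
 *   An associative array, with the following keys:
 *   - 'name': The CAS machine-readable user name.
 *   - 'login': If TRUE, the user will be allowed to login to an existing
 *     Drupal account.
 *   - 'register': If TRUE, the user will be allowed to register a Drupal
 *     account if one does not already exist. If 'login' is FALSE, this
 *     setting will be ignored.
 *   - 'attributes': If phpCAS is new enough to support getAttributes and the
 *     CAS server supports SAML attributes, this consists of an associative
 *     array of attribute names and values; otherwise it is an empty array.
 */
function hook_cas_user_alter(&$cas_user) {
  // Alter the CAS username. The CAS server returned a compound name like
  // it:johndoe:10.10.1.2:200805064255
  // and so we extract the actual user name of 'johndoe'.
  //
  // The 'name' value is what the {cas_user} mapping is looked up by, so it
  // must never silently become NULL. If the server did not return the
  // expected compound format, fail closed: deny both login and registration
  // rather than continuing with an unparsed name.
  $parts = explode(':', $cas_user['name'], 3);
  if (!isset($parts[1]) || $parts[1] === '') {
    $cas_user['login'] = FALSE;
    $cas_user['register'] = FALSE;
    return;
  }
  $cas_user['name'] = $parts[1];

  // Allow logins only for users in a certain LDAP group. The flag is only
  // ever set to FALSE here, so a denial made by another implementation of
  // this hook is preserved.
  if (!_ldap_is_member_group($cas_user['name'], 'admins')) {
    $cas_user['login'] = FALSE;
  }

  // Allow registrations only for a certain class of users.
  if (!_ldap_user_has_home_directory($cas_user['name'])) {
    $cas_user['register'] = FALSE;
  }
}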
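/**
 * A CAS user has authenticated and the login is about to be finalized.
 *
 * This allows modules to react to a CAS user logging in and alter their
 * account properties. For example, modules may want to synchronize Drupal
 * user roles or profile information with LDAP properties.
 *
 * If you would like to synchronize information only for new accounts, you may
 * examine the value of $account->login which will be 0 if the user has never
 * logged in before.
 *
 * The 'cas_user' key in $edit contains all information returned from
 * hook_cas_user_alter().
 *
 * The CAS module promises to call user_save() and user_login_finalize() with
 * this $edit data.
 *
 * @param $edit
 *   An array of values corresponding to the Drupal user to be created.
 * @param $account
 *   A Drupal user object.
 */
function hook_cas_user_presave(&$edit, $account) {
  $cas_name = $edit['cas_user']['name'];

  // Look up the user's real name using LDAP.
  //
  // The CAS name comes from the CAS server, not from this site, so it is
  // escaped (RFC 4515) before being placed in the search filter; otherwise
  // characters such as '*', '(' and ')' could change the filter's meaning.
  if (function_exists('ldap_escape')) {
    $filter_name = ldap_escape($cas_name, '', LDAP_ESCAPE_FILTER);
  }
  else {
    // Fallback for PHP releases that predate ldap_escape(): escape the
    // characters RFC 4515 reserves, backslash first.
    $filter_name = str_replace(
      array('\\', '*', '(', ')', "\0"),
      array('\5c', '\2a', '\28', '\29', '\00'),
      $cas_name
    );
  }

  // The example uses plain LDAP on port 389; a deployment should prefer an
  // ldaps:// URI or ldap_start_tls() so the directory traffic is protected.
  $ldap_connection = ldap_connect('ldap.example.com', 389);
  if ($ldap_connection === FALSE) {
    return;
  }
  $ldap_result = ldap_search($ldap_connection, 'ou=people', 'uid=' . $filter_name, array('cn'), 0, 1);
  $entries = ($ldap_result === FALSE) ? FALSE : ldap_get_entries($ldap_connection, $ldap_result);
  ldap_close($ldap_connection);

  // ldap_get_entries() returns a 'count' key at the top level and, for each
  // attribute, an array with its own 'count' and numeric value indexes; the
  // first 'cn' value is therefore at $entries[0]['cn'][0], not ['cn'].
  if (!empty($entries['count']) && !empty($entries[0]['cn'][0])) {
    $edit['name'] = $entries[0]['cn'][0];
  }
}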
/**
 * Modify phpCAS authentication properties.
 *
 * This is called after phpCAS has been configured with the basic server
 * properties, but before phpCAS::forceAuthentication() is called.
 *
 * Users will generally not need to implement this hook, as most phpCAS
 * configuration options are already provided in the CAS module UI.
 *
 * There are no parameters, instead the module should directly call the
 * functions in the phpCAS namespace.
 */
function hook_cas_phpcas_alter() {
  // Point phpCAS at a custom server login URL. This is the address users are
  // redirected to in order to enter their credentials, so it should be an
  // HTTPS URL on the trusted CAS host.
  $login_url = 'https://login.example.com/cas/login';
  phpCAS::setServerLoginURL($login_url);
}