root / htmltest / sites / all / modules / cas / cas.api.php @ a5572547
| 1 | 85ad3d82 | Assos Assos | <?php
|
|---|---|---|---|
| 2 | |||
| 3 | /**
|
||
| 4 | * @file
|
||
| 5 | * Documentation for CAS API.
|
||
| 6 | */
|
||
| 7 | |||
| 8 | /**
|
||
| 9 | * Modify CAS user properties before the user is logged in.
|
||
| 10 | *
|
||
| 11 | * Allows modules to alter the CAS username and account creation permissions
|
||
| 12 | * after the CAS username is returned from phpCAS::getUser().
|
||
| 13 | *
|
||
| 14 | * Modules implementing this hook may wish to alter 'name' if the CAS server
|
||
| 15 | * returns user names which contain excess information or are not directly
|
||
| 16 | * machine readable. This field is not the Drupal name of the user. Instead,
|
||
| 17 | * this is used to load a Drupal user via the mapping in the {cas_user} table.
|
||
| 18 | *
|
||
| 19 | * The 'login' parameter controls whether the user is able to login. By
|
||
| 20 | * default this will be set to TRUE, but modules may set this flag to FALSE
|
||
| 21 | * to deny the user login access. For example, one might want to only allow
|
||
| 22 | * login access to members of a certain LDAP group. This verification is in
|
||
| 23 | * addition to the standard feature which lets you block users.
|
||
| 24 | *
|
||
| 25 | * The 'register' parameter controls whether an account should be created if
|
||
| 26 | * the user does not already have a Drupal account. Defaults to the value of
|
||
| 27 | * "Should Drupal user accounts be automatically created?" in the CAS module
|
||
| 28 | * settings. This setting is ignored if 'login' is set to FALSE.
|
||
| 29 | *
|
||
| 30 | * If multiple modules implement this hook, the values set by the last module
|
||
| 31 | * to execute this hook will be used. Therefore, it is good practice to only
|
||
| 32 | * set the 'login' and 'register' flags to FALSE, rather than the output of
|
||
| 33 | * a function. This prevents accidentally allowing a user to login when another
|
||
| 34 | * module had already denied access.
|
||
| 35 | *
|
||
| 36 | * @param $cas_user
|
||
| 37 | * An associative array, with the following keys:
|
||
| 38 | * - 'name': The CAS machine-readable user name.
|
||
| 39 | * - 'login': If TRUE, the user will be allowed to login to an existing
|
||
| 40 | * Drupal account.
|
||
| 41 | * - 'register': If TRUE, the user will be allowed to register a Drupal
|
||
| 42 | * account if one does not already exist. If 'login' is FALSE, this
|
||
| 43 | * setting will be ignored.
|
||
| 44 | * - 'attributes': If phpCAS is new enough to support getAttributes and the
|
||
| 45 | * CAS server supports SAML attributes, this consists of an associative
|
||
| 46 | * array of attribute names and values; otherwise it is an empty array.
|
||
| 47 | */
|
||
| 48 | function hook_cas_user_alter(&$cas_user) { |
||
| 49 | // Alter the CAS username. The CAS server returned a compound name like
|
||
| 50 | // it:johndoe:10.10.1.2:200805064255
|
||
| 51 | // and so we extract the actual user name of 'johndoe'.
|
||
| 52 | $parts = explode(':', $cas_user['name'], 3); |
||
| 53 | $cas_user['name'] = $parts[1]; |
||
| 54 | |||
| 55 | // Allow logins only for users in a certain LDAP group.
|
||
| 56 | if (!_ldap_is_member_group($cas_user['name'], 'admins')) { |
||
| 57 | $cas_user['login'] = FALSE; |
||
| 58 | } |
||
| 59 | |||
| 60 | // Allow registrations only for a certain class of users.
|
||
| 61 | if (!_ldap_user_has_home_directory($cas_user['name'])) { |
||
| 62 | $cas_user['register'] = FALSE; |
||
| 63 | } |
||
| 64 | } |
||
| 65 | |||
| 66 | /**
|
||
| 67 | * A CAS user has authenticated and the login is about to be finalized.
|
||
| 68 | *
|
||
| 69 | * This allows modules to react to a CAS user logging in and alter their
|
||
| 70 | * account properties. For example, modules may want to synchronize Drupal
|
||
| 71 | * user roles or profile information with LDAP properties.
|
||
| 72 | *
|
||
| 73 | * If you would like to synchronize information only for new accounts, you may
|
||
| 74 | * examine the value of $account->login which will be 0 if the user has never
|
||
| 75 | * logged in before.
|
||
| 76 | *
|
||
| 77 | * The 'cas_user' key in $edit contains all information returned from
|
||
| 78 | * hook_cas_user_alter().
|
||
| 79 | *
|
||
| 80 | * The CAS module promises to call user_save() and user_login_finalize() with
|
||
| 81 | * this $edit data.
|
||
| 82 | *
|
||
| 83 | * @param $edit
|
||
| 84 | * An array of values corresponding to the Drupal user to be created.
|
||
| 85 | * @param $account
|
||
| 86 | * A Druapl user object.
|
||
| 87 | */
|
||
| 88 | function hook_cas_user_presave(&$edit, $account) { |
||
| 89 | $cas_name = $edit['cas_user']['name']; |
||
| 90 | |||
| 91 | // Look up the user's real name using LDAP.
|
||
| 92 | $ldap_connection = ldap_connect('ldap.example.com', 389); |
||
| 93 | $ldap_result = ldap_search($ldap_connection, 'ou=people', 'uid=' . $cas_name, array('cn'), 0, 1); |
||
| 94 | $entries = ldap_get_entries($ldap_connection, $ldap_result); |
||
| 95 | $attributes = $entries[0]; |
||
| 96 | |||
| 97 | if (!empty($attributes['cn'])) { |
||
| 98 | $edit['name'] = $attributes['cn']; |
||
| 99 | } |
||
| 100 | } |
||
| 101 | |||
| 102 | /**
|
||
| 103 | * Modify phpCAS authentication properties.
|
||
| 104 | *
|
||
| 105 | * This is called after phpCAS has been configured with the basic server
|
||
| 106 | * properties, but before phpCAS::forceAuthentication() is called.
|
||
| 107 | *
|
||
| 108 | * Users will generally not need to implement this hook, as most phpCAS
|
||
| 109 | * configuration options are already provided in the CAS module UI.
|
||
| 110 | *
|
||
| 111 | * There are no parameters, instead the module should directly call the
|
||
| 112 | * functions in the phpCAS namespace.
|
||
| 113 | */
|
||
| 114 | function hook_cas_phpcas_alter() { |
||
| 115 | // Set a custom server login URL.
|
||
| 116 | phpCAS::setServerLoginURL('https://login.example.com/cas/login');
|
||
| 117 | } |