<?php
/**
* @file
* Admin menus for webauth module
*
*/
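/**
 * Base webauth settings form.
 *
 * Builds the general WebAuth options: whether the local Drupal login block is
 * shown, the text of the WebAuth login link, the post-login destination and
 * the message shown when content is restricted. Persistence is delegated to
 * system_settings_form(), which stores each element under its form key as a
 * Drupal variable, so the keys below double as the variable names read back
 * by variable_get().
 *
 * @param array $form
 *   The form definition passed in by FAPI (a fresh definition is built).
 * @param array $form_state
 *   The current form state, by reference per the FAPI contract.
 *
 * @return array
 *   The form array wrapped by system_settings_form().
 */
function webauth_admin_settings($form, &$form_state) {
  $form['webauth_allow_local'] = array(
    '#type' => 'radios',
    '#title' => t('Stanford WebAuth options'),
    '#default_value' => variable_get('webauth_allow_local', 1),
    '#options' => array(
      0 => t('Hide Local Drupal Login Block'),
      1 => t('Show Local Drupal Login Block'),
    ),
    '#description' => t('Hide the Local Drupal Login Block if it’s not needed by local accounts to prevent users from entering their SUNet ID and password there by mistake. This does not affect the <em>user/login</em> form which can still be used to log in as <em>user 1</em> when needed.'),
  );

  $form['webauth_link_text'] = array(
    '#type' => 'textfield',
    '#title' => t('WebAuth Link Text'),
    '#size' => 80,
    '#maxlength' => 255,
    '#default_value' => variable_get('webauth_link_text', 'Log in with WebAuth'),
    '#description' => t('The text for the WebAuth link. It’s what users will click on to log in using WebAuth. (E.g.: "Log in with WebAuth")'),
  );

  // NOTE(review): the destination is stored verbatim. The description asks for
  // an internal Drupal path (e.g. 'node/add/page'), but nothing here rejects an
  // absolute URL; whether that can become an open redirect depends on how the
  // login handler consumes the variable (not visible in this file) -- confirm
  // it is routed through url()/drupal_goto() with external targets rejected.
  $form['webauth_destination'] = array(
    '#type' => 'textfield',
    '#title' => t('Post-Login Destination'),
    '#size' => 80,
    '#maxlength' => 255,
    '#default_value' => variable_get('webauth_destination', ''),
    '#description' => t('Drupal node to which the browser redirects after successful weblogin. (E.g.: \'node/add/page\' will automatically redirect user to a new content page.) If unsure, just leave blank to keep Drupal\'s default behavior.'),
  );

  $form['webauth_restrict_message'] = array(
    '#type' => 'textarea',
    '#title' => t('Restricted Access Message'),
    '#cols' => 80,
    '#rows' => 5,
    '#default_value' => variable_get('webauth_restrict_message', 'This content has been restricted by the author or by the site administrator.'),
    '#description' => t('Message to be displayed to user when access to content is restricted.'),
  );

  return system_settings_form($form);
}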
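/**
 * The webauth groups/mapping form.
 *
 * Shows a table of the existing workgroup -> Drupal role mappings held in
 * {webauth_roles}, each with a "Remove Mapping" button whose #name encodes
 * the mapping id (remove_warid_<warid>), plus a row for adding a new mapping.
 * Only roles with rid > 2 are offered, so neither the anonymous nor the
 * authenticated role can ever be the target of a mapping.
 *
 * Rendering note: the add-row widgets and the remove buttons are rendered with
 * drupal_render() inside the builder so they can be placed in theme_table()
 * cells. The elements remain in $form, so FAPI still reads their input and
 * recognises them as triggering elements -- which is why each carries an
 * explicit #name.
 *
 * @param array $form
 *   The form definition passed in by FAPI.
 * @param array $form_state
 *   The current form state, by reference.
 *
 * @return array
 *   The form array.
 */
function webauth_admin_groups($form, &$form_state) {
  $table = array();
  // On a rebuild after a validation failure the raw submission is in
  // $form_state['input']. (The Drupal 6 key $form_state['post'] is never set
  // on Drupal 7, which left the "else" branch below unreachable.)
  $submitted = !empty($form_state['input']);

  $roles = array();
  $result = db_query('SELECT rid, name FROM {role} WHERE rid > :rid', array(':rid' => 2));
  while ($role = $result->fetchObject()) {
    // Option labels are escaped by FAPI when the select is rendered.
    $roles[$role->rid] = $role->name;
  }

  $form['new_rid'] = array(
    '#name' => 'new_rid',
    '#type' => 'select',
    '#options' => $roles,
  );
  $form['new_group'] = array(
    '#name' => 'new_group',
    '#type' => 'textfield',
    '#default_value' => '',
  );
  $form['new_submit'] = array(
    '#name' => 'new_submit',
    '#type' => 'submit',
    '#value' => t('Add Mapping'),
  );

  if (!$submitted) {
    $table[] = array(
      drupal_render($form['new_rid']),
      drupal_render($form['new_group']),
      drupal_render($form['new_submit']),
    );
  }
  else {
    // Keep the UI consistent: let the form renderer emit the add-row widgets
    // (so the values the admin typed survive the rebuild) inside a table
    // shell of their own.
    $form['new_rid']['#prefix'] = '<table><tr class="odd"><td>';
    $form['new_rid']['#suffix'] = '</td><td>';
    $form['new_group']['#suffix'] = '</td><td>';
    $form['new_submit']['#suffix'] = '</td><td>';
    $form['cancel'] = array(
      '#type' => 'markup',
      // Drupal 7 markup elements carry their content in #markup; #value is
      // not rendered for this element type.
      '#markup' => l(t('Cancel'), 'admin/config/webauth/mappings'),
      '#suffix' => '</td></tr></table>',
    );
  }

  $result = db_query("SELECT wr.warid, r.name, wr.wa_group as `group` FROM {webauth_roles} wr INNER JOIN {role} r ON wr.rid = r.rid WHERE r.rid > 2");
  while ($group = $result->fetchObject()) {
    $button_id = 'remove_warid_' . $group->warid;
    $form[$button_id] = array(
      '#name' => $button_id,
      '#type' => 'submit',
      '#value' => t('Remove Mapping'),
    );
    // theme_table() does not escape cell contents. The role name is
    // admin-entered free text, so escape both values before they become HTML.
    $table[] = array(
      check_plain($group->name),
      check_plain($group->group),
      drupal_render($form[$button_id]),
    );
  }

  $header = array(
    t('Drupal Role'),
    t('Workgroup (e.g. stanford:staff)'),
    t('Action'),
  );
  $form['output'] = array(
    '#markup' => theme('table', array(
      'header' => $header,
      'rows' => $table,
    )),
  );
  return $form;
}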
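/**
 * Validates the webauth_admin_groups form.
 *
 * Only the "Add Mapping" button carries free-form input, so only that path
 * is checked. A workgroup must look like <stem>:<name>: the stem allows word
 * characters plus '-' and '~', the name allows word characters plus '-'.
 * This character set is the only thing standing between the admin's input
 * and the Apache configuration written by webauth_write_htaccess(), so keep
 * it tight (no whitespace, quotes or line breaks). The selected role is kept
 * within the select's #options by core FAPI validation.
 *
 * @param array $form
 *   The form definition.
 * @param array $form_state
 *   The form state; errors are raised with form_set_error().
 */
function webauth_admin_groups_validate($form, &$form_state) {
  if ($form_state['clicked_button']['#value'] == t('Add Mapping')) {
    $new_group = $form_state['values']['new_group'];
    $new_rid = $form_state['values']['new_rid'];

    // Same accepted set as before, with '-' placed first in each class: the old
    // "[\w\d-_]" is an invalid range under PCRE2 (PHP >= 7.3), which made
    // preg_match() return FALSE with a warning and reject every workgroup.
    // Compare with exactly 1 so a pattern failure still counts as invalid.
    if (preg_match('/^[-~\w]+:[-\w]+$/', $new_group) !== 1) {
      form_set_error('new_group', t('There was an error in your workgroup name. Please make sure you entered it correctly.'));
    }

    $already_mapped = db_query(
      "SELECT * FROM {webauth_roles} WHERE rid = :rid AND wa_group = :wa_group",
      array(':rid' => $new_rid, ':wa_group' => $new_group)
    )->fetchField();
    if ($already_mapped) {
      form_set_error('new_group', t('This workgroup is already mapped to this Drupal role!'));
    }
  }
}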
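/**
 * The submit function for the webauth_admin_groups form.
 *
 * "Add Mapping" inserts a {webauth_roles} row. "Remove Mapping" deletes the
 * row named by the button (#name is remove_warid_<warid>) and then revokes
 * the mapped role from every user recorded in {webauth_roles_history} as
 * having received it through that mapping, unless the same user holds the
 * same role through a different WebAuth mapping. In both cases the .htaccess
 * file is regenerated afterwards, since it mirrors the mapping table.
 *
 * @param array $form
 *   The form definition.
 * @param array $form_state
 *   The form state; the clicked button decides which branch runs.
 */
function webauth_admin_groups_submit($form, &$form_state) {
  $button = $form_state['clicked_button'];

  if ($button['#value'] == t('Add Mapping')) {
    $new_rid = $form_state['values']['new_rid'];
    $new_group = $form_state['values']['new_group'];
    db_insert('webauth_roles')
      ->fields(array(
        'rid' => $new_rid,
        'wa_group' => $new_group,
      ))
      ->execute();
    $role_name = db_query("SELECT name FROM {role} WHERE rid = :rid", array(':rid' => $new_rid))->fetchField();
    drupal_set_message(t('Added new WebAuth mapping: @role_name => @new_group', array('@role_name' => $role_name, '@new_group' => $new_group)));
  }
  elseif ($button['#value'] == t('Remove Mapping')) {
    // The id comes from a button FAPI matched against the form definition, but
    // cast it anyway: warid is an integer key and nothing downstream should
    // ever see a non-numeric string. strlen('remove_warid_') == 13.
    $warid = (int) drupal_substr($button['#name'], 13);

    db_delete('webauth_roles')
      ->condition('warid', $warid)
      ->execute();
    drupal_set_message(t('Removed WebAuth mapping from table. [ID: @warid]', array('@warid' => $warid)));

    // Revoke the roles granted through this mapping so the privilege change
    // takes effect now rather than at each user's next login.
    $result = db_query("SELECT * FROM {webauth_roles_history} WHERE warid = :warid", array(':warid' => $warid));
    while ($history = $result->fetchObject()) {
      $held_via_other_mapping = db_query(
        "SELECT * FROM {webauth_roles_history} WHERE uid = :uid AND rid = :rid AND warid <> :warid",
        array(':uid' => $history->uid, ':rid' => $history->rid, ':warid' => $warid)
      )->fetchField();
      if (!$held_via_other_mapping) {
        // NOTE(review): the history table is the only guard here, so a role
        // that an admin also granted by hand is dropped as well.
        db_delete('users_roles')
          ->condition('uid', $history->uid)
          ->condition('rid', $history->rid)
          ->execute();
      }
    }
    db_delete('webauth_roles_history')
      ->condition('warid', $warid)
      ->execute();
  }

  // Need to update the .htaccess file.
  webauth_write_htaccess();
}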
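/**
 * WebAuth user specific functionality form.
 *
 * Collects the access-control inputs that webauth_write_htaccess() turns into
 * Apache directives: whether any valid SUNet ID may log in, an allow-list of
 * SUNet IDs and an allow-list of workgroups. The values are saved as Drupal
 * variables by system_settings_form(); the module's own validate and submit
 * handlers are appended after it so the .htaccess rewrite sees saved values.
 *
 * @param array $form
 *   The form definition passed in by FAPI.
 * @param array $form_state
 *   The current form state, by reference.
 *
 * @return array
 *   The form array.
 */
function webauth_admin_users($form, &$form_state) {
  $form['webauth_require_valid_user'] = array(
    '#type' => 'checkbox',
    '#title' => t('Require ANY valid user'),
    '#description' => t('If checked, anyone with a valid SUNet ID will be allowed to log in. This overrides whatever users or groups are entered below. Default is on.'),
    '#default_value' => variable_get('webauth_require_valid_user', 1),
  );
  $form['webauth_require_users'] = array(
    '#type' => 'textarea',
    '#title' => t('SUNet IDs of users permitted access'),
    '#description' => t('Enter one SUNet ID per line.'),
    '#default_value' => variable_get('webauth_require_users', ''),
  );
  $form['webauth_require_privgroups'] = array(
    '#type' => 'textarea',
    '#title' => t('Workgroups permitted access'),
    '#description' => t('Enter one workgroup (e.g."stanford:staff") per line. You can create and maintain workgroups using <a href="https://workgroup.stanford.edu">workgroup manager</a>.'),
    '#default_value' => variable_get('webauth_require_privgroups', ''),
  );

  $form = system_settings_form($form);
  // This was spelled '#validata', a key FAPI silently ignores, so
  // webauth_admin_users_validate() never ran and unchecked text could reach
  // the generated .htaccess. '#validate' is the real hook.
  $form['#validate'][] = 'webauth_admin_users_validate';
  // Appended after system_settings_form_submit() so that variable_get() in the
  // .htaccess writer already returns the newly submitted values.
  $form['#submit'][] = 'webauth_admin_users_submit';
  return $form;
}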
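/**
 * Validate that we're getting valid input in our .htaccess file.
 *
 * Every non-blank line of the two textareas becomes an argument of an Apache
 * directive, so each line is held to a tight character set: SUNet IDs may
 * contain word characters and '-'; workgroups must be <stem>:<name> with the
 * stem also allowing '~'. Anything else (spaces, quotes, embedded directives)
 * is rejected before webauth_write_htaccess() can emit it. Finally at least
 * one access method must remain, otherwise nobody could reach the site.
 *
 * @param array $form
 *   The form definition.
 * @param array $form_state
 *   The form state; errors are raised with form_set_error().
 */
function webauth_admin_users_validate($form, &$form_state) {
  $values = $form_state['values'];
  $userlines = explode("\n", chop($values['webauth_require_users']));
  $grouplines = explode("\n", chop($values['webauth_require_privgroups']));

  // '-' is placed first in each character class: the original "[\w\d-_]" is an
  // invalid range under PCRE2 (PHP >= 7.3), so preg_match() returned FALSE for
  // every line. Comparing with !== 1 treats a pattern failure as a mismatch.
  foreach ($userlines as $line) {
    // chop() also removes the "\r" left by CRLF submissions.
    $line = chop($line);
    if ($line !== '' && preg_match('/^[-\w]+$/', $line) !== 1) {
      form_set_error('webauth_require_users', t('@line is not a valid user format. Please enter one username per line.', array('@line' => $line)));
    }
  }

  foreach ($grouplines as $line) {
    $line = chop($line);
    if ($line !== '' && preg_match('/^[-~\w]+:[-\w]+$/', $line) !== 1) {
      // The message previously repeated the user-format text by copy-paste.
      form_set_error('webauth_require_privgroups', t('@line is not a valid workgroup format. Please enter one workgroup (e.g. "stanford:staff") per line.', array('@line' => $line)));
    }
  }

  $no_users = trim($values['webauth_require_users']) == '';
  $no_groups = trim($values['webauth_require_privgroups']) == '';
  if ($no_users && $no_groups && empty($values['webauth_require_valid_user'])) {
    form_set_error('webauth_require_valid_user', t('You must specify some valid means for accessing the site.'));
  }
}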
/**
 * Submit handler for the webauth_admin_users form.
 *
 * Regenerates the .htaccess file from the saved settings. It is appended to
 * #submit after system_settings_form() in the form builder, so the variables
 * have already been stored by the time it runs.
 *
 * @param array $form
 *   The form definition.
 * @param array $form_state
 *   The form state (unused; the writer reads the saved variables).
 */
function webauth_admin_users_submit($form, &$form_state) {
  // The Apache config mirrors the saved settings; rewrite it.
  webauth_write_htaccess();
}
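/**
 * Migrate old-style {webauth} and {webauth_force} data to {node_access}.
 *
 * This is here so it can be called from the install file or at a later date.
 *
 * For each {webauth} row the node receives per-node content_access settings
 * whose "view" grant is the union of the row's serialized role list and the
 * Drupal roles mapped to each comma-separated workgroup in its sugroups
 * column. A workgroup with no {webauth_roles} mapping gets a role of the same
 * name (created if missing) and a new mapping. {webauth_force} rows grant
 * "view" to the configured default role and are skipped entirely when no
 * default role is set. Every touched node type is switched to per-node
 * control and the admin is told to rebuild node access.
 */
function webauth_migrate_to_content_access() {
  // Make sure content_access is loaded in case this is during an update hook.
  $content_access_path = DRUPAL_ROOT . '/' . drupal_get_path('module', 'content_access');
  require_once $content_access_path . "/content_access.module";
  require_once $content_access_path . "/content_access.admin.inc";

  // Node types touched, so they can be switched to per-node control below.
  $types = array();
  $default_role = variable_get('webauth_default_role', 0);
  // Only "view" is ever granted by this migration; the other grants stay empty.
  $blank_settings = array(
    'view' => array(),
    'view_own' => array(),
    'update' => array(),
    'update_own' => array(),
    'delete' => array(),
    'delete_own' => array(),
  );

  // The webauth table contains specific mappings, which we should respect.
  $result = db_query("SELECT * FROM {webauth}");
  while ($webauth_access = $result->fetchObject()) {
    $node = node_load($webauth_access->nid);
    if (!$node) {
      // Stale row for a node that no longer exists; nothing to migrate.
      continue;
    }

    // NOTE(review): the role list is PHP-serialized by the legacy schema, so
    // unserialize() is only as trustworthy as that table's contents. Once a
    // PHP 7+ floor is guaranteed, pass array('allowed_classes' => FALSE).
    $webauth_roles = unserialize($webauth_access->roles);
    if (!is_array($webauth_roles)) {
      // Corrupt or empty data would otherwise hand FALSE to array_keys().
      $webauth_roles = array();
    }

    if (trim($webauth_access->sugroups) != '') {
      foreach (explode(',', $webauth_access->sugroups) as $sugroup) {
        $sugroup = trim($sugroup);
        $wa_mapped_role = db_query("SELECT * FROM {webauth_roles} WHERE wa_group = :wa_group", array(':wa_group' => $sugroup))->fetchObject();
        // fetchObject() yields FALSE for an unmapped group; empty() copes with
        // that without the "property of non-object" notice the bare check gave.
        if (!empty($wa_mapped_role->rid)) {
          $webauth_roles[$wa_mapped_role->rid] = $wa_mapped_role->rid;
          continue;
        }

        // No mapping yet: create a role named after the workgroup if needed,
        // then map the workgroup to it.
        $role_exists = (bool) db_query("SELECT COUNT(*) FROM {role} WHERE name = :name", array(':name' => $sugroup))->fetchField();
        if (!$role_exists) {
          // NOTE(review): user_role_save() is the API route and would fire
          // hook_user_role_insert(); this direct insert bypasses those hooks.
          db_insert('role')
            ->fields(array(
              'name' => $sugroup,
            ))
            ->execute();
          drupal_set_message(t('Added Role: @sugroup', array('@sugroup' => $sugroup)));
        }
        $rid = db_query("SELECT rid FROM {role} WHERE name = :name", array(':name' => $sugroup))->fetchField();
        if ($rid) {
          db_insert('webauth_roles')
            ->fields(array(
              'rid' => $rid,
              'wa_group' => $sugroup,
            ))
            ->execute();
          // The placeholder array previously used the key '@sugroup' twice,
          // which left '@sugroup2' unreplaced in the message.
          drupal_set_message(t('Added group mapping for @sugroup => @sugroup2', array('@sugroup' => $sugroup, '@sugroup2' => $sugroup)));
          $webauth_roles[$rid] = $rid;
        }
      }
    }

    $settings = $blank_settings;
    $settings['view'] = array_keys($webauth_roles);
    content_access_save_per_node_settings($node, $settings);
    $types[$node->type] = 1;
  }

  // Force maps to the default role, so only proceed if we have one set.
  if ($default_role > 0) {
    $settings = $blank_settings;
    $settings['view'] = array($default_role);
    $result = db_query("SELECT * FROM {webauth_force}");
    while ($webauth_force = $result->fetchObject()) {
      $node = node_load($webauth_force->nid);
      if (!$node) {
        continue;
      }
      content_access_save_per_node_settings($node, $settings);
      $types[$node->type] = 1;
    }
  }

  // Ensure that all types are set to per-node control.
  // NOTE(review): only the touched types are passed here; confirm that
  // content_access_set_settings() merges with, rather than replaces, per_node
  // settings already configured for other types.
  content_access_set_settings(array('per_node' => $types));
  // Rebuild content_access settings.
  content_access_mass_update($types);

  $link = l(t('here'), 'admin/content/node-settings');
  drupal_set_message(t("You need to rebuild the node access settings now. You can do that !link.", array('!link' => $link)), 'error');
  node_access_needs_rebuild(TRUE);
}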