Project

General

Profile

Bug #2925 ยป chamilo_1870_11af281f65b4.patch

Laurent Opprecht, 22/02/2011 15:25

View differences:

common/libraries/php/authentication/shibboleth/index.php
1 1
<?php
2 2
namespace common\libraries;
3
/**
4
 * $Id: index.php 128 2009-11-09 13:13:20Z vanpouckesven $
5
 * @package common.authentication.shibboleth
6
 */
7
require_once dirname(__FILE__) . '/../../../global.inc.php';
3

  
4
require_once dirname(__FILE__) . '/../../../../global.inc.php';
8 5
require_once dirname(__FILE__) . '/shibboleth_authentication.class.php';
9 6

  
10 7
$shibAuth = new ShibbolethAuthentication();
common/libraries/php/authentication/shibboleth/shibboleth.xml
1 1
<?xml version="1.0" encoding="UTF-8"?>
2 2
<authentication>
3 3

  
4
	<attribute_mapping>
5
		<attribute name="Shib-SwissEP-UniqueID" mapped_to="external_uid"
4
    <attribute_mapping>
5
        <attribute name="Shib-SwissEP-UniqueID" mapped_to="external_uid"
6 6
			default_value="" update_at_login="false" />
7
		<attribute name="Shib-InetOrgPerson-givenName" mapped_to="firstname"
7
        <attribute name="Shib-InetOrgPerson-givenName" mapped_to="firstname"
8 8
			default_value="" update_at_login="true" />
9
		<attribute name="Shib-Person-surname" mapped_to="lastname"
9
        <attribute name="Shib-Person-surname" mapped_to="lastname"
10 10
			default_value="" update_at_login="true" />
11
		<attribute name="Shib-InetOrgPerson-mail" mapped_to="email"
11
        <attribute name="Shib-InetOrgPerson-mail" mapped_to="email"
12 12
			default_value="" update_at_login="true" />
13
		<attribute name="Shib-EP-Affiliation" mapped_to="affiliation"
13
        <attribute name="Shib-EP-Affiliation" mapped_to="affiliation"
14 14
			default_value="student" update_at_login="false" />
15
	</attribute_mapping>
15
    </attribute_mapping>
16 16

  
17
	<role_mapping name_separator=";"
17
    <role_mapping name_separator=";"
18 18
		display_request_form_when_unclear="true">
19
		<value name="faculty" precedence="0" group_id="" role_id="" />
19
        <value name="faculty" precedence="0" group_id="" role_id="" />
20 20

  
21
		<value name="student" precedence="1" group_id="" role_id="" />
22
		<value name="member" precedence="1" group_id="" role_id="" />
23
		<value name="staff" precedence="1" group_id="" role_id="" />
24
		<value name="alum" precedence="1" group_id="" role_id="" />
25
		<value name="affiliate" precedence="1" group_id="" role_id="" />
26
	</role_mapping>
21
        <value name="student" precedence="1" group_id="" role_id="" />
22
        <value name="member" precedence="1" group_id="" role_id="" />
23
        <value name="staff" precedence="1" group_id="" role_id="" />
24
        <value name="alum" precedence="1" group_id="" role_id="" />
25
        <value name="affiliate" precedence="1" group_id="" role_id="" />
26
    </role_mapping>
27 27

  
28 28
</authentication>
common/libraries/php/authentication/shibboleth/shibboleth_authentication.class.php
1 1
<?php
2

  
2 3
namespace common\libraries;
4

  
3 5
/**
4
 * $Id: shibboleth_authentication.class.php 128 2009-11-09 13:13:20Z vanpouckesven $
5 6
 * @package common.authentication.shibboleth
6 7
 */
7
use group\GroupRelUser;
8

  
9
use user\User;
8
use group\GroupRelUser;
9
use user\User;
10 10

  
11 11
require_once dirname(__FILE__) . '/../external_authentication.class.php';
12 12

  
13
/**
14
 * This class allow to login into Chamilo by using the Shibboleth authentication system.
15
 *
16
 * To use this class, the folder 'shibboleth' must be configured in your webserver settings
17
 * to be protected by Shibboleth. In this way, user attributes can be retrieved from the code.
18
 *
19
 * Shibboleth attributes can be mapped to Chamilo user atributes by setting the correct mappings
20
 * in the 'shibboleth.xml' file. Role / Group mapping can be configured in this file as well.
21
 *
22
 * The configuration file allow to define :
23
 *
24
 * - the mapping between Shibboleth attributes and Chamilo user attributes
25
 * - the mapping between the 'affiliation' attribute and Chamilo user roles / groups
26
 * - default values for Chamilo user attributes
27
 * - what Chamilo user attributes must be updated when a user logs in again
28
 *
29
 * About the Role / Group mapping
30
 * *******************************
31
 * The role / group mapping can retrieved from an attribute mapped to 'affiliation'
32
 * This attribute may contain more than one value, separated by a character (typically a semi-colon).
33
 *
34
 * The config file allow to add possible values that may be given by Shibboleth and allow for each of them
35
 * to specify to which group and / or role it must be mapped.
36
 * If a specific value must be mapped to more than one group or role, you can add many times the same value.
37
 *
38
 * Each value has a precedence. It allows to look for values in priority. All values with the same precedence
39
 * are searched in the Shibboleth attributes at the same time. If the user 'affiliation' attribute contains one
40
 * of the searched values, the role / group links are created and the next values with the next precedence are ignored.
41
 * If no value match the user 'affiliation' attribute for a precedence, then the values with next precedence
42
 * are looked for.
43
 *
44
 * It allows for instance in weblcms to check first if a user is a teacher. If he is a teacher, he can be created
45
 * with "teacher" rights, meaning with specific group(s) and / or role(s) links. In the case the user was not recognized
46
 * as a teacher on the first step (with the first precedence value), the system can then (and only then) check
47
 * if the user is a "student", and create the corresponding role / group links for him.
48
 *
13
/**
14
 * This class allow to login into Chamilo by using the Shibboleth authentication system.
15
 *
16
 * To use this class, the folder 'shibboleth' must be configured in your webserver settings
17
 * to be protected by Shibboleth. In this way, user attributes can be retrieved from the code.
18
 *
19
 * Shibboleth attributes can be mapped to Chamilo user atributes by setting the correct mappings
20
 * in the 'shibboleth.xml' file. Role / Group mapping can be configured in this file as well.
21
 *
22
 * The configuration file allow to define :
23
 *
24
 * - the mapping between Shibboleth attributes and Chamilo user attributes
25
 * - the mapping between the 'affiliation' attribute and Chamilo user roles / groups
26
 * - default values for Chamilo user attributes
27
 * - what Chamilo user attributes must be updated when a user logs in again
28
 *
29
 * About the Role / Group mapping
30
 * *******************************
31
 * The role / group mapping can retrieved from an attribute mapped to 'affiliation'
32
 * This attribute may contain more than one value, separated by a character (typically a semi-colon).
33
 *
34
 * The config file allow to add possible values that may be given by Shibboleth and allow for each of them
35
 * to specify to which group and / or role it must be mapped.
36
 * If a specific value must be mapped to more than one group or role, you can add many times the same value.
37
 *
38
 * Each value has a precedence. It allows to look for values in priority. All values with the same precedence
39
 * are searched in the Shibboleth attributes at the same time. If the user 'affiliation' attribute contains one
40
 * of the searched values, the role / group links are created and the next values with the next precedence are ignored.
41
 * If no value match the user 'affiliation' attribute for a precedence, then the values with next precedence
42
 * are looked for.
43
 *
44
 * It allows for instance in weblcms to check first if a user is a teacher. If he is a teacher, he can be created
45
 * with "teacher" rights, meaning with specific group(s) and / or role(s) links. In the case the user was not recognized
46
 * as a teacher on the first step (with the first precedence value), the system can then (and only then) check
47
 * if the user is a "student", and create the corresponding role / group links for him.
48
 *
49 49
 */
50
class ShibbolethAuthentication extends ExternalAuthentication
51
{
50
class ShibbolethAuthentication extends ExternalAuthentication {
51

  
52 52
    const SHIBBOLETH_AUTHENTICATION = 'shibboleth';
53 53
    const RIGHTS_SEPARATOR = 'RIGHTS_SEPARATOR';
54 54

  
55 55
    private $config_xml_document = null;
56 56
    private $user_status_is_unclear = false;
57 57

  
58
    /*
59
     * Constructor
58
    /*
59
     * Constructor
60 60
     */
61
    function __construct()
62
    {
61
    function __construct() {
63 62
        $this->initialize();
64 63
    }
65 64

  
66
    /*
67
     * Initialize the Shibboleth authentication configuration
65
    /*
66
     * Initialize the Shibboleth authentication configuration
68 67
     */
69
    protected function initialize()
70
    {
71
        $doc = simplexml_load_file('shibboleth.xml');
72
        if ($doc !== false)
73
        {
68
    protected function initialize() {
69
        $doc = simplexml_load_file(dirname(__FILE__) . '/shibboleth.xml');
70
        if ($doc !== false) {
74 71
            $this->config_xml_document = $doc;
75 72

  
76 73
            parent :: initialize();
......
78 75
            $this->set_authentication_source_name(self :: SHIBBOLETH_AUTHENTICATION);
79 76
            $this->set_automatic_registration(true);
80 77
            $this->set_register_user_without_role(false);
81
        }
82
        else
83
        {
84
            echo 'unable to load configuration';
78
        } else {
79
            $this->error('unable to load configuration');
85 80
        }
86 81
    }
87 82

  
88
    /**
89
     * Inherited. Note that with Shibboleth $user, $username and $password are not used
90
     *
91
     * @param unknown_type $user
92
     * @param unknown_type $username
93
     * @param unknown_type $password
83
    protected function error($message) {
84
        $parameters[Application :: PARAM_ERROR_MESSAGE] = $message;
85
        Redirect :: link('', $parameters, array(), false,  Redirect :: TYPE_INDEX);
86
    }
87

  
88
    /**
89
     * Inherited. Note that with Shibboleth $user, $username and $password are not used
90
     *
91
     * @param unknown_type $user
92
     * @param unknown_type $username
93
     * @param unknown_type $password
94 94
     */
95
    function check_login($user, $username, $password = null)
96
    {
97
        /*
98
         * With Shibboleth, we don't use $user, $username and $password
95
    function check_login($user, $username, $password = null) {
96
        /*
97
         * With Shibboleth, we don't use $user, $username and $password
99 98
         */
100 99
        unset($user);
101 100
        unset($username);
102 101
        unset($password);
103 102

  
104
        /*
105
         * Check if user already exists
103
        /*
104
         * Check if user already exists
106 105
         */
107 106
        $is_new_user = false;
108 107
        $user = $this->get_existing_user();
109 108

  
110
        if (isset($user) && is_a($user, self :: USER_OBJECT_CLASSNAME))
111
        {
112
            //user already exists
109
        if (isset($user)) {
110
            //user already exists
113 111

  
114 112

  
115
            if ($this->has_fields_to_update_at_login())
116
            {
117
                /*
118
                 * Update user's fields that must be updated when an existing user logs in
113
            if ($this->has_fields_to_update_at_login()) {
114
                /*
115
                 * Update user's fields that must be updated when an existing user logs in
119 116
                 */
120 117

  
121 118
                $user = $this->set_user_attributes($user, $this->get_fields_to_update_at_login());
122 119

  
123
                //save user in datasource
124
                if (! $user->update())
125
                {
120
                //save user in datasource
121
                if (!$user->update()) {
126 122
                    echo 'An error occured while updating your informations';
127
                }
128
                else
129
                {
130
                    if (in_array(self :: PARAM_MAPPING_AFFILIATION, $this->get_fields_to_update_at_login()))
131
                    {
132
                        if (! $this->set_user_rights($user))
133
                        {
134
                            echo 'Unable to set the user rights';
123
                } else {
124
                    if (in_array(self :: PARAM_MAPPING_AFFILIATION, $this->get_fields_to_update_at_login())) {
125
                        if (!$this->set_user_rights($user)) {
126
                            $this->error('Unable to set the user rights');
135 127
                        }
136 128
                    }
137 129
                }
138 130
            }
139
        }
140
        else
141
        {
142
            //user does not exist yet
143

  
131
        } else {
132
            //user does not exist yet
144 133

  
145 134
            $is_new_user = true;
146 135

  
147
            if ($this->is_automatic_registration_enabled())
148
            {
136
            if ($this->is_automatic_registration_enabled()) {
149 137
                $user = $this->get_new_user();
150 138

  
151
                if (isset($user) && is_a($user, self :: USER_OBJECT_CLASSNAME))
152
                {
153
                    if ($user->create())
154
                    {
155
                        if (array_key_exists(self :: PARAM_MAPPING_AFFILIATION, $this->get_user_attribute_mapping()))
156
                        {
157
                            if (! $this->set_user_rights($user))
158
                            {
159
                                echo 'Unable to set the user rights';
139
                if (isset($user)) {
140
                    if ($user->create()) {
141
                        if (array_key_exists(self :: PARAM_MAPPING_AFFILIATION, $this->get_user_attribute_mapping())) {
142
                            if (!$this->set_user_rights($user)) {
143
                                $this->error('Unable to set the user rights');
160 144
                            }
161 145
                        }
162 146
                    }
163 147
                }
164
            }
165
            else
166
            {
167
                echo 'You don\'t have the right to access this platform. Please contact the platform administrator';
148
            } else {
149
                $this->error('You don\'t have the right to access this platform. Please contact the platform administrator');
168 150
            }
169 151
        }
170 152

  
171
        /*
172
         * Login user
153
        /*
154
         * Login user
173 155
         */
174
        if (isset($user) && is_a($user, self :: USER_OBJECT_CLASSNAME))
175
        {
176
            if ($this->user_status_is_unclear && $this->get_display_rights_form_when_unclear_status())
177
            {
156
        if (isset($user)) {
157
            if ($this->user_status_is_unclear && $this->get_display_rights_form_when_unclear_status()) {
178 158
                $this->login($user, false);
179 159
                $this->redirect_to_rights_request_form($is_new_user);
180
            }
181
            else
182
            {
160
            } else {
183 161
                $this->login($user, true);
184 162
            }
185
        }
186
        else
187
        {
188
            echo 'Unable to perform login';
163
        } else {
164
            $this->error('Unable to perform login');
189 165
        }
190 166
    }
191 167

  
192
    /**
193
     * override
168
    /**
169
     * override
194 170
     */
195
    protected function initialize_user_attributes_mapping()
196
    {
197
        if (isset($this->config_xml_document))
198
        {
171
    protected function initialize_user_attributes_mapping() {
172
        if (isset($this->config_xml_document)) {
199 173
            $attributes_mapping = $this->config_xml_document->xpath('/authentication/attribute_mapping/attribute');
200 174

  
201 175
            $user_attribute_mapping = array();
202 176
            $fields_to_update_at_login = array();
203 177

  
204
            foreach ($attributes_mapping as $attribute)
205
            {
178
            foreach ($attributes_mapping as $attribute) {
206 179
                $user_attribute_mapping[(string) $attribute->attributes()->mapped_to] = array(
207
                        'name' => (string) $attribute->attributes()->name,
208
                        'default' => (string) $attribute->attributes()->default_value);
180
                    'name' => (string) $attribute->attributes()->name,
181
                    'default' => (string) $attribute->attributes()->default_value);
209 182

  
210
                if (isset($attribute->attributes()->update_at_login) && $attribute->attributes()->update_at_login == 'true')
211
                {
183
                if (isset($attribute->attributes()->update_at_login) && $attribute->attributes()->update_at_login == 'true') {
212 184
                    $fields_to_update_at_login[] = (string) $attribute->attributes()->mapped_to;
213 185
                }
214 186
            }
215 187

  
216 188
            $this->set_user_attribute_mapping($user_attribute_mapping);
217 189
            $this->set_fields_to_update_at_login($fields_to_update_at_login);
218
        }
219
        else
220
        {
190
        } else {
221 191
            echo '<p>Attribute mapping initialization error</p>';
222 192
        }
223 193
    }
224 194

  
225
    /**
226
     * override
195
    /**
196
     * override
227 197
     */
228
    protected function initialize_fields_to_update_at_login()
229
    {
230
        /*
231
         * Nothing is implemented here, as the initialization is already done when
232
         * 'initialize_user_attributes_mapping()' is called;
198
    protected function initialize_fields_to_update_at_login() {
199
        /*
200
         * Nothing is implemented here, as the initialization is already done when
201
         * 'initialize_user_attributes_mapping()' is called;
233 202
         */
234 203
    }
235 204

  
236
    /**
237
     * override
205
    /**
206
     * override
238 207
     */
239
    protected function initialize_role_attributes_mapping()
240
    {
241
        if (isset($this->config_xml_document))
242
        {
208
    protected function initialize_role_attributes_mapping() {
209
        if (isset($this->config_xml_document)) {
243 210
            $separator = $this->config_xml_document->xpath('/authentication/role_mapping/@name_separator');
244 211
            $this->set_config_parameter(self :: RIGHTS_SEPARATOR, $separator[0]);
245 212

  
246 213
            $display_form = $this->config_xml_document->xpath('/authentication/role_mapping/@display_request_form_when_unclear');
247
            if (isset($display_form[0]) && $display_form[0] == 'true')
248
            {
214
            if (isset($display_form[0]) && $display_form[0] == 'true') {
249 215
                $this->set_display_rights_form_when_unclear_status(true);
250
            }
251
            else
252
            {
216
            } else {
253 217
                $this->set_display_rights_form_when_unclear_status(false);
254 218
            }
255 219

  
......
257 221

  
258 222
            $value_nodes = $this->config_xml_document->xpath('/authentication/role_mapping/value');
259 223

  
260
            foreach ($value_nodes as $value_node)
261
            {
224
            foreach ($value_nodes as $value_node) {
262 225
                $name = (string) $value_node->attributes()->name;
263 226
                $precedence = (string) $value_node->attributes()->precedence;
264 227
                $group_id = (string) $value_node->attributes()->group_id;
265 228
                $role_id = (string) $value_node->attributes()->role_id;
266 229

  
267
                if (! array_key_exists($precedence, $role_mapping))
268
                {
230
                if (!array_key_exists($precedence, $role_mapping)) {
269 231
                    $role_mapping[$precedence] = array();
270 232
                }
271 233

  
272
                if (! array_key_exists($name, $role_mapping[$precedence]))
273
                {
234
                if (!array_key_exists($name, $role_mapping[$precedence])) {
274 235
                    $role_mapping[$precedence][$name] = array();
275 236
                    $role_mapping[$precedence][$name]['group_id'] = array();
276 237
                    $role_mapping[$precedence][$name]['role_id'] = array();
277 238
                }
278 239

  
279
                if (isset($group_id) && strlen($group_id) > 0)
280
                {
240
                if (isset($group_id) && strlen($group_id) > 0) {
281 241
                    $role_mapping[$precedence][$name]['group_id'][] = $group_id;
282 242
                }
283
                if (isset($role_id) && strlen($role_id) > 0)
284
                {
243
                if (isset($role_id) && strlen($role_id) > 0) {
285 244
                    $role_mapping[$precedence][$name]['role_id'][] = $role_id;
286 245
                }
287 246
            }
288 247

  
289 248
            $this->set_user_role_attribute_mapping($role_mapping);
290
        }
291
        else
292
        {
249
        } else {
293 250
            echo '<p>Role mapping initialization error</p>';
294 251
        }
295 252
    }
296 253

  
297
    /**
298
     * Returns the current user logged through Shibboleth if he already
299
     * exists in the datasource. Otherwise return null.
300
     *
301
     * @return User The current user if he already exists in the datasource
254
    /**
255
     * Returns the current user logged through Shibboleth if he already
256
     * exists in the datasource. Otherwise return null.
257
     *
258
     * @return User The current user if he already exists in the datasource
302 259
     */
303
    protected function get_existing_user()
304
    {
260
    protected function get_existing_user() {
305 261
        $user_mapping = $this->get_user_attribute_mapping();
306 262
        $shibboleth_id = $this->get_shibboleth_value($user_mapping[self :: PARAM_MAPPING_EXTERNAL_UID]['name']);
307 263

  
308 264
        $user = $this->retrieve_user_by_external_uid($shibboleth_id);
309 265

  
310
        if (isset($user))
311
        {
266
        if (isset($user)) {
312 267
            return $user;
313
        }
314
        else
315
        {
268
        } else {
316 269
            return null;
317 270
        }
318 271
    }
319 272

  
320
    /**
321
     * Creates and returns a new User based on the Shibboleth attributes
322
     *
323
     * @return User A new user
273
    /**
274
     * Creates and returns a new User based on the Shibboleth attributes
275
     *
276
     * @return User A new user
324 277
     */
325
    protected function get_new_user()
326
    {
278
    protected function get_new_user() {
327 279
        $user = new User();
328 280
        $user = $this->set_user_attributes($user);
329 281
        return $user;
330 282
    }
331 283

  
332
    /**
333
     * override
334
     *
335
     * @param User $user
336
     * @param array $fields_to_set
337
     * @return User
284
    /**
285
     * override
286
     *
287
     * @param User $user
288
     * @param array $fields_to_set
289
     * @return User
338 290
     */
339
    protected function set_user_attributes($user, $fields_to_set = null)
340
    {
341
        foreach ($this->get_user_attribute_mapping() as $field_name => $field_source)
342
        {
291
    protected function set_user_attributes($user, $fields_to_set = null) {
292
        foreach ($this->get_user_attribute_mapping() as $field_name => $field_source) {
343 293
            $must_set = true;
344
            if (isset($fields_to_set) && is_array($fields_to_set) && count($fields_to_set) > 0 && ! in_array($field_name, $fields_to_set))
345
            {
294
            if (isset($fields_to_set) && is_array($fields_to_set) && count($fields_to_set) > 0 && !in_array($field_name, $fields_to_set)) {
346 295
                $must_set = false;
347 296
            }
348 297

  
349
            if ($must_set)
350
            {
298
            if ($must_set) {
351 299
                $value = $this->get_shibboleth_value($field_source['name']);
352 300

  
353
                /*
354
        	     * Default value if no value is found
355
        	     */
356
                if (! isset($value))
357
                {
358
                    if (isset($field_source['default']) && strlen($field_source['default']) > 0)
359
                    {
301
                /*
302
                 * Default value if no value is found
303
                 */
304
                if (!isset($value)) {
305
                    if (isset($field_source['default']) && strlen($field_source['default']) > 0) {
360 306
                        $value = $field_source['default'];
361 307
                    }
362 308
                }
363 309

  
364
                if ($field_name == self :: PARAM_MAPPING_LANG)
365
                {
310
                if ($field_name == self :: PARAM_MAPPING_LANG) {
366 311
                    $lang = $this->get_language_code($value);
367 312
                    $user->set_language($lang);
368
                }
369
                elseif (method_exists($user, 'set_' . $field_name))
370
                {
313
                } elseif (method_exists($user, 'set_' . $field_name)) {
371 314
                    call_user_func_array(array($user, 'set_' . $field_name), array($value));
372 315
                }
373 316
            }
374 317
        }
375 318

  
376
        /*
377
         * Default mandatory values if no mapping is defined
378
         */
379
        //        $user_lang = $user->get_language();
380
        //        if (! isset($user_lang))
381
        //        {
382
        //            $lang = $this->get_language_code(null);
383
        //            $user->set_language($lang);
384
        //        }
385

  
386

  
387
        /*
388
         * case of new user -> init some more default values
319
        /*
320
         * case of new user -> init some more default values
389 321
         */
390 322
        $user_id = $user->get_id();
391
        if (! isset($user_id))
392
        {
323
        if (!isset($user_id)) {
393 324
            $user->set_username($this->generate_username($user->get_firstname(), $user->get_lastname()));
394
            $user->set_password(md5($this->generate_random_password())); //generate random password to prevent security hole if the user's auth_source is modified
325
            $user->set_password(md5($this->generate_random_password())); //generate random password to prevent security hole if the user's auth_source is modified
395 326
            $user->set_auth_source($this->get_authentication_source_name());
396 327
            $user->set_platformadmin(0);
397 328
        }
......
399 330
        return $user;
400 331
    }
401 332

  
402
    /**
403
     * Add the given user in groups and / or grant the user roles.
404
     * The user must already have an id (as it is used to create groups and /or role links)
405
     *
406
     * @param User $user
407
     * @return Boolean role(s) / group(s) affiliation result
333
    /**
334
     * Add the given user in groups and / or grant the user roles.
335
     * The user must already have an id (as it is used to create groups and /or role links)
336
     *
337
     * @param User $user
338
     * @return Boolean role(s) / group(s) affiliation result
408 339
     */
409
    protected function set_user_rights($user)
410
    {
411
        if ($this->has_user_role_attribute_mapping() && array_key_exists(self :: PARAM_MAPPING_AFFILIATION, $this->get_user_attribute_mapping()))
412
        {
340
    protected function set_user_rights($user) {
341
        if ($this->has_user_role_attribute_mapping() && array_key_exists(self :: PARAM_MAPPING_AFFILIATION, $this->get_user_attribute_mapping())) {
413 342
            $user_id = $user->get_id();
414
            if (isset($user) && is_a($user, self :: USER_OBJECT_CLASSNAME) && isset($user_id))
415
            {
416
                /*
417
                 * Deletes all user_role and user_group relations for the user
418
                 * before recreating them with his affiliation attribute
343
            if (isset($user) && isset($user_id)) {
344
                /*
345
                 * Deletes all user_role and user_group relations for the user
346
                 * before recreating them with his affiliation attribute
419 347
                 */
420
                //$user_roles = $user->get_roles();
421 348
                $user_groups = $user->get_user_groups();
422 349

  
423
                if (isset($user_groups))
424
                {
425
                    while ($user_group = $user_groups->next_result())
426
                    {
427
                        if (! $user_group->delete())
428
                        {
350
                if (isset($user_groups)) {
351
                    while ($user_group = $user_groups->next_result()) {
352
                        if (!$user_group->delete()) {
429 353
                            echo 'Unable to clear user groups';
430 354
                        }
431 355
                    }
432 356
                }
433 357

  
434
                //                if (isset($user_roles))
435
                //                {
436
                //                    while ($user_role = $user_roles->next_result())
437
                //                    {
438
                //                        if (! $user_role->delete())
439
                //                        {
440
                //                            echo 'Unable to clear user roles';
441
                //                        }
442
                //                    }
443
                //                }
444

  
445

  
446 358
                $user_mapping = $this->get_user_attribute_mapping();
447 359
                $affiliation = $this->get_shibboleth_value($user_mapping[self :: PARAM_MAPPING_AFFILIATION]['name']);
448 360

  
449
                /*
450
                 * Default value if no value is found
361
                /*
362
                 * Default value if no value is found
451 363
                 */
452
                if (! isset($affiliation))
453
                {
454
                    if (isset($user_mapping[self :: PARAM_MAPPING_AFFILIATION]['default']) && strlen($user_mapping[self :: PARAM_MAPPING_AFFILIATION]['default']) > 0)
455
                    {
364
                if (!isset($affiliation)) {
365
                    if (isset($user_mapping[self :: PARAM_MAPPING_AFFILIATION]['default']) && strlen($user_mapping[self :: PARAM_MAPPING_AFFILIATION]['default']) > 0) {
456 366
                        $affiliation = $user_mapping[self :: PARAM_MAPPING_AFFILIATION]['default'];
457 367
                    }
458 368
                }
......
461 371

  
462 372
                $role_mapping = $this->get_user_role_attribute_mapping();
463 373

  
464
                /*
465
                 * If the user has an affiliation value that the config file doesn't know,
466
                 * his status is considered as unclear
374
                /*
375
                 * If the user has an affiliation value that the config file doesn't know,
376
                 * his status is considered as unclear
467 377
                 */
468 378
                $configured_affiliation_values = array();
469 379

  
470
                foreach ($role_mapping as $mapping_for_precedence)
471
                {
472
                    foreach ($mapping_for_precedence as $attribute_value => $rights)
473
                    {
380
                foreach ($role_mapping as $mapping_for_precedence) {
381
                    foreach ($mapping_for_precedence as $attribute_value => $rights) {
474 382
                        $configured_affiliation_values[] = $attribute_value;
475 383
                    }
476 384
                }
477
                foreach ($affiliation_values as $affiliation_value)
478
                {
479
                    if (! in_array($affiliation_value, $configured_affiliation_values))
480
                    {
385
                foreach ($affiliation_values as $affiliation_value) {
386
                    if (!in_array($affiliation_value, $configured_affiliation_values)) {
481 387
                        $this->user_status_is_unclear = true;
482 388
                    }
483 389
                }
484 390

  
485
                /*
486
                 * Loops on each level of precedence and checks if a corresponding
487
                 * user affiliation value is found.
488
                 *
489
                 * If a value is found in the user attributes, the link between
490
                 * the user and group(s) and / or role(s) are created. The process then stops,
491
                 * meaning we don't look for other precedence levels
492
                 *
391
                /*
392
                 * Loops on each level of precedence and checks if a corresponding
393
                 * user affiliation value is found.
394
                 *
395
                 * If a value is found in the user attributes, the link between
396
                 * the user and group(s) and / or role(s) are created. The process then stops,
397
                 * meaning we don't look for other precedence levels
398
                 *
493 399
                 */
494 400
                $mapping_found = false;
495
                foreach ($role_mapping as $mapping_for_precedence)
496
                {
497
                    if ($mapping_found)
498
                    {
401
                foreach ($role_mapping as $mapping_for_precedence) {
402
                    if ($mapping_found) {
499 403
                        break;
500 404
                    }
501 405

  
502 406
                    $groups = array();
503
                    //                    $roles = array();
504 407

  
505

  
506
                    foreach ($mapping_for_precedence as $attribute_value => $rights)
507
                    {
508
                        if (in_array($attribute_value, $affiliation_values))
509
                        {
510
                            /*
511
                    	     * Find group mappings
512
                    	     */
513
                            foreach ($rights['group_id'] as $group_id)
514
                            {
515
                                if (! in_array($group_id, $groups))
516
                                {
408
                    foreach ($mapping_for_precedence as $attribute_value => $rights) {
409
                        if (in_array($attribute_value, $affiliation_values)) {
410
                            /*
411
                             * Find group mappings
412
                             */
413
                            foreach ($rights['group_id'] as $group_id) {
414
                                if (!in_array($group_id, $groups)) {
517 415
                                    $groups[] = $group_id;
518 416
                                }
519 417
                            }
520 418

  
521
                            //                            /*
522
                            //                    	     * Find role mappings
523
                            //                    	     */
524
                            //                            foreach ($rights['role_id'] as $role_id)
525
                            //                            {
526
                            //                                if (! in_array($role_id, $roles))
527
                            //                                {
528
                            //                                    $roles[] = $role_id;
529
                            //                                }
530
                            //                            }
531

  
532 419

  
533 420
                            $mapping_found = true;
534 421
                        }
535 422
                    }
536 423
                }
537 424

  
538
                if (count($groups) > 0)
539
                {
540
                    /*
541
                     * Create group_user records
425
                if (count($groups) > 0) {
426
                    /*
427
                     * Create group_user records
542 428
                     */
543
                    foreach ($groups as $group_id)
544
                    {
429
                    foreach ($groups as $group_id) {
545 430
                        $group_user = new GroupRelUser();
546 431
                        $group_user->set_user_id($user_id);
547 432
                        $group_user->set_group_id($group_id);
548 433

  
549
                        if (! $group_user->create())
550
                        {
434
                        if (!$group_user->create()) {
551 435
                            echo 'Unable to add user in group ' . $group_id;
552 436
                        }
553 437
                    }
554 438
                }
555

  
556
                //                if (count($roles) > 0)
557
                //                {
558
                //                    /*
559
                //                     * Create user_role records
560
                //                     */
561
                //                    foreach ($roles as $role_id)
562
                //                    {
563
                //                        if (! $user->add_role_link($role_id))
564
                //                        {
565
                //                            echo 'Unable to grant role ' . $role_id . ' to the user';
566
                //                        }
567
                //                    }
568
                //                }
569

  
570

  
571 439
                return true;
572
            }
573
            else
574
            {
440
            } else {
575 441
                return false;
576 442
            }
577
        }
578
        else
579
        {
443
        } else {
580 444
            return false;
581 445
        }
582 446
    }
583 447

  
584
    /**
585
     * Return the shibboleth attribute value for the given attribute name
586
     *
587
     * So far Shibboleth gives values to PHP through HTTP headers (Shibboleth 1.x) or
588
     * environment variables (Shibboleth 2) that can be read through the $_SERVER variable
589
     *
590
     * @param String $shibboleth_param_name the shibboleth attribute name
591
     * @return String the shibboleth attribute value
448
    /**
449
     * Return the shibboleth attribute value for the given attribute name
450
     *
451
     * So far Shibboleth gives values to PHP through HTTP headers (Shibboleth 1.x) or
452
     * environment variables (Shibboleth 2) that can be read through the $_SERVER variable
453
     *
454
     * @param String $shibboleth_param_name the shibboleth attribute name
455
     * @return String the shibboleth attribute value
592 456
     */
593
    protected function get_shibboleth_value($shibboleth_param_name)
594
    {
457
    protected function get_shibboleth_value($shibboleth_param_name) {
595 458
        $request = new Request();
596 459
        return $request->server($shibboleth_param_name);
597 460
    }
598 461

  
599
    /**
600
     * Print a table in the page with the current Shibboleth attributes.
601
     * Mainly useful for debugging the Shibboleth system.
602
     *
603
     * Note: see file 'show_my_infos.php' to see how this method can be called
604
     *
462
    /**
463
     * Print a table in the page with the current Shibboleth attributes.
464
     * Mainly useful for debugging the Shibboleth system.
465
     *
466
     * Note: see file 'show_my_infos.php' to see how this method can be called
467
     *
605 468
     */
606
    function print_shibboleth_attributes()
607
    {
469
    function print_shibboleth_attributes() {
608 470
        echo '<table cellpadding="5" cellspacing="0">';
609 471
        echo '<tr>';
610 472
        echo '<th>User property</th><th></th><th>Shibboleth parameter name</th><th></th><th>User value</th><th></th><th>Default value</th>';
611 473
        echo '</tr>';
612 474

  
613
        foreach ($this->get_user_attribute_mapping() as $field_name => $field_source)
614
        {
475
        foreach ($this->get_user_attribute_mapping() as $field_name => $field_source) {
615 476

  
616 477
            echo '<tr>';
617 478
            echo '  <td>' . $field_name . '</td>';
......
626 487

  
627 488
        echo '</table>';
628 489
    }
490

  
629 491
}
630 492

  
631 493
?>
common/libraries/php/authentication/shibboleth/show_my_infos.php
2 2
namespace common\libraries;
3 3

  
4 4
/**
5
 * $Id: show_my_infos.php 128 2009-11-09 13:13:20Z vanpouckesven $
6 5
 * @package common.authentication.shibboleth
7 6
 */
8 7
/**
9 8
 * This file allows to see the current Shibboleth user attribute values
10 9
 * that are sent to Chamilo. It can be useful to debug the Shibboleth authentication.
11 10
 */
12
require_once dirname(__FILE__) . '/../../../global.inc.php';
11
require_once dirname(__FILE__) . '/../../../../global.inc.php';
13 12
require_once dirname(__FILE__) . '/shibboleth_authentication.class.php';
14 13

  
15 14
/*
    (1-1/1)