diff --git a/main/auth/sso/sso.class.php b/main/auth/sso/sso.class.php index 394096adcd..89c4f840c1 100755 --- a/main/auth/sso/sso.class.php +++ b/main/auth/sso/sso.class.php @@ -25,7 +25,8 @@ class sso { /** * Instanciates the object, initializing all relevant URL strings */ - public function __construct() { + public function __construct() + { $this->protocol = api_get_setting('sso_authentication_protocol'); // There can be multiple domains, so make sure to take only the first // This might be later extended with a decision process @@ -43,7 +44,8 @@ class sso { /** * Unlogs the user from the remote server */ - public function logout() { + public function logout() + { header('Location: '.$this->deauth_url); exit; } @@ -51,12 +53,13 @@ class sso { /** * Sends the user to the master URL for a check of active connection */ - public function ask_master() { + public function ask_master() + { $tempKey = api_generate_password(32); $params = 'sso_referer='.urlencode($this->referer). '&sso_target='.urlencode($this->target). '&sso_challenge='.$tempKey; - Session::write('tempkey',$tempKey); + Session::write('tempkey', $tempKey); if (strpos($this->master_url, "?") === false) { $params = "?$params"; } else { @@ -70,7 +73,8 @@ class sso { * Validates the received active connection data with the database * @return bool Return the loginFailed variable value to local.inc.php */ - public function check_user() { + public function check_user() + { global $_user; $loginFailed = false; //change the way we recover the cookie depending on how it is formed @@ -103,8 +107,7 @@ class sso { global $_configuration; // Two possible authentication methods here: legacy using password // and new using a temporary, session-fixed, tempkey - if ( - ($sso['username'] == $uData['username'] + if (($sso['username'] == $uData['username'] && $sso['secret'] === sha1( $uData['username']. Session::read('tempkey'). @@ -120,14 +123,16 @@ class sso { //Check if the account is active (not locked) if ($uData['active']=='1') { // check if the expiration date has not been reached - if ($uData['expiration_date'] > date('Y-m-d H:i:s') OR $uData['expiration_date']=='0000-00-00 00:00:00') { + if ($uData['expiration_date'] > date('Y-m-d H:i:s') + or $uData['expiration_date']=='0000-00-00 00:00:00') { //If Multiple URL is enabled if (api_get_multiple_access_url()) { - //Check the access_url configuration setting if the user is registered in the access_url_rel_user table + //Check the access_url configuration setting if + // the user is registered in the access_url_rel_user table //Getting the current access_url_id of the platform $current_access_url_id = api_get_current_access_url_id(); - // my user is subscribed in these + // my user is subscribed in these //sites: $my_url_list $my_url_list = api_get_access_url_from_user($uData['user_id']); } else { @@ -138,7 +143,7 @@ class sso { $my_user_is_admin = UserManager::is_admin($uData['user_id']); if ($my_user_is_admin === false) { - if (is_array($my_url_list) && count($my_url_list) > 0 ) { + if (is_array($my_url_list) && count($my_url_list) > 0) { if (in_array($current_access_url_id, $my_url_list)) { // the user has permission to enter at this site $_user['user_id'] = $uData['user_id']; @@ -157,7 +162,7 @@ class sso { exit; } } else { - // there is no URL in the multiple + // there is no URL in the multiple // urls list for this user $loginFailed = true; Session::erase('_uid'); @@ -182,21 +187,27 @@ class sso { if (in_array($current_access_url_id, $my_url_list)) { $_user['user_id'] = $uData['user_id']; $_user = api_get_user_info($_user['user_id']); - Session::write('_user',$_user); + Session::write('_user', $_user); event_login(); } else { $loginFailed = true; Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive'); + header( + 'Location: '.api_get_path(WEB_PATH) + .'index.php?loginFailed=1&error=access_url_inactive' + ); exit; } } - } + } } else { // user account expired $loginFailed = true; Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_expired'); + header( + 'Location: '.api_get_path(WEB_PATH) + .'index.php?loginFailed=1&error=account_expired' + ); exit; } } else { @@ -217,7 +228,10 @@ class sso { //Auth_source is wrong $loginFailed = true; Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=wrong_authentication_source'); + header( + 'Location: '.api_get_path(WEB_PATH) + .'index.php?loginFailed=1&error=wrong_authentication_source' + ); exit; } } else { @@ -236,7 +250,8 @@ class sso { * @param string Encoded cookie * @return array Parsed and unencoded cookie */ - private function decode_cookie($cookie) { + private function decode_cookie($cookie) + { return unserialize(base64_decode($cookie)); } }