• Everyone,

    I have updated the code to address these issues:

    • After passing SAML, you will be redirected to the proper page – instead of the WP login.
    • Users that are added are given the subscriber role

    Here is the snippet of code with the updates:

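    /**
     * WordPress 'authenticate' hook for the simplesamlphp-authentication plugin.
     *
     * Ignores the submitted credentials, forces a SimpleSAMLphp login, maps the
     * SAML attributes onto a WordPress account (creating it when auto-registration
     * is enabled), signs the user in and redirects. Every path ends in a redirect
     * or an error page followed by exit, so the function never returns normally.
     *
     * @param string $username Overwritten with the username taken from the SAML attributes.
     * @param string $password Overwritten with the plugin-derived password.
     */
    function authenticate(&$username, &$password) {
    			global $simplesaml_authentication_opt, $simplesaml_configured, $as;

    			if (!$simplesaml_configured) {
    				die("simplesaml-authentication plugin not configured");
    			}
    			// Reset values from input ($_POST and $_COOKIE): the SAML assertion,
    			// not the login form, decides who the user is.
    			$username = $password = '';

    			// $as is the SimpleSAMLphp auth object set up elsewhere in the plugin.
    			$as->requireAuth();

    			$attributes = $as->getAttributes();

    			/*
    			 * Only allow usernames that are not affected by sanitize_user(), and that are not
    			 * longer than 60 characters (which is the 'user_login' database field length).
    			 * Otherwise an account would be created but with a sanitized username, which might
    			 * clash with an already existing account.
    			 * See sanitize_user() in wp-includes/formatting.php.
    			 */
    			$username_attribute = empty($simplesaml_authentication_opt['username_attribute'])
    				? 'uid'
    				: $simplesaml_authentication_opt['username_attribute'];
    			$username = simplesaml_authentication_attribute($attributes, $username_attribute);

    			// An empty identifier would otherwise pass the sanitize check and reach
    			// wp_insert_user() with an empty user_login.
    			if ($username === '' || $username !== substr(sanitize_user($username, true), 0, 60)) {
    				// The identifier failed sanitize_user(), so it may contain markup:
    				// escape it before echoing it back into the page.
    				$error = sprintf(__('<p><strong>ERROR</strong><br /><br />
    				We got back the following identifier from the login process:<pre>%s</pre>
    				Unfortunately that is not suitable as a username.<br />
    				Please contact the <a href="mailto:%s">blog administrator</a> and ask to reconfigure the
    				simpleSAMLphp plugin!</p>'), esc_html($username), get_option('admin_email'));
    				print($error);
    				exit();
    			}

    			// The WordPress password is derived from the plugin's password root, so
    			// wp_authenticate() can later verify accounts this plugin created.
    			$password = md5(SimpleSAMLAuthentication::passwordRoot());

    			if (!function_exists('get_user_by')) {
    				die("Could not load user data");
    			}

    			if (get_user_by('login', $username)) {
    				// Account already exists: sign in and redirect (never returns).
    				simplesaml_authentication_login_and_redirect($username, $password);
    			}

    			// First time logging in. Loose comparison kept on purpose: the option
    			// may be stored as int or string.
    			if ($simplesaml_authentication_opt['new_user'] != 1) {
    				// Auto-registration is disabled and no account exists for this identifier.
    				$error = sprintf(__('<p><strong>ERROR</strong>: %s is not registered with this blog.
    						Please contact the <a href="mailto:%s">blog administrator</a> to create a new
    						account!</p>'), esc_html($username), get_option('admin_email'));
    				print($error);
    				print('<p><a href="/wp-login.php?action=logout">Log out</a> of SimpleSAML.</p>');
    				exit();
    			}

    			// Auto-registration is enabled: the user passed SimpleSAML and so is
    			// authorised, but is not yet in the WordPress database. Add them.

    			// User must have an e-mail address to register
    			$email_attribute = empty($simplesaml_authentication_opt['email_attribute'])
    				? 'mail'
    				: $simplesaml_authentication_opt['email_attribute'];
    			$user_email = simplesaml_authentication_attribute($attributes, $email_attribute);
    			if ($user_email === '' && !empty($simplesaml_authentication_opt['email_suffix'])) {
    				// No e-mail attribute released: fall back to the configured suffix
    				$user_email = $username . '@' . $simplesaml_authentication_opt['email_suffix'];
    			}

    			$firstname_attribute = empty($simplesaml_authentication_opt['firstname_attribute'])
    				? 'givenName'
    				: $simplesaml_authentication_opt['firstname_attribute'];
    			$lastname_attribute = empty($simplesaml_authentication_opt['lastname_attribute'])
    				? 'sn'
    				: $simplesaml_authentication_opt['lastname_attribute'];

    			// Set user role based on eduPersonEntitlement: only an exact match with the
    			// configured admin entitlement grants administrator, everyone else is a subscriber.
    			$admin_entitlement = isset($simplesaml_authentication_opt['admin_entitlement'])
    				? $simplesaml_authentication_opt['admin_entitlement']
    				: '';
    			$entitlements = isset($attributes['eduPersonEntitlement'])
    				? $attributes['eduPersonEntitlement']
    				: array();
    			$is_admin = $admin_entitlement !== '' && in_array($admin_entitlement, $entitlements, true);

    			$user_info = array(
    				'user_login' => $username,
    				'user_pass'  => $password,
    				'user_email' => $user_email,
    				'first_name' => simplesaml_authentication_attribute($attributes, $firstname_attribute),
    				'last_name'  => simplesaml_authentication_attribute($attributes, $lastname_attribute),
    				'role'       => $is_admin ? 'administrator' : 'subscriber',
    			);

    			$wp_uid = wp_insert_user($user_info);

    			if (is_wp_error($wp_uid)) {
    				// Account creation failed (e.g. the e-mail address is already taken):
    				// report it rather than silently falling back to the WordPress login form.
    				print('<p><strong>ERROR</strong>: ' . esc_html($wp_uid->get_error_message()) . '</p>');
    				exit();
    			}

    			// The account now exists, so sign in exactly like a returning user.
    			simplesaml_authentication_login_and_redirect($username, $password);
    		}

    /**
     * First value of a SAML attribute, or '' when the attribute was not released.
     *
     * Attributes are indexed [0] throughout this plugin (multi-valued); going
     * through this helper avoids undefined-index notices for missing ones.
     *
     * @param array  $attributes Attribute map as returned by getAttributes().
     * @param string $name       Attribute name to read.
     * @return string
     */
    function simplesaml_authentication_attribute($attributes, $name) {
    	if (isset($attributes[$name][0]) && $attributes[$name][0] !== '') {
    		return $attributes[$name][0];
    	}
    	return '';
    }

    /**
     * Signs the WordPress account for $username in and redirects. Never returns.
     *
     * Both the returning-user path and the just-registered path of authenticate()
     * end here, so the login/redirect logic exists only once.
     *
     * @param string $username WordPress login name (already validated by authenticate()).
     * @param string $password The plugin-derived password the account was created with.
     */
    function simplesaml_authentication_login_and_redirect($username, $password) {
    	$user = wp_authenticate($username, $password);
    	if (is_wp_error($user)) {
    		// e.g. the stored password no longer matches the derived one
    		print('<p><strong>ERROR</strong>: ' . esc_html($user->get_error_message()) . '</p>');
    		exit();
    	}

    	wp_set_current_user($user->ID); // Here is where we update the global user variables
    	wp_set_auth_cookie($user->ID);
    	do_action('wp_login', $user->user_login, $user);

    	// Only follow redirect_to when wp_validate_redirect() accepts it as pointing
    	// at this site; an off-site target falls back to the blog URL so the login
    	// flow cannot be used to bounce users to arbitrary hosts.
    	$redirect_to = get_bloginfo('url');
    	if (!empty($_REQUEST['redirect_to'])) {
    		$redirect_to = wp_validate_redirect($_REQUEST['redirect_to'], $redirect_to);
    	}
    	wp_safe_redirect($redirect_to);
    	exit;
    }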

    http://wordpress.org/extend/plugins/simplesamlphp-authentication/
