diff options
author | Brion Vibber <brion@pobox.com> | 2010-05-18 10:39:56 -0700 |
---|---|---|
committer | Brion Vibber <brion@pobox.com> | 2010-05-18 13:28:41 -0700 |
commit | 7c828ae5f8ab20f0daa8a1482fadce9b3e858975 (patch) | |
tree | 24cf70678bf106cf400a95e349ff4bde8416e943 /plugins/OpenID/openid.php | |
parent | b77878f46729d48588fb32b8a54ae13f3752c558 (diff) |
OpenID access control options: trusted provider URL, Launchpad team restrictions. Added an admin panel for setting these and OpenID-only mode, off by default.
To enable the admin panel:
$config['admin']['panels'][] = 'openid';
Or to set them manually:
$config['openid']['trusted_provider'] = 'https://login.ubuntu.net/';
$config['openid']['required_team'] = 'my-project-cabal';
$config['site']['openidonly'] = true;
OpenID-only mode can still be set from addPlugin() parameters as well for backwards compatibility.
Note: if it's set there, that value will override the setting from the database or config.php.
Note that team restrictions are only really meaningful if a trusted provider is set; otherwise,
any OpenID server could report back that users are members of the given team.
Restrictions are checked only at OpenID authentication time and will not kick off people currently
with a session open; existing remembered logins may also survive these changes.
Using code for Launchpad team support provided by Canonical under AGPLv3, pulled from r27 of
WordPress teams integration plugin:
https://code.edge.launchpad.net/~canonical-isd-hackers/wordpress-teams-integration/trunk
Diffstat (limited to 'plugins/OpenID/openid.php')
-rw-r--r-- | plugins/OpenID/openid.php | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/plugins/OpenID/openid.php b/plugins/OpenID/openid.php index 4ec336e1c..5ee9343d2 100644 --- a/plugins/OpenID/openid.php +++ b/plugins/OpenID/openid.php @@ -164,6 +164,15 @@ function oid_authenticate($openid_url, $returnto, $immediate=false) $auth_request->addExtension($sreg_request); } + $requiredTeam = common_config('openid', 'required_team'); + if ($requiredTeam) { + // LaunchPad OpenID extension + $team_request = new Auth_OpenID_TeamsRequest(array($requiredTeam)); + if ($team_request) { + $auth_request->addExtension($team_request); + } + } + $trust_root = common_root_url(true); $process_url = common_local_url($returnto); @@ -286,6 +295,33 @@ function oid_assert_allowed($url) return; } +/** + * Check the teams available in the given OpenID response + * Using Launchpad's OpenID teams extension + * + * @return boolean whether this user is acceptable + */ +function oid_check_teams($response) +{ + $requiredTeam = common_config('openid', 'required_team'); + if ($requiredTeam) { + $team_resp = new Auth_OpenID_TeamsResponse($response); + if ($team_resp) { + $teams = $team_resp->getTeams(); + } else { + $teams = array(); + } + + $match = in_array($requiredTeam, $teams); + $is = $match ? 'is' : 'is not'; + common_log(LOG_DEBUG, "Remote user $is in required team $requiredTeam: [" . implode(', ', $teams) . "]"); + + return $match; + } + + return true; +} + class AutosubmitAction extends Action { var $form_html = null; |