From 7c828ae5f8ab20f0daa8a1482fadce9b3e858975 Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@pobox.com>
Date: Tue, 18 May 2010 10:39:56 -0700
Subject: OpenID access control options: trusted provider URL, Launchpad team
 restrictions. Added an admin panel for setting these and OpenID-only mode,
 off by default.

To enable the admin panel:
    $config['admin']['panels'][] = 'openid';

Or to set them manually:
    $config['openid']['trusted_provider'] = 'https://login.ubuntu.net/';
    $config['openid']['required_team'] = 'my-project-cabal';
    $config['site']['openidonly'] = true;

OpenID-only mode can still be set from addPlugin() parameters as well for backwards compatibility.
Note: if it's set there, that value will override the setting from the database or config.php.

Note that team restrictions are only really meaningful if a trusted provider is set; otherwise,
any OpenID server could report back that users are members of the given team.

Restrictions are checked only at OpenID authentication time and will not kick off people currently
with a session open; existing remembered logins may also survive these changes.

Using code for Launchpad team support provided by Canonical under AGPLv3, pulled from r27 of
WordPress teams integration plugin:
    https://code.edge.launchpad.net/~canonical-isd-hackers/wordpress-teams-integration/trunk
---
 plugins/OpenID/openidlogin.php | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

(limited to 'plugins/OpenID/openidlogin.php')

diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php
index 2a743672c..8c559c934 100644
--- a/plugins/OpenID/openidlogin.php
+++ b/plugins/OpenID/openidlogin.php
@@ -29,7 +29,12 @@ class OpenidloginAction extends Action
         if (common_is_real_login()) {
             $this->clientError(_m('Already logged in.'));
         } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-            $openid_url = $this->trimmed('openid_url');
+            $provider = common_config('openid', 'trusted_provider');
+            if ($provider) {
+                $openid_url = $provider;
+            } else {
+                $openid_url = $this->trimmed('openid_url');
+            }
 
             oid_assert_allowed($openid_url);
 
@@ -116,9 +121,18 @@ class OpenidloginAction extends Action
 
         $this->elementStart('ul', 'form_data');
         $this->elementStart('li');
-        $this->input('openid_url', _m('OpenID URL'),
-                     $this->openid_url,
-                     _m('Your OpenID URL'));
+        $provider = common_config('openid', 'trusted_provider');
+        if ($provider) {
+            $this->element('label', array(), _m('OpenID provider'));
+            $this->element('span', array(), $provider);
+            $this->element('p', 'form_guide',
+                           _m('You will be sent to the provider\'s site for authentication.'));
+            $this->hidden('openid_url', $provider);
+        } else {
+            $this->input('openid_url', _m('OpenID URL'),
+                         $this->openid_url,
+                         _m('Your OpenID URL'));
+        }
         $this->elementEnd('li');
         $this->elementStart('li', array('id' => 'settings_rememberme'));
         $this->checkbox('rememberme', _m('Remember me'), false,
-- 
cgit v1.2.3-54-g00ecf