Posted to commits@vcl.apache.org by jf...@apache.org on 2010/04/12 16:07:15 UTC

svn commit: r933243 - in /incubator/vcl/trunk/web/.ht-inc: authentication.php authmethods/shibauth.php privileges.php utils.php

Author: jfthomps
Date: Mon Apr 12 14:07:14 2010
New Revision: 933243

URL: http://svn.apache.org/viewvc?rev=933243&view=rev
Log:
VCL-250

After correcting this issue, I discovered that passing an affiliation not in the affiliation table would cause a query error.  testGeneralAffiliation in authentication.php had to be modified to correct this, resulting in getUserInfo and getAffilidAndLogin in utils.php needing to be modified, and anything that calls either of those functions.

shibauth.php: modified updateShibUser - check for return status of getAffilidAndLogin, if -1, return NULL

utils.php:
-modified checkAccess - uncommented check to see if $authtype is empty after trying to match the user's affiliation
-modified validateUserid - return 0 if return status of getAffilidAndLogin is -1
-modified getAffilidAndLogin - pass along return status of test function if it is non-zero
-modified addOwnedResourceGroups - return without modifying anything if getUserInfo returns NULL
-modified getUserInfo - return NULL if getAffilidAndLogin returns -1

privileges.php: modified checkUserHasPriv - return 0 if getUserInfo returns -1

authentication.php: modified testGeneralAffiliation - if getAffiliationID returns NULL, return -1

Modified:
    incubator/vcl/trunk/web/.ht-inc/authentication.php
    incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
    incubator/vcl/trunk/web/.ht-inc/privileges.php
    incubator/vcl/trunk/web/.ht-inc/utils.php

Modified: incubator/vcl/trunk/web/.ht-inc/authentication.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authentication.php?rev=933243&r1=933242&r2=933243&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authentication.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authentication.php Mon Apr 12 14:07:14 2010
@@ -654,7 +654,8 @@ function checkExpiredDemoUser($userid, $
 /// \param $login - (pass by ref) a login id with affiliation
 /// \param $affilid - (pass by ref) gets overwritten
 ///
-/// \return - 1 if successfully found affiliation id, 0 if failed 
+/// \return - 1 if successfully found known affiliation id in $login, 0 if
+/// failed, -1 if found an unknown affilation in $login
 ///
 /// \brief changes $login to be without affiliation and sticks the associated
 /// affiliation id in $affilid
@@ -664,6 +665,8 @@ function testGeneralAffiliation(&$login,
 	if(preg_match('/^([^@]+)@([^@\.]*)$/', $login, $matches)) {
 		$login = $matches[1];
 		$affilid = getAffiliationID($matches[2]);
+		if(is_null($affilid))
+			return -1;
 		return 1;
 	}
 	return 0;
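Review bot: On the new `return -1` path both by-reference arguments have already been overwritten: `$login` holds only the part before the `@`, and `$affilid` is NULL. A caller that ignores the return value would presumably carry on with a stripped login and a NULL affiliation id, which is the state the log message describes as causing a query error. Either look the id up into a local first and assign `$login` and `$affilid` only when it is non-NULL, or extend the doc comment with `/// on -1, $login has been stripped and $affilid is NULL`. The function's signature and closing brace are outside this hunk.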

Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php?rev=933243&r1=933242&r2=933243&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php Mon Apr 12 14:07:14 2010
@@ -40,7 +40,9 @@
 ////////////////////////////////////////////////////////////////////////////////
 function updateShibUser($userid) {
 	global $mysql_link_vcl;
-	getAffilidAndLogin($userid, $affilid);
+	$rc = getAffilidAndLogin($userid, $affilid);
+	if($rc == -1)
+		return NULL;
 
 	if(array_key_exists('displayName', $_SERVER) &&
 	   ! empty($_SERVER['displayName'])) {
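Review bot: `if($rc == -1)` is a loose comparison, and in PHP a boolean `true` compares equal to -1. The `getAffilidAndLogin` hunk in utils.php now returns whatever the registered lookup function returned instead of a fixed 1. A lookup function that returns `true` on success would therefore be treated as an unknown affiliation and the user rejected; the only such function visible here, `testGeneralAffiliation`, returns integers. Use `if($rc === -1)` here and in the same checks added to `validateUserid` and `getUserInfo` in utils.php. The body of `updateShibUser` continues past this hunk, so whether its callers handle the new NULL return cannot be confirmed from here.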

Modified: incubator/vcl/trunk/web/.ht-inc/privileges.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/privileges.php?rev=933243&r1=933242&r2=933243&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/privileges.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/privileges.php Mon Apr 12 14:07:14 2010
@@ -2583,8 +2583,11 @@ function checkUserHasPriv($priv, $uid, $
 	$key = getKey(array($priv, $uid, $node, $privs, $cascadePrivs));
 	if(array_key_exists($key, $_SESSION['userhaspriv']))
 		return $_SESSION['userhaspriv'][$key];
-	if($user["id"] != $uid)
+	if($user["id"] != $uid) {
 		$_user = getUserInfo($uid);
+		if(is_null($user))
+			return 0;
+	}
 	else
 		$_user = $user;
 	$affilUserid = "{$_user['unityid']}@{$_user['affiliation']}";
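Review bot: The added guard tests the wrong variable: the result of `getUserInfo($uid)` is assigned to `$_user`, but the check is `if(is_null($user))`. `$user` was already read as `$user["id"]` in the enclosing condition, so it is presumably never NULL at this point. A NULL `$_user` still reaches `$_user['unityid']`, and the privilege lookup continues with an `$affilUserid` whose user and affiliation parts are empty. Change the check to `if(is_null($_user))`, keeping the `return 0;`. The rest of `checkUserHasPriv` is outside the hunk.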

Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=933243&r1=933242&r2=933243&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Mon Apr 12 14:07:14 2010
@@ -364,11 +364,11 @@ function checkAccess() {
 					break;
 				}
 			}
-			/*if(empty($authtype)) {
+			if(empty($authtype)) {
 				print "No authentication mechanism found for passed in X-User";
 				dbDisconnect();
 				exit;
-			}*/
+			}
 			if($authMechs[$authtype]['type'] == 'ldap') {
 				$ds = ldap_connect("ldaps://{$authMechs[$authtype]['server']}/");
 				if(! $ds) {
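Review bot: The restored `empty($authtype)` check has no comment saying why it must stay, and it had already been commented out once. Without it the next statement indexes `$authMechs[$authtype]` with an empty key. I would add `// fail closed: no auth mechanism matches the affiliation in X-User` above the `if`. Whether the rejection also sets an error status or is logged is not visible, since `checkAccess` starts and ends outside this hunk.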
@@ -792,7 +792,9 @@ function validateUserid($loginid) {
 	if(empty($loginid))
 		return 0;
 	
-	getAffilidAndLogin($loginid, $affilid);
+	$rc = getAffilidAndLogin($loginid, $affilid);
+	if($rc == -1)
+		return 0;
 
 	if(empty($affilid))
 		return 0;
@@ -826,7 +828,9 @@ function validateUserid($loginid) {
 /// \param $login - login for user, may include \@affiliation
 /// \param $affilid - variable in which to stick the affiliation id
 ///
-/// \return 1 if $affilid set by a registered function, 0 if set to default
+/// \return 1 if $affilid set by a registered function, 0 if set to default,
+/// -1 if @affiliation was part of $login but did not contain a known
+/// affiliation
 ///
 /// \brief tries registered affiliation lookup functions to determine the
 /// affiliation id of the user; if it finds it, sticks the affiliationid in
@@ -836,8 +840,9 @@ function validateUserid($loginid) {
 function getAffilidAndLogin(&$login, &$affilid) {
 	global $findAffilFuncs;
 	foreach($findAffilFuncs as $func) {
-		if($func($login, $affilid))
-			return 1;
+		$rc = $func($login, $affilid);
+		if($rc)
+			return $rc;
 	}
 	$affilid = DEFAULT_AFFILID;
 	return 0;
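Review bot: `if($rc) return $rc;` ends the loop on -1 as well as on 1. Once one function in `$findAffilFuncs` reports an unknown affiliation, no later function is consulted and `$affilid` is not reset to `DEFAULT_AFFILID`. If that is intended, say so above the loop, for example `// -1 (unknown affiliation) is final: stop and leave $affilid as the lookup set it`. The closing brace of `getAffilidAndLogin` is outside the hunk.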
@@ -1672,7 +1677,8 @@ function addOwnedResources(&$resources, 
 ///
 ////////////////////////////////////////////////////////////////////////////////
 function addOwnedResourceGroups(&$resourcegroups, $userid) {
-	$user = getUserInfo($userid, 1);
+	if(! $user = getUserInfo($userid, 1))
+		return;
 	$userid = $user["id"];
 	$groupids = implode(',', array_keys($user["groups"]));
 	if(empty($groupids))
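Review bot: `if(! $user = getUserInfo($userid, 1))` assigns inside the condition and treats any falsy return as failure, whereas the doc comment added to `getUserInfo` in this commit specifies NULL. Writing `$user = getUserInfo($userid, 1);` followed by `if(is_null($user)) return;` matches that contract and cannot be misread as a comparison. The function body continues beyond the hunk.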
@@ -2795,13 +2801,17 @@ function processInputData($data, $type, 
 ///
 /// \brief gets the user's information from the db and puts it into an array;
 /// if the user is not in the db, query ldap and add them; if the user changed
-/// their name and unity id; fix information in db based on numeric unity id
+/// their name and unity id; fix information in db based on numeric unity id;
+/// returns NULL if could not get information about the user
 ///
 ////////////////////////////////////////////////////////////////////////////////
 function getUserInfo($id, $noupdate=0) {
 	$affilid = DEFAULT_AFFILID;
-	if(! is_numeric($id))
-		getAffilidAndLogin($id, $affilid);
+	if(! is_numeric($id)) {
+		$rc = getAffilidAndLogin($id, $affilid);
+		if($rc == -1)
+			return NULL;
+	}
 
 	$user = array();
 	$query = "SELECT u.unityid AS unityid, "