1: <?php
// Plugin descriptor variables (presumably read by the plugin loader that includes this file).
$plugin_is_filter = 900 | CLASS_PLUGIN;
$plugin_description = gettext('Handles logon from <em>OpenID</em> credential providers.');
$plugin_notice = sprintf(
    gettext('Run the <a href="%s">OpenID detect</a> script to check compatibility of your server configuration.'),
    FULLWEBPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/federated_logon/Auth/OpenID_detect.php?test_query=a%26b'
);
$plugin_author = "Stephen Billard (sbillard)";

// The plugin stays disabled until the 'federated_logon_detect' option is set;
// until then $plugin_disable carries the explanatory message instead of false.
if (getOption('federated_logon_detect')) {
    $plugin_disable = false;
} else {
    $plugin_disable = sprintf(
        gettext('The <a href="%s">OpenID detect</a> script has not been run.'),
        FULLWEBPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/federated_logon/Auth/OpenID_detect.php?test_query=a%26b'
    );
}

if (!$plugin_disable) {
    // Enabled: expose the options class and hook the plugin's static handlers.
    $option_interface = 'federated_logon';
    zp_register_filter('theme_head', 'federated_logon::css');
    zp_register_filter('alt_login_handler', 'federated_logon::alt_login_handler');
    zp_register_filter('save_admin_custom_data', 'federated_logon::save_custom');
    zp_register_filter('edit_admin_custom_data', 'federated_logon::edit_admin');
    zp_register_filter('load_theme_script', 'federated_logon::verify');
} else {
    enableExtension('federated_logon', 0);
}
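/**
 * Option handler and filter callbacks for the federated (OpenID style) logon plugin.
 *
 * The class maps an identity asserted by an external provider onto a local
 * account, and runs an e-mail verification step for accounts whose provider
 * did not supply a usable e-mail address.
 */
class federated_logon {

    /**
     * Lifetime of an e-mailed verification link, in seconds (30 days).
     */
    const VERIFY_LIFETIME = 2592000;

    /**
     * Registers the option defaults for the plugin.
     */
    function __construct() {
        global $_zp_authority;
        setOptionDefault('federated_login_group', 'viewers');
        $mailinglist = $_zp_authority->getAdminEmail(ADMIN_RIGHTS);
        if (empty($mailinglist)) {
            // No administrator address is available, so the notification is forced off.
            setOption('register_user_notify', 0);
        } else {
            setOptionDefault('register_user_notify', 1);
        }
        // Every handler script found is enabled unless the option was already set.
        foreach (getPluginFiles('*_logon.php', 'federated_logon') as $key => $link) {
            setOptionDefault('federated_logon_handler' . $key, 1);
        }
    }

    /**
     * Describes the plugin options for the options page.
     *
     * Side effect: when $_common_notify_handler is empty it is set to this
     * plugin's note text.
     *
     * @return array option descriptors keyed by their display label
     */
    function getOptionsSupported() {
        global $_zp_authority, $_common_notify_handler;

        // Candidate target groups: entries that have some rights but not ADMIN_RIGHTS,
        // so a federated logon cannot be mapped onto a full-administrator group here.
        $ordered = array();
        foreach ($_zp_authority->getAdministrators('groups') as $admin) {
            if ($admin['rights'] && !($admin['rights'] & ADMIN_RIGHTS)) {
                $ordered[$admin['user']] = $admin['user'];
            }
        }

        // Initialised up front: with no handler scripts the original left $list undefined.
        $list = array();
        foreach (getPluginFiles('*_logon.php', 'federated_logon') as $key => $link) {
            $list[str_replace('_logon', '', $key)] = 'federated_logon_handler' . $key;
        }

        $notifyLabel = gettext('Notify*');
        $options = array(
            gettext('Assign user to') => array(
                'key' => 'federated_login_group',
                'type' => OPTION_TYPE_SELECTOR,
                'order' => 0,
                'selections' => $ordered,
                'desc' => gettext('The user group to which to map the federated login.')
            ),
            gettext('Handlers') => array(
                'key' => 'federated_logon_handler',
                'type' => OPTION_TYPE_CHECKBOX_ARRAY,
                'checkboxes' => $list,
                'order' => 1,
                'desc' => gettext('Un-check any handler you do not want to support.')
            ),
            $notifyLabel => array(
                'key' => 'register_user_notify',
                'type' => OPTION_TYPE_CHECKBOX,
                'disabled' => $_common_notify_handler,
                'order' => 7,
                'desc' => gettext('If checked, an e-mail will be sent to the gallery admin when a new user has verified his registration. (Verification is required only if the Federated Logon provider does not supply an e-mail address.)')
            )
        );

        $mailinglist = $_zp_authority->getAdminEmail(ADMIN_RIGHTS);
        if (empty($mailinglist)) {
            $options[$notifyLabel]['disabled'] = true;
            $options[$notifyLabel]['desc'] .= ' ' . gettext('Of course there must be some Administrator with an e-mail address for this option to make sense!');
        }

        if ($_common_notify_handler) {
            // Another plugin already claimed the shared option: show its note.
            $options['note'] = array(
                'key' => 'menu_truncate_note',
                'type' => OPTION_TYPE_NOTE,
                'order' => 8,
                'desc' => '<p class="notebox">' . $_common_notify_handler . '</p>'
            );
        } else {
            $_common_notify_handler = gettext('* The option may be set via the <a href="javascript:gotoName(\'federated_logon\');"><em>register_user</em></a> plugin options.');
            $options['note'] = array(
                'key' => 'menu_truncate_note',
                'type' => OPTION_TYPE_NOTE,
                'order' => 8,
                'desc' => gettext('<p class="notebox">*<strong>Note:</strong> The setting of this option is shared with other plugins.</p>')
            );
        }
        return $options;
    }

    /**
     * Custom option handler; this plugin has no custom options, so it does nothing.
     *
     * @param string $option option name
     * @param mixed $currentValue current value of the option
     */
    function handleOption($option, $currentValue) {

    }

    /**
     * Prints the stylesheet link for the logon buttons (registered on 'theme_head').
     */
    static function css() {
        global $_zp_gallery;
        // No theme lookup when OFFSET_PATH is set.
        $inTheme = OFFSET_PATH ? false : $_zp_gallery->getCurrentTheme();
        $css = getPlugin('federated_logon/federated_logon_buttons.css', $inTheme, true);
        ?>
        <link rel="stylesheet" href="<?php echo $css; ?>" type="text/css" />
        <?php
    }

    /**
     * Adds the enabled federated handler scripts to the alternate logon handler list.
     *
     * @param array $handler_list handlers collected so far; a non-array value is
     *                            treated as an empty list
     * @return array the list with one entry per enabled handler, keyed by display name
     */
    static function alt_login_handler($handler_list) {
        // buttons() used to pass '' here; assigning a string key into a string
        // no longer converts it to an array on PHP 7.1+, so normalise first.
        if (!is_array($handler_list)) {
            $handler_list = array();
        }
        foreach (getPluginFiles('*_logon.php', 'federated_logon') as $key => $link) {
            $option = getOption('federated_logon_handler' . $key);
            // A handler whose option was never stored (NULL) counts as enabled.
            if ($option || is_null($option)) {
                $link = str_replace(SERVERPATH, WEBPATH, str_replace('\\', '/', $link));
                // Drop the 10-character '_logon.php' tail to get the display name.
                $name = str_replace('_', ' ', substr(basename($link), 0, -10));
                $handler_list[$name] = array('script' => $link, 'params' => array());
            }
        }
        return $handler_list;
    }

    /**
     * Logs on (and creates when needed) the local account for a federated identity.
     *
     * An existing valid account named $user has its e-mail and name refreshed from
     * the provider data. Otherwise a new account is created from the group named
     * by the 'federated_login_group' option; if the provider supplied no valid
     * e-mail the account is parked in the rights-less 'federated_verify' group and
     * the redirect is forced to the admin page.
     *
     * NOTE(review): the lookup matches any valid account named $user, not only
     * accounts whose credentials include 'federated'. Confirm that the handler
     * scripts produce user ids that cannot collide with locally created accounts.
     *
     * NOTE(review): $redirect is sent in a Location header as given; confirm that
     * callers restrict it to site-local targets.
     *
     * @param string $user user id asserted by the provider
     * @param string $email e-mail address supplied by the provider, possibly empty
     * @param string $name display name supplied by the provider, possibly empty
     * @param string $redirect where to send the browser after logon; empty for no redirect
     * @return string|false false on success (when no redirect ends the request), else an error message
     */
    static function credentials($user, $email, $name, $redirect) {
        $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
        $more = false;
        if ($userobj) {
            $save = false;
            if (!empty($email) && $email != $userobj->getEmail()) {
                $save = true;
                $userobj->setEmail($email);
            }
            if (!empty($name) && $name != $userobj->getName()) {
                $save = true;
                $userobj->setName($name);
            }
            if ($save) {
                $userobj->save();
            }
        } else {
            $groupname = getOption('federated_login_group');
            $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $groupname, '`valid`=' => 0));
            if ($groupobj) {
                // A group whose name is 'template' only supplies rights and objects;
                // the new user is then not recorded as a member of it.
                $group = NULL;
                if ($groupobj->getName() != 'template') {
                    $group = $groupname;
                }
                $userobj = Zenphoto_Authority::newAdministrator('');
                $userobj->transient = false;
                $userobj->setUser($user);
                $credentials = array('federated', 'user', 'email');
                if ($name) {
                    $credentials[] = 'name';
                }
                $userobj->setCredentials($credentials);
                $userobj->setName($name);
                // Placeholder password that is never handed to the user.
                // NOTE(review): apart from HASH_SEED its inputs are guessable;
                // a random value would be a safer placeholder.
                $userobj->setPass($user . HASH_SEED . gmdate('d M Y H:i:s'));
                $userobj->setObjects(NULL);
                $userobj->setCustomData('');
                $userobj->setLanguage(getUserLocale());
                $userobj->setObjects($groupobj->getObjects());
                if (is_valid_email_zp($email)) {
                    $userobj->setEmail($email);
                    if (getOption('register_user_create_album')) {
                        $userobj->createPrimealbum();
                    }
                } else {
                    // No usable e-mail: hold the account in the rights-less
                    // verification group, creating that group on first use.
                    $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => 'federated_verify', '`valid`=' => 0));
                    if (empty($groupobj)) {
                        $groupobj = Zenphoto_Authority::newAdministrator('federated_verify', 0);
                        $groupobj->setName('group');
                        $groupobj->setRights(NO_RIGHTS);
                        $groupobj->save();
                    }
                    $group = 'federated_verify';
                    $redirect = WEBPATH . '/' . ZENFOLDER . '/admin.php';
                }
                $userobj->setRights($groupobj->getRights());
                $userobj->setGroup($group);
                $userobj->save();
            } else {
                $more = sprintf(gettext('Group %s does not exist.'), $groupname);
            }
        }
        if (!$more) {
            zp_apply_filter('federated_login_attempt', true, $user);
            Zenphoto_Authority::logUser($userobj);
            if ($redirect) {
                header("Location: " . $redirect);
                exitZP();
            }
        }
        return $more;
    }

    /**
     * Compares two strings without an early exit on the first differing byte.
     *
     * @param string $known the value computed locally
     * @param string $given the value received from the request
     * @return bool true when both strings are identical
     */
    private static function sameString($known, $given) {
        if (function_exists('hash_equals')) {
            return hash_equals($known, $given);
        }
        // Fallback for PHP versions that predate hash_equals().
        $length = strlen($known);
        if ($length !== strlen($given)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $length; $i++) {
            $diff |= ord($known[$i]) ^ ord($given[$i]);
        }
        return $diff === 0;
    }

    /**
     * Builds the signed token carried by the e-mailed verification link.
     *
     * Layout: 64 hex characters of HMAC-SHA256 followed by the hex encoded JSON
     * payload (user, email, issue time). The token is hex only, like the
     * unsigned format it replaces.
     *
     * NOTE(review): HASH_SEED is the only secret-looking constant referenced in
     * this file; confirm it is a per-installation secret, otherwise key the HMAC
     * with the site's real secret.
     *
     * @param string $user user id the link is issued for
     * @param string $email e-mail address being verified
     * @return string|false the token, or false if the payload cannot be encoded
     */
    private static function makeVerifyToken($user, $email) {
        $json = json_encode(array('user' => $user, 'email' => $email, 'date' => time()));
        if ($json === false) {
            return false;
        }
        $payload = bin2hex($json);
        return hash_hmac('sha256', $payload, HASH_SEED) . $payload;
    }

    /**
     * Authenticates and decodes a verification token taken from the request.
     *
     * The signature is checked before the payload is decoded, and the payload is
     * JSON, so request data is never passed to unserialize().
     *
     * @param mixed $token raw request value
     * @return array|false array with 'user', 'email' and 'date', or false if the token is not valid
     */
    private static function readVerifyToken($token) {
        if (!is_string($token)) {
            return false;
        }
        // A period that ended up attached to the link is not part of the token.
        $token = strtolower(trim($token, '.'));
        if (strlen($token) <= 64 || strlen($token) % 2 || !ctype_xdigit($token)) {
            return false;
        }
        $mac = substr($token, 0, 64);
        $payload = substr($token, 64);
        if (!self::sameString(hash_hmac('sha256', $payload, HASH_SEED), $mac)) {
            return false;
        }
        $params = json_decode(pack('H*', $payload), true);
        if (!is_array($params) || !isset($params['user'], $params['email'], $params['date'])) {
            return false;
        }
        if (!is_string($params['user']) || !is_string($params['email']) || !is_int($params['date'])) {
            return false;
        }
        return $params;
    }

    /**
     * Sends the verification link once a 'federated_verify' user has stored a
     * valid e-mail address (registered on 'save_admin_custom_data').
     *
     * @param mixed $updated filter value, passed through unchanged
     * @param object $userobj the account being saved
     * @param mixed $i unused
     * @param mixed $alter unused
     * @return mixed $updated
     */
    static function save_custom($updated, $userobj, $i, $alter) {
        if (($userobj->getGroup() == 'federated_verify') && is_valid_email_zp($userobj->getEmail())) {
            $userobj->save();
            $admin_e = $userobj->getEmail();
            $user = $userobj->getUser();
            $key = self::makeVerifyToken($user, $admin_e);
            if ($key !== false) {
                $link = FULLWEBPATH . '/index.php?verify_federated_user=' . $key;
                $message = sprintf(gettext('Visit %s to validate your federated logon credentials.'), $link);
                zp_mail(get_language_string(gettext('Federated user confirmation')), $message, array($user => $admin_e));
            }
        }
        return $updated;
    }

    /**
     * Builds the table row that carries a notice on the user edit form.
     *
     * @param string $msg notice text (HTML)
     * @param mixed $current falsy to render the row hidden
     * @param string $background inline style for the cell, may be empty
     * @return string the row markup
     */
    private static function noticeRow($msg, $current, $background) {
        $rowStyle = $current ? '' : ' style="display:none;"';
        $cellStyle = empty($background) ? '' : ' style="' . $background . '"';
        return '<tr' . $rowStyle . ' class="userextrainfo">' . "\n"
            . '<td' . $cellStyle . ' valign="top" colspan="2">' . "\n"
            . '<p class="notebox">' . $msg . '</p>' . "\n"
            . '</td>' . "\n"
            . '</tr>' . "\n";
    }

    /**
     * Prepends a federated logon notice to the user edit form
     * (registered on 'edit_admin_custom_data').
     *
     * A user editing his own, still unverified record with no e-mail is told to
     * supply one; anyone viewing another user's federated account is told where
     * its credentials came from.
     *
     * @param string $html form markup collected so far
     * @param object $userobj the account being shown
     * @param mixed $i unused
     * @param string $background inline style for the cell
     * @param mixed $current falsy when the row starts hidden
     * @param mixed $local_alterrights unused
     * @return string the markup, with a notice row prepended where one applies
     */
    static function edit_admin($html, $userobj, $i, $background, $current, $local_alterrights) {
        global $_zp_current_admin_obj;
        if (empty($_zp_current_admin_obj) || !$userobj->getValid()) {
            return $html;
        }
        $credentials = $userobj->getCredentials();
        $federated = is_array($credentials) && in_array('federated', $credentials, true);

        if ($userobj->getID() == $_zp_current_admin_obj->getID()) {
            if ($userobj->getGroup() == 'federated_verify') {
                $email = $userobj->getEmail();
                if (empty($email)) {
                    $msg = gettext('<strong>NOTE:</strong> Update your profile with a valid <em>e-mail</em> address and you will be sent a link to validate your access to the site.');
                    $html = self::noticeRow($msg, $current, $background) . $html;
                }
            }
        } else if ($federated) {
            $msg = gettext("<strong>NOTE:</strong> User’s credentials came from a Federated logon.");
            $html = self::noticeRow($msg, $current, $background) . $html;
        }
        return $html;
    }

    /**
     * Completes the e-mail verification of a federated user
     * (registered on 'load_theme_script').
     *
     * The 'verify_federated_user' request value is accepted only if its HMAC is
     * valid, it is younger than VERIFY_LIFETIME, and the named account is still
     * in the 'federated_verify' holding group. Unsigned values are rejected, so
     * knowing a user id and e-mail address is not enough to be logged on, and a
     * link stops working once it has promoted its account. Links mailed in the
     * older unsigned format have to be requested again.
     *
     * @param string $script theme script being loaded, passed through unchanged
     * @return string $script
     */
    static function verify($script) {
        if (!isset($_GET['verify_federated_user'])) {
            return $script;
        }
        $params = self::readVerifyToken(sanitize($_GET['verify_federated_user']));
        if (!$params || (time() - $params['date']) >= self::VERIFY_LIFETIME) {
            return $script;
        }
        $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
        // Only accounts still awaiting verification may be promoted and logged on.
        if (!$userobj || $userobj->getGroup() != 'federated_verify') {
            return $script;
        }
        $groupname = getOption('federated_login_group');
        $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $groupname, '`valid`=' => 0));
        if ($groupobj) {
            $userobj->setRights($groupobj->getRights());
            $userobj->setGroup($groupname);
            $userobj->setObjects($groupobj->getObjects());
            if (getOption('register_user_create_album')) {
                $userobj->createPrimealbum();
            }
            $userobj->save();
        }
        zp_apply_filter('register_user_verified', $userobj);
        // This used to read 'register_logon_user_notify', a key nothing in this
        // class sets; the option offered on the options page is 'register_user_notify'.
        if (getOption('register_user_notify')) {
            zp_mail(gettext('Zenphoto Gallery registration'), sprintf(gettext('%1$s (%2$s) has registered for the zenphoto gallery providing an e-mail address of %3$s.'), $userobj->getName(), $userobj->getUser(), $userobj->getEmail()));
        }
        Zenphoto_Authority::logUser($userobj);
        header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
        exitZP();
        return $script;
    }

    /**
     * Prints the list of federated logon buttons.
     *
     * NOTE(review): $redirect is written without encoding into a javascript: URL
     * inside an HTML attribute. Pass only trusted, site-local paths, or encode it
     * for both the JavaScript string and the attribute before it is printed.
     *
     * @param string|null $redirect target after logon; NULL selects the admin page,
     *                              an empty value sends no redirect parameter
     */
    static function buttons($redirect = NULL) {
        $alt_handlers = federated_logon::alt_login_handler(array());
        ?>
        <ul class="logon_buttons">
            <?php
            foreach ($alt_handlers as $handler => $details) {
                $script = $details['script'];
                $authority = str_replace('_logon', '', stripSuffix(basename($script)));
                if (is_null($redirect)) {
                    $details['params'][] = 'redirect=/' . ZENFOLDER . '/admin.php';
                } else if (!empty($redirect)) {
                    $details['params'][] = 'redirect=' . $redirect;
                }
                if (count($details['params'])) {
                    $params = "'" . implode("','", $details['params']) . "'";
                } else {
                    $params = '';
                }
                ?>
                <li>
                    <span class="fed_buttons">
                        <a href="javascript:launchScript('<?php echo $script; ?>',[<?php echo $params; ?>]);" title="<?php echo $authority; ?>" >
                            <?php
                            // Use the provider logo stored next to the handler script, if there is one.
                            $logo = ltrim(str_replace(WEBPATH, '', dirname($script)) . '/' . $authority . '.png', '/');
                            if (file_exists(SERVERPATH . '/' . $logo)) {
                                ?>
                                <img src="<?php echo WEBPATH . '/' . $logo; ?>" alt="<?php echo $authority; ?>" title="<?php printf(gettext('Login using %s'), $authority); ?>" />
                                <?php
                            } else {
                                echo $authority;
                            }
                            ?>
                        </a>
                    </span>
                </li>
                <?php
            }
            ?>
        </ul>
        <?php
    }

}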
419: ?>