From: Brion Vibber Date: Fri, 3 Jun 2005 11:56:02 +0000 (+0000) Subject: * (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external X-Git-Tag: 1.5.0alpha2~1 X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22auteur_infos%22%2C%20%22id_auteur=%24id%22%29%20.%20%22?a=commitdiff_plain;h=cfa06c17aede70ef8d6744bf80672ca36f6c977c;p=lhc%2Fweb%2Fwiklou.git * (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external LDAP authentication plugin --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 923c14ba17..765d769107 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -240,6 +240,8 @@ Various bugfixes, small features, and a few experimental things: * Removed -f parameter from mail() usage, likely to cause failures and bounces. * (bug 2130) Fixed interwiki links with fragments * (bug 684) Accept an attribute parameter array on parser hook tags +* (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external + LDAP authentication plugin === Caveats === diff --git a/includes/AuthPlugin.php b/includes/AuthPlugin.php index 4f45f0f7fa..e6572e1e35 100644 --- a/includes/AuthPlugin.php +++ b/includes/AuthPlugin.php 
@@ -67,6 +67,56 @@ class AuthPlugin { return false; } + /** + * Modify options in the login template. + * + * @param UserLoginTemplate $template + * @access public + */ + function modifyUITemplate( &$template ) { + # Override this! + $template->set( 'usedomain', false ); + } + + /** + * Set the domain this plugin is supposed to use when authenticating. + * + * @param string $domain + * @access public + */ + function setDomain( $domain ) { + $this->domain = $domain; + } + + /** + * Check to see if the specific domain is a valid domain. + * + * @param string $domain + * @return bool + * @access public + */ + function validDomain( $domain ) { + # Override this! + return true; + } + + /** + * When a user logs in, optionally fill in preferences and such. + * For instance, you might pull the email address or real name from the + * external user database. + * + * The User object is passed by reference so it can be modified; don't + * forget the & on your function declaration. + * + * @param User $user + * @access public + */ + function updateUser( &$user ) { + # Override this and do something + return true; + } + + /** * Return true if the wiki should create a new local account automatically * when asked to login a user who doesn't exist locally but does in the 
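Review bot: The default `validDomain()` returns true for every value, and its docblock does not say that the argument comes straight from the login request (`wpDomain`, read in the SpecialUserlogin.php constructor hunk of this commit). A plugin that enables `usedomain` without overriding it will therefore have any submitted string handed to `setDomain()`. I would state the contract in the docblock, for example `# Override this! $domain is user-supplied; return true only for domains this plugin is configured to serve.` `setDomain()` also writes `$this->domain` while no `var $domain;` is visible here; the class body continues outside the hunk, so confirm the member is declared.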
@@ -85,6 +135,54 @@ class AuthPlugin { return false; } + /** + * Set the given password in the authentication database. + * Return true if successful. + * + * @param string $password + * @return bool + * @access public + */ + function setPassword( $password ) { + return true; + } + + /** + * Update user information in the external authentication database. + * Return true if successful. + * + * @param User $user + * @return bool + * @access public + */ + function updateExternalDB( $user ) { + return true; + } + + /** + * Check to see if external accounts can be created. + * Return true if external accounts can be created. + * @return bool + * @access public + */ + function canCreateAccounts() { + return false; + } + + /** + * Add a user to the external authentication database. + * Return true if successful. + * + * @param User $user + * @param string $password + * @return bool + * @access public + */ + function addUser( $user, $password ) { + return true; + } + + /** * Return true to prevent logins that don't authenticate here from being * checked against the local database's password fields. @@ -114,4 +212,4 @@ class AuthPlugin { } } -?> \ No newline at end of file +?> diff --git a/includes/SpecialPreferences.php b/includes/SpecialPreferences.php index 46b6d88644..56138e98b0 100644 --- a/includes/SpecialPreferences.php +++ b/includes/SpecialPreferences.php @@ -180,6 +180,8 @@ class PreferencesForm { global $wgUser, $wgLang, $wgOut; global $wgEnableUserEmail, $wgEnableEmail; global $wgEmailAuthentication, $wgMinimalPasswordLength; + global $wgAuth; + if ( '' != $this->mNewpass ) { if ( $this->mNewpass != $this->mRetypePass ) { @@ -196,6 +198,10 @@ class PreferencesForm { $this->mainPrefsForm( wfMsg( 'wrongpassword' ) ); return; } + if (!$wgAuth->setPassword( $wgUser, $this->mNewpass )) { + $this->mainPrefsForm( wfMsg( 'externaldberror' ) ); + return; + } $wgUser->setPassword( $this->mNewpass ); } $wgUser->setRealName( $this->mRealName ); 
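Review bot: `setPassword()` is declared in this hunk with a single `$password` parameter, but the SpecialPreferences.php hunk at `@@ -196,6 +198,10 @@` calls it as `$wgAuth->setPassword( $wgUser, $this->mNewpass )`. A plugin that overrides the method with the documented signature would receive the User object in `$password` and never see the new password, so the external password change either fails or stores the wrong value. The declaration and docblock should match the call: `function setPassword( $user, $password ) {` with an added `@param User $user` line. The class body continues outside this hunk.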
@@ -233,6 +239,10 @@ class PreferencesForm { foreach ( $this->mToggles as $tname => $tvalue ) { $wgUser->setOption( $tname, $tvalue ); } + if (!$wgAuth->updateExternalDB($wgUser)) { + $this->mainPrefsForm( wfMsg( 'externaldberror' ) ); + return; + } $wgUser->setCookies(); $wgUser->saveSettings(); diff --git a/includes/SpecialUserlogin.php b/includes/SpecialUserlogin.php index b33b95395c..5bfa70601f 100644 --- a/includes/SpecialUserlogin.php +++ b/includes/SpecialUserlogin.php @@ -27,7 +27,7 @@ function wfSpecialUserlogin() { class LoginForm { var $mName, $mPassword, $mRetype, $mReturnto, $mCookieCheck, $mPosted; var $mAction, $mCreateaccount, $mCreateaccountMail, $mMailmypassword; - var $mLoginattempt, $mRemember, $mEmail; + var $mLoginattempt, $mRemember, $mEmail, $mDomain; /** * Constructor @@ -35,10 +35,12 @@ class LoginForm { */ function LoginForm( &$request ) { global $wgLang, $wgAllowRealName, $wgEnableEmail; + global $wgAuth; $this->mName = $request->getText( 'wpName' ); $this->mPassword = $request->getText( 'wpPassword' ); $this->mRetype = $request->getText( 'wpRetype' ); + $this->mDomain = $request->getText( 'wpDomain' ); $this->mReturnto = $request->getVal( 'returnto' ); $this->mCookieCheck = $request->getVal( 'wpCookieCheck' ); $this->mPosted = $request->wasPosted(); @@ -61,7 +63,12 @@ class LoginForm { } else { $this->mRealName = ''; } - + + if( !$wgAuth->validDomain( $this->mDomain ) ) { + $this->mDomain = 'invaliddomain'; + } + $wgAuth->setDomain( $this->mDomain ); + # When switching accounts, it sucks to get automatically logged out if( $this->mReturnto == $wgLang->specialPage( 'Userlogout' ) ) { $this->mReturnto = ''; 
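Review bot: When `updateExternalDB()` fails, the function returns before `saveSettings()`, yet the earlier hunk (`@@ -196,6 +198,10 @@`) may already have changed the password in the external database during the same request. As far as the visible lines show, the external and local records can then disagree, and the user only sees the generic `externaldberror` text. I would make the external password change the last external step, after `updateExternalDB()` has succeeded. Failing that, record the ordering with a comment such as `# NOTE: external password may already be changed here; local settings are not saved yet.` The enclosing function starts and ends outside this hunk.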
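Review bot: In the constructor hunk (`@@ -61,7 +63,12 @@`) a rejected domain is overwritten with the literal `'invaliddomain'` and that sentinel is then passed to `setDomain()`, so the plugin is configured with a value it has just refused. The later `validDomain( $this->mDomain )` call in the `@@ -155,6 +162,28 @@` hunk consequently tests the sentinel rather than what was submitted, which only works as long as no plugin accepts that string. Keeping the result instead, e.g. `$this->mDomainOk = $wgAuth->validDomain( $this->mDomain );` (name constructed for this note) and calling `setDomain()` only when it is true, removes the magic value. The constructor body continues outside the hunk.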
@@ -155,6 +162,28 @@ class LoginForm { global $wgMaxNameChars; global $wgMemc, $wgAccountCreationThrottle, $wgDBname, $wgIP; global $wgMinimalPasswordLength; + global $wgAuth; + + // If the user passes an invalid domain, something is fishy + if( !$wgAuth->validDomain( $this->mDomain ) ) { + $this->mainLoginForm( wfMsg( 'wrongpassword' ) ); + return false; + } + + // If we are not allowing users to login locally, we should + // be checking to see if the user is actually able to + // authenticate to the authentication server before they + // create an account (otherwise, they can create a local account + // and login as any domain user). We only need to check this for + // domains that aren't local. + if( 'local' != $this->mDomain && '' != $this->mDomain ) { + if( !$wgAuth->canCreateAccounts() && ( !$wgAuth->userExists( $this->mName ) || !$wgAuth->authenticate( $this->mName, $this->mPassword ) ) ) { + $this->mainLoginForm( wfMsg( 'wrongpassword' ) ); + return false; + } + } + + if (!$wgUser->isAllowedToCreateAccount()) { $this->userNotPrivilegedMessage(); @@ -205,6 +234,11 @@ class LoginForm { } } + if( !$wgAuth->addUser( $u, $this->mPassword ) ) { + $this->mainLoginForm( wfMsg( 'externaldberror' ) ); + return false; + } + return $this->initUser( $u ); } @@ -238,6 +272,7 @@ class LoginForm { */ function processLogin() { global $wgUser; + global $wgAuth; if ( '' == $this->mName ) { $this->mainLoginForm( wfMsg( 'noname' ) ); @@ -284,6 +319,8 @@ class LoginForm { } $u->setOption( 'rememberpassword', $r ); + $wgAuth->updateUser( $u ); + $wgUser = $u; $wgUser->setCookies(); @@ -395,6 +432,7 @@ class LoginForm { function mainLoginForm( $err ) { global $wgUser, $wgOut, $wgLang; global $wgDBname, $wgAllowRealName, $wgEnableEmail; + global $wgAuth; if ( '' == $this->mName ) { if ( $wgUser->isLoggedIn() ) { 
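Review bot: The external-authentication guard in the `@@ -155,6 +162,28 @@` hunk is skipped whenever `$this->mDomain` is `''` or `'local'`, and that value is read from the request (`wpDomain`), so whether the check applies is decided by the client. The comment says the check matters when local logins are not allowed, but the condition never consults that policy. Assuming `$wgAuth->strict()` is the policy the comment means, I would key the test on it: `if( $wgAuth->strict() || ( 'local' != $this->mDomain && '' != $this->mDomain ) ) {`. Returning `wrongpassword` on both failure paths is good, since it does not reveal which check failed. The function body continues outside this hunk.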
@@ -418,6 +456,7 @@ class LoginForm { $template->set( 'retype', $this->mRetype ); $template->set( 'email', $this->mEmail ); $template->set( 'realname', $this->mRealName ); + $template->set( 'domain', $this->mDomain ); $template->set( 'action', $titleObj->getLocalUrl( $q ) ); $template->set( 'error', $err ); @@ -426,6 +465,7 @@ class LoginForm { $template->set( 'userealname', $wgAllowRealName ); $template->set( 'useemail', $wgEnableEmail ); $template->set( 'remember', $wgUser->getOption( 'rememberpassword' ) or $this->mRemember ); + $wgAuth->modifyUITemplate( $template ); $wgOut->setPageTitle( wfMsg( 'userlogin' ) ); $wgOut->setRobotpolicy( 'noindex,nofollow' ); diff --git a/includes/User.php b/includes/User.php index 7fafeb79e6..f029cbc569 100644 --- a/includes/User.php +++ b/includes/User.php @@ -1377,8 +1377,17 @@ class User { * @return bool True if the given password is correct otherwise False. */ function checkPassword( $password ) { - global $wgAuth; + global $wgAuth, $wgMinimalPasswordLength; $this->loadFromDatabase(); + + // Even though we stop people from creating passwords that + // are shorter than this, doesn't mean people wont be able + // to. Certain authentication plugins do NOT want to save + // domain passwords in a mysql database, so we should + // check this (incase $wgAuth->strict() is false). + if( strlen( $password ) < $wgMinimalPasswordLength ) { + return false; + } if( $wgAuth->authenticate( $this->getName(), $password ) ) { return true; diff --git a/includes/templates/Userlogin.php b/includes/templates/Userlogin.php index 6188d88bc3..5fcd9154eb 100644 --- a/includes/templates/Userlogin.php +++ b/includes/templates/Userlogin.php @@ -49,6 +49,21 @@ class UserloginTemplate extends QuickTemplate { value="msg('login') ?>" /> + data['usedomain'] ) { + $doms = ""; + foreach( $this->data['domainnames'] as $dom ) { + $doms .= ""; + } + ?> + + msg( 'yourdomainname' ) ?>: + + + + + data['create'] ) { ?>   
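Review bot: In the User.php hunk (`@@ -1377,8 +1377,17 @@`) the length check runs before `$wgAuth->authenticate()`, so it also rejects valid external passwords shorter than `$wgMinimalPasswordLength` and any account whose password predates a raised minimum. The comment's concern is a short or empty password matching the local record of an externally authenticated user, which only affects the local fallback, so the length test belongs below the `authenticate()` call. Separately, if `$wgMinimalPasswordLength` is configured as 0 the guard never fires and an empty password still reaches both the plugin and the local comparison. An explicit `if( '' == $password ) { return false; }` at the top closes that case regardless of configuration. The body of `checkPassword()` continues outside the hunk.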
@@ -110,4 +125,4 @@ class UserloginTemplate extends QuickTemplate { } } -?> \ No newline at end of file +?> diff --git a/languages/Language.php b/languages/Language.php index 2186247a16..541bc38250 100644 --- a/languages/Language.php +++ b/languages/Language.php @@ -570,6 +570,8 @@ Your account has been created. Don't forget to change your {{SITENAME}} preferen 'yourpasswordagain' => 'Retype password', 'newusersonly' => ' (new users only)', 'remembermypassword' => 'Remember my password across sessions.', +'yourdomainname' => 'Your domain', +'externaldberror' => 'There was either an external authentication database error or you are not allowed to update your external account.', 'loginproblem' => 'There has been a problem with your login.
Try again!', 'alreadyloggedin' => "User $1, you are already logged in!
\n",