[module.cas] Now returns login if already validated by [api.core.auth-system-default]
[api.core.auth-system-default] implemented permission management with : 'cas_user', 'cas_admin' (cas_user is always here, cas_admin is added only if admin)
This commit is contained in:
xdrm-brackets
parent
3a2eaefd7f
commit
d7c6ac519c
|
|
@ -13,9 +13,68 @@
|
|||
|
||||
use \error\core\Err;
|
||||
use \error\core\Error;
|
||||
use \database\core\Repo;
|
||||
use \database\repo\professor;
|
||||
|
||||
class AuthSystemDefault implements AuthSystem{
|
||||
|
||||
|
||||
public function __construct(){
|
||||
|
||||
/* (1) Init session variables
|
||||
---------------------------------------------------------*/
|
||||
if( !isset($_SESSION['CAS']) || !is_array($_SESSION['CAS']) ) $_SESSION['CAS'] = [];
|
||||
if( !isset($_SESSION['AUTH']) || !is_array($_SESSION['AUTH']) ) $_SESSION['AUTH'] = [];
|
||||
|
||||
|
||||
/* (2) Check CAS
|
||||
---------------------------------------------------------*/
|
||||
if( isset($_SESSION['CAS']['login']) && isset($_SESSION['CAS']['ticket']) ){
|
||||
|
||||
/* (1) Get professor repo */
|
||||
/** @var professor $prof_repo */
|
||||
$prof_repo = Repo::getRepo('professor');
|
||||
|
||||
/* (2) Get professor with this login */
|
||||
$by_login = $prof_repo->getByLogin($_SESSION['CAS']['login']);
|
||||
|
||||
/* (3) If found -> store useful information */
|
||||
if( is_array($by_login) && isset($by_login['idProfesseur']) && isset($by_login['admin']) ){
|
||||
|
||||
$_SESSION['CAS']['admin'] = (bool) $by_login['admin'];
|
||||
$_SESSION['CAS']['id'] = (int) $by_login['idProfesseur'];
|
||||
|
||||
/* (4) If no login found -> remove CAS auth */
|
||||
}else
|
||||
$_SESSION['CAS'] = [];
|
||||
|
||||
}
|
||||
|
||||
|
||||
/* (3) Process AUTH
|
||||
---------------------------------------------------------*/
|
||||
/* (1) cas_admin | cas_user */
|
||||
if( isset($_SESSION['CAS']['admin']) && is_bool($_SESSION['CAS']['admin']) ){
|
||||
|
||||
// by default: cas_user
|
||||
$_SESSION['AUTH'] = ['cas_user'];
|
||||
|
||||
// if admin: cas_admin
|
||||
if( $_SESSION['CAS']['admin'] === true )
|
||||
$_SESSION['AUTH'][] = ['cas_admin'];
|
||||
|
||||
}
|
||||
|
||||
/* (2) Other permissions */
|
||||
// TODO
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
|
||||
*
|
||||
* @expected<array> Liste des permissions attendues
|
||||
|
|
@ -24,7 +83,51 @@
|
|||
*
|
||||
*/
|
||||
public static function permission($expected){
|
||||
return new Error(Err::Success);
|
||||
|
||||
/* (1) Check format -> if not array of array(s) -> ERROR
|
||||
---------------------------------------------------------*/
|
||||
/* (1) If not array -> ERROR */
|
||||
if( !is_array($expected) )
|
||||
return new Error(Err::FormatError);
|
||||
|
||||
/* (2) If not array of array(s) -> ERROR */
|
||||
foreach($expected as $permission_group)
|
||||
if( !is_array($permission_group) )
|
||||
return new Error(Err::FormatError);
|
||||
|
||||
|
||||
/* (2) For each OR group
|
||||
---------------------------------------------------------*/
|
||||
foreach($expected as $OR_group){
|
||||
|
||||
/* (1) By default suppose the group is valid */
|
||||
// -> an empty group will grant permission to all
|
||||
$valid_group = true;
|
||||
|
||||
/* (2) Check for each AND permission in the group */
|
||||
foreach($OR_group as $AND_perm){
|
||||
|
||||
/* (3) If not in session.auth -> invalidate the permission group */
|
||||
if( !in_array($AND_perm, $_SESSION['AUTH']) ){
|
||||
|
||||
$valid_group = false;
|
||||
break;
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/* (4) If valid group -> Success */
|
||||
if( $valid_group )
|
||||
return new Error(Err::Success);
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
/* (5) If no valid group -> permission error */
|
||||
return new Error(Err::PermissionError);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -27,11 +27,11 @@ class casController{
|
|||
// login: https://sso.univ-pau.fr/cas/login?service=http://ptut.com:8080/api/v/1.0/cas
|
||||
// validate: https://sso.univ-pau.fr/cas/serviceValidate?ticket=***TICKET***&service=http://ptut.com:8080/api/v/1.0/cas
|
||||
|
||||
/* (1) Check validity
|
||||
/* (1) Check if already connected
|
||||
---------------------------------------------------------*/
|
||||
/* (1) Check origin */
|
||||
// TODO
|
||||
|
||||
/* (1) If already -> return @cas_login */
|
||||
if( in_array('cas_user', $_SESSION['AUTH']) )
|
||||
return ['cas_login' => $_SESSION['CAS']['login']];
|
||||
|
||||
/* (2) Fail if no ticket */
|
||||
if( !isset($_GET['ticket']) || !is_string($_GET['ticket']) || strlen($_GET['ticket']) < 1 )
|
||||
|
|
@ -68,6 +68,14 @@ class casController{
|
|||
return ['error' => new Error(Err::PermissionError, 'cannot find cas login')];
|
||||
|
||||
|
||||
/* (3) Store data in session
|
||||
---------------------------------------------------------*/
|
||||
$_SESSION['CAS'] = [
|
||||
'login' => $cas_login,
|
||||
'ticket' => $ticket
|
||||
];
|
||||
|
||||
|
||||
|
||||
return ['cas_login' => $cas_login ];
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue