GNUsocial/gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity
Files
3d8b776dc75eef86be72f648b23dda7c7a25f60c
gnu-social/plugins/OpenID/extlib/teams-extension.php
Brion Vibber 7c828ae5f8 OpenID access control options: trusted provider URL, Launchpad team restrictions. Added an admin panel for setting these and OpenID-only mode, off by default. 
To enable the admin panel:
    $config['admin']['panels'][] = 'openid';

Or to set them manually:
    $config['openid']['trusted_provider'] = 'https://login.ubuntu.net/';
    $config['openid']['required_team'] = 'my-project-cabal';
    $config['site']['openidonly'] = true;

OpenID-only mode can still be set from addPlugin() parameters as well for backwards compatibility.
Note: if it's set there, that value will override the setting from the database or config.php.

Note that team restrictions are only really meaningful if a trusted provider is set; otherwise,
any OpenID server could report back that users are members of the given team.

Restrictions are checked only at OpenID authentication time and will not kick off people currently
with a session open; existing remembered logins may also survive these changes.

Using code for Launchpad team support provided by Canonical under AGPLv3, pulled from r27 of
WordPress teams integration plugin:
    https://code.edge.launchpad.net/~canonical-isd-hackers/wordpress-teams-integration/trunk
2010-05-18 13:28:41 -07:00

176 lines
4.8 KiB
PHP
Raw Blame History

<?php
/*
* Wordpress Teams plugin
* Copyright (C) 2009-2010 Canonical Ltd.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* Provides an example OpenID extension to query user team/group membership
*
* This code is based on code supplied with the openid library for simple
* registration data.
*/
/**
* Require the Message implementation.
*/
require_once 'Auth/OpenID/Message.php';
require_once 'Auth/OpenID/Extension.php';
/**
* The team/group extension base class
*/
class Auth_OpenID_TeamsExtension extends Auth_OpenID_Extension {
var $ns_uri = 'http://ns.launchpad.net/2007/openid-teams';
var $ns_alias = 'lp';
var $request_field = 'query_membership';
var $response_field = 'is_member';
/**
* Get the string arguments that should be added to an OpenID
* message for this extension.
*/
function getExtensionArgs() {
$args = array();
if ($this->_teams) {
$args[$this->request_field] = implode(',', $this->_teams);
}
return $args;
}
/**
* Add the arguments from this extension to the provided message.
*
* Returns the message with the extension arguments added.
*/
function toMessage(&$message) {
if ($message->namespaces->addAlias($this->ns_uri, $this->ns_alias) === null) {
if ($message->namespaces->getAlias($this->ns_uri) != $this->ns_alias) {
return null;
}
}
$message->updateArgs($this->ns_uri, $this->getExtensionArgs());
return $message;
}
/**
* Extract the team/group namespace URI from the given OpenID message.
* Handles OpenID 1 and 2.
*
* $message: The OpenID message from which to parse team/group data.
* This may be a request or response message.
*
* Returns the sreg namespace URI for the supplied message.
*
* @access private
*/
function _getExtensionNS(&$message) {
$alias = null;
$found_ns_uri = null;
// See if there exists an alias for the namespace
$alias = $message->namespaces->getAlias($this->ns_uri);
if ($alias !== null) {
$found_ns_uri = $this->ns_uri;
}
if ($alias === null) {
// There is no alias for this extension, so try to add one.
$found_ns_uri = Auth_OpenID_TYPE_1_0;
if ($message->namespaces->addAlias($this->ns_uri, $this->ns_alias) === null) {
// An alias for the string 'lp' already exists, but
// it's defined for something other than team/group membership
return null;
}
}
return $found_ns_uri;
}
}
/**
* The team/group extension request class
*/
class Auth_OpenID_TeamsRequest extends Auth_OpenID_TeamsExtension {
function __init($teams) {
if (!is_array($teams)) {
if (!empty($teams)) {
$teams = explode(',', $teams);
} else {
$teams = Array();
}
}
$this->_teams = $teams;
}
function Auth_OpenID_TeamsRequest($teams) {
$this->__init($teams);
}
}
/**
* The team/group extension response class
*/
class Auth_OpenID_TeamsResponse extends Auth_OpenID_TeamsExtension {
var $_teams = array();
function __init(&$resp, $signed_only=true) {
$this->ns_uri = $this->_getExtensionNS($resp->message);
if ($signed_only) {
$args = $resp->getSignedNS($this->ns_uri);
} else {
$args = $resp->message->getArgs($this->ns_uri);
}
if ($args === null) {
return null;
}
// An OpenID 2.0 response will handle the namespaces
if (in_array($this->response_field, array_keys($args)) && !empty($args[$this->response_field])) {
$this->_teams = explode(',', $args[$this->response_field]);
}
// Piggybacking on a 1.x request, however, won't so the field name will
// be different
elseif (in_array($this->ns_alias.'.'.$this->response_field, array_keys($args)) && !empty($args[$this->ns_alias.'.'.$this->response_field])) {
$this->_teams = explode(',', $args[$this->ns_alias.'.'.$this->response_field]);
}
}
function Auth_OpenID_TeamsResponse(&$resp, $signed_only=true) {
$this->__init($resp, $signed_only);
}
/**
* Get the array of teams the user is a member of
*
* @return array
*/
function getTeams() {
return $this->_teams;
}
}
?>
View Git Blame Copy Permalink