gnu-social/plugins/OpenID/openidlogin.php
Brion Vibber 7c828ae5f8 OpenID access control options: trusted provider URL, Launchpad team restrictions. Added an admin panel for setting these and OpenID-only mode, off by default.
To enable the admin panel:
    $config['admin']['panels'][] = 'openid';

Or to set them manually:
    $config['openid']['trusted_provider'] = 'https://login.ubuntu.net/';
    $config['openid']['required_team'] = 'my-project-cabal';
    $config['site']['openidonly'] = true;

OpenID-only mode can still be set from addPlugin() parameters as well for backwards compatibility.
Note: if it's set there, that value will override the setting from the database or config.php.

Note that team restrictions are only really meaningful if a trusted provider is set; otherwise,
any OpenID server could report back that users are members of the given team.

Restrictions are checked only at OpenID authentication time and will not kick off people currently
with a session open; existing remembered logins may also survive these changes.

Using code for Launchpad team support provided by Canonical under AGPLv3, pulled from r27 of
WordPress teams integration plugin:
    https://code.edge.launchpad.net/~canonical-isd-hackers/wordpress-teams-integration/trunk
2010-05-18 13:28:41 -07:00

154 lines
5.3 KiB
PHP

<?php
/*
* StatusNet - the distributed open-source microblogging tool
* Copyright (C) 2008, 2009, StatusNet, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); }
require_once INSTALLDIR.'/plugins/OpenID/openid.php';
class OpenidloginAction extends Action
{
function handle($args)
{
parent::handle($args);
if (common_is_real_login()) {
$this->clientError(_m('Already logged in.'));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$provider = common_config('openid', 'trusted_provider');
if ($provider) {
$openid_url = $provider;
} else {
$openid_url = $this->trimmed('openid_url');
}
oid_assert_allowed($openid_url);
# CSRF protection
$token = $this->trimmed('token');
if (!$token || $token != common_session_token()) {
$this->showForm(_m('There was a problem with your session token. Try again, please.'), $openid_url);
return;
}
$rememberme = $this->boolean('rememberme');
common_ensure_session();
$_SESSION['openid_rememberme'] = $rememberme;
$result = oid_authenticate($openid_url,
'finishopenidlogin');
if (is_string($result)) { # error message
unset($_SESSION['openid_rememberme']);
$this->showForm($result, $openid_url);
}
} else {
$openid_url = oid_get_last();
$this->showForm(null, $openid_url);
}
}
function getInstructions()
{
if (common_logged_in() && !common_is_real_login() &&
common_get_returnto()) {
// rememberme logins have to reauthenticate before
// changing any profile settings (cookie-stealing protection)
return _m('For security reasons, please re-login with your ' .
'[OpenID](%%doc.openid%%) ' .
'before changing your settings.');
} else {
return _m('Login with an [OpenID](%%doc.openid%%) account.');
}
}
function showPageNotice()
{
if ($this->error) {
$this->element('div', array('class' => 'error'), $this->error);
} else {
$instr = $this->getInstructions();
$output = common_markup_to_html($instr);
$this->elementStart('div', 'instructions');
$this->raw($output);
$this->elementEnd('div');
}
}
function showScripts()
{
parent::showScripts();
$this->autofocus('openid_url');
}
function title()
{
return _m('OpenID Login');
}
function showForm($error=null, $openid_url)
{
$this->error = $error;
$this->openid_url = $openid_url;
$this->showPage();
}
function showContent() {
$formaction = common_local_url('openidlogin');
$this->elementStart('form', array('method' => 'post',
'id' => 'form_openid_login',
'class' => 'form_settings',
'action' => $formaction));
$this->elementStart('fieldset');
$this->element('legend', null, _m('OpenID login'));
$this->hidden('token', common_session_token());
$this->elementStart('ul', 'form_data');
$this->elementStart('li');
$provider = common_config('openid', 'trusted_provider');
if ($provider) {
$this->element('label', array(), _m('OpenID provider'));
$this->element('span', array(), $provider);
$this->element('p', 'form_guide',
_m('You will be sent to the provider\'s site for authentication.'));
$this->hidden('openid_url', $provider);
} else {
$this->input('openid_url', _m('OpenID URL'),
$this->openid_url,
_m('Your OpenID URL'));
}
$this->elementEnd('li');
$this->elementStart('li', array('id' => 'settings_rememberme'));
$this->checkbox('rememberme', _m('Remember me'), false,
_m('Automatically login in the future; ' .
'not for shared computers!'));
$this->elementEnd('li');
$this->elementEnd('ul');
$this->submit('submit', _m('Login'));
$this->elementEnd('fieldset');
$this->elementEnd('form');
}
function showLocalNav()
{
$nav = new LoginGroupNav($this);
$nav->show();
}
}