diff options
Diffstat (limited to 'pkgs/mediawikiExtensions/Sproxy/Sproxy.php')
-rw-r--r-- | pkgs/mediawikiExtensions/Sproxy/Sproxy.php | 209 |
1 files changed, 209 insertions, 0 deletions
diff --git a/pkgs/mediawikiExtensions/Sproxy/Sproxy.php b/pkgs/mediawikiExtensions/Sproxy/Sproxy.php new file mode 100644 index 0000000..c16ac9e --- /dev/null +++ b/pkgs/mediawikiExtensions/Sproxy/Sproxy.php @@ -0,0 +1,209 @@ +<?php + +// This program is free software: you can redistribute it and/or modify it +// under the terms of the GNU General Public License as published by the Free +// Software Foundation, either version 2 of the License, or (at your option) +// any later version. +// +// This program is distributed in the hope that it will be useful, but WITHOUT +// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +// FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for +// more details. +// +// You should have received a copy of the GNU General Public License along with +// this program. If not, see <http://www.gnu.org/licenses/>. +// +// Copyright 2006 Otheus Shelling +// Copyright 2007 Rusty Burchfield +// Copyright 2009 James Kinsman +// Copyright 2010 Daniel Thomas +// Copyright 2010 Ian Ward Comfort +// Copyright 2013-2016 Zalora South East Asia Pte Ltd +// +// In 2009, the copyright holders determined that the original publishing of this code +// under GPLv3 was legally and logistically in error, and re-licensed it under GPLv2. +// +// See http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER +// +// Adapted by Rusty to be compatible with version 1.9 of MediaWiki +// Optional settings from Emmanuel Dreyfus +// Adapted by VibroAxe (James Kinsman) to be compatible with version 1.16 of MediaWiki +// Adapted by VibroAxe (James Kinsman) to allow domain substitution for Integrated Windows Authentication +// Adapted by drt24 (Daniel Thomas) to add the optional $wgAuthRemoteuserMailDomain and remove hardcoding +// of permissions for anonymous users. +// Adapted by Ian Ward Comfort to detect mismatches between the session user and REMOTE_USER +// Adapted to sproxy by Chris Forno +// Extension credits that show up on Special:Version + +$wgExtensionCredits['other'][] = array( + 'name' => 'Sproxy', + 'version' => '0.2.0', + 'author' => array( + 'Otheus Shelling', + 'Rusty Burchfield', + 'James Kinsman', + 'Daniel Thomas', + 'Ian Ward Comfort', + 'Chris Forno' + ) , + 'url' => '', + 'description' => 'Automatically authenticates users using sproxy HTTP headers.', +); + +// We must allow zero length passwords. This extension does not work in MW 1.16 without this. +$wgMinimalPasswordLength = 0; + +function sproxy_hook() +{ + global $wgUser, $wgRequest, $wgAuth; + + // For a few special pages, don't do anything. + $skipPages = array( + Title::makeName(NS_SPECIAL, 'UserLogin') , + Title::makeName(NS_SPECIAL, 'UserLogout') , + ); + + if (in_array($wgRequest->getVal('title') , $skipPages)) { + return; + } + + // Don't do anything if there's already a valid session. + $user = User::newFromSession(); + if (!$user->isAnon()) { + return; + } + + // If the login form returns NEED_TOKEN try once more with the right token + $trycount = 0; + $token = ''; + $errormessage = ''; + do { + $tryagain = false; + // Submit a fake login form to authenticate the user. + $params = new FauxRequest(array( + 'wpName' => sproxy_username() , + 'wpPassword' => '', + 'wpDomain' => '', + 'wpLoginToken' => $token, + 'wpRemember' => '', + )); + // Authenticate user data will automatically create new users. + $loginForm = new LoginForm($params); + $result = $loginForm->authenticateUserData(); + switch ($result) { + case LoginForm::SUCCESS: + $wgUser->setOption('rememberpassword', 1); + $wgUser->setCookies(); + break; + + case LoginForm::NEED_TOKEN: + $token = $loginForm->getLoginToken(); + $tryagain = ($trycount == 0); + break; + + default: + error_log("Unexpected sproxy authentication failure (code: $result)"); + break; + } + $trycount++; + } + while ($tryagain); +} + +$wgExtensionFunctions[] = 'sproxy_hook'; +function sproxy_email() +{ + return $_SERVER['HTTP_FROM']; +} + +function sproxy_username() +{ + return sproxy_email(); +} + +function sproxy_real_name() +{ + return $_SERVER['HTTP_X_GIVEN_NAME'] . ' ' . $_SERVER['HTTP_X_FAMILY_NAME']; +} + +class AuthSproxy extends AuthPlugin +{ + public function userExists($username) + { + // This does not mean does the user already exist in the Mediawiki database. + return true; + } + + public function authenticate($username, $password) + { + // All users are already authenticated. + return true; + } + + public function autoCreate() + { + // Automatically create Mediawiki users for sproxy users. + return true; + } + + function allowPasswordChange() + { + // This doesn't make any sense so don't allow it. + return false; + } + + public function strict() + { + // Don't check passwords against the Mediawiki database; + return true; + } + + public function initUser(&$user, $autocreate = false) + { + $user->setEmail(sproxy_email()); + $user->mEmailAuthenticated = wfTimestampNow(); + $user->setToken(); + $user->setRealName(sproxy_real_name()); + + // turn on e-mail notifications + if (isset($wgAuthRemoteuserNotify) && $wgAuthRemoteuserNotify) { + $user->setOption('enotifwatchlistpages', 1); + $user->setOption('enotifusertalkpages', 1); + $user->setOption('enotifminoredits', 1); + $user->setOption('enotifrevealaddr', 1); + } + $user->saveSettings(); + } +} + +$wgAuth = new AuthSproxy(); + +// Don't let anonymous people do things... +$wgGroupPermissions['*']['createaccount'] = false; +$wgGroupPermissions['*']['read'] = false; +$wgGroupPermissions['*']['edit'] = false; + +// see http://www.mediawiki.org/wiki/Manual:Hooks/SpecialPage_initList +// and http://www.mediawiki.org/w/Manual:Special_pages +// and http://lists.wikimedia.org/pipermail/mediawiki-l/2009-June/031231.html +// disable login and logout functions for all users +function LessSpecialPages(&$list) +{ + unset($list['ChangeEmail']); + unset($list['Userlogin']); + unset($list['Userlogout']); + return true; +} +$wgHooks['SpecialPage_initList'][] = 'LessSpecialPages'; + +// http://www.mediawiki.org/wiki/Extension:Windows_NTLM_LDAP_Auto_Auth +// remove login and logout buttons for all users +function StripLogin(&$personal_urls, &$wgTitle) +{ + unset($personal_urls["login"]); + unset($personal_urls["logout"]); + unset($personal_urls['anonlogin']); + return true; +} +$wgHooks['PersonalUrls'][] = 'StripLogin'; + |