. // // Copyright 2006 Otheus Shelling // Copyright 2007 Rusty Burchfield // Copyright 2009 James Kinsman // Copyright 2010 Daniel Thomas // Copyright 2010 Ian Ward Comfort // Copyright 2013-2016 Zalora South East Asia Pte Ltd // // In 2009, the copyright holders determined that the original publishing of this code // under GPLv3 was legally and logistically in error, and re-licensed it under GPLv2. // // See http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER // // Adapted by Rusty to be compatible with version 1.9 of MediaWiki // Optional settings from Emmanuel Dreyfus // Adapted by VibroAxe (James Kinsman) to be compatible with version 1.16 of MediaWiki // Adapted by VibroAxe (James Kinsman) to allow domain substitution for Integrated Windows Authentication // Adapted by drt24 (Daniel Thomas) to add the optional $wgAuthRemoteuserMailDomain and remove hardcoding // of permissions for anonymous users. // Adapted by Ian Ward Comfort to detect mismatches between the session user and REMOTE_USER // Adapted to sproxy by Chris Forno // Extension credits that show up on Special:Version $wgExtensionCredits['other'][] = array( 'name' => 'Sproxy', 'version' => '0.2.0', 'author' => array( 'Otheus Shelling', 'Rusty Burchfield', 'James Kinsman', 'Daniel Thomas', 'Ian Ward Comfort', 'Chris Forno' ) , 'url' => '', 'description' => 'Automatically authenticates users using sproxy HTTP headers.', ); // We must allow zero length passwords. This extension does not work in MW 1.16 without this. $wgMinimalPasswordLength = 0; function sproxy_hook() { global $wgUser, $wgRequest, $wgAuth; // For a few special pages, don't do anything. $skipPages = array( Title::makeName(NS_SPECIAL, 'UserLogin') , Title::makeName(NS_SPECIAL, 'UserLogout') , ); if (in_array($wgRequest->getVal('title') , $skipPages)) { return; } // Don't do anything if there's already a valid session. $user = User::newFromSession(); if (!$user->isAnon()) { return; } // If the login form returns NEED_TOKEN try once more with the right token $trycount = 0; $token = ''; $errormessage = ''; do { $tryagain = false; // Submit a fake login form to authenticate the user. $params = new FauxRequest(array( 'wpName' => sproxy_username() , 'wpPassword' => '', 'wpDomain' => '', 'wpLoginToken' => $token, 'wpRemember' => '', )); // Authenticate user data will automatically create new users. $loginForm = new LoginForm($params); $result = $loginForm->authenticateUserData(); switch ($result) { case LoginForm::SUCCESS: $wgUser->setOption('rememberpassword', 1); $wgUser->setCookies(); break; case LoginForm::NEED_TOKEN: $token = $loginForm->getLoginToken(); $tryagain = ($trycount == 0); break; default: error_log("Unexpected sproxy authentication failure (code: $result)"); break; } $trycount++; } while ($tryagain); } $wgExtensionFunctions[] = 'sproxy_hook'; function sproxy_email() { return $_SERVER['HTTP_FROM']; } function sproxy_username() { // We can't rely on X-Given-Name/X-Family name because they can be // set by the user. I've personally seen someone set their name to // "ZALORA". // // Instead, we'll try to extract the real name from the first part // of the email address. list($username, $_) = explode('@', sproxy_email()); // So we have something like firstname.lastname or firstname.l or // firstname. return $username; } function sproxy_real_name() { return $_SERVER['HTTP_X_GIVEN_NAME'] . ' ' . $_SERVER['HTTP_X_FAMILY_NAME']; } class AuthSproxy extends AuthPlugin { public function userExists($username) { // This does not mean does the user already exist in the Mediawiki database. return true; } public function authenticate($username, $password) { // All users are already authenticated. return true; } public function autoCreate() { // Automatically create Mediawiki users for sproxy users. return true; } function allowPasswordChange() { // This doesn't make any sense so don't allow it. return false; } public function strict() { // Don't check passwords against the Mediawiki database; return true; } public function initUser(&$user, $autocreate = false) { $user->setEmail(sproxy_email()); $user->mEmailAuthenticated = wfTimestampNow(); $user->setToken(); $user->setRealName(sproxy_real_name()); // turn on e-mail notifications if (isset($wgAuthRemoteuserNotify) && $wgAuthRemoteuserNotify) { $user->setOption('enotifwatchlistpages', 1); $user->setOption('enotifusertalkpages', 1); $user->setOption('enotifminoredits', 1); $user->setOption('enotifrevealaddr', 1); } $user->saveSettings(); } } $wgAuth = new AuthSproxy(); // Don't let anonymous people do things... $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['read'] = false; $wgGroupPermissions['*']['edit'] = false; // see http://www.mediawiki.org/wiki/Manual:Hooks/SpecialPage_initList // and http://www.mediawiki.org/w/Manual:Special_pages // and http://lists.wikimedia.org/pipermail/mediawiki-l/2009-June/031231.html // disable login and logout functions for all users function LessSpecialPages(&$list) { unset($list['ChangeEmail']); unset($list['Userlogin']); unset($list['Userlogout']); return true; } $wgHooks['SpecialPage_initList'][] = 'LessSpecialPages'; // http://www.mediawiki.org/wiki/Extension:Windows_NTLM_LDAP_Auto_Auth // remove login and logout buttons for all users function StripLogin(&$personal_urls, &$wgTitle) { unset($personal_urls["login"]); unset($personal_urls["logout"]); unset($personal_urls['anonlogin']); return true; } $wgHooks['PersonalUrls'][] = 'StripLogin';