[horde] _horde_hook_postauthenticate()

Chuck Hagenbuch chuck at horde.org
Mon Jun 23 16:14:20 UTC 2008


Quoting Liam Hoekenga <liamr at umich.edu>:

>> So is the hook not called on initial login? Or is that avoided  
>> because of your transparent authentication? Why can't you block  
>> them where you do transparent auth, then?
>
> Admittedly, some of the weirdness may be due to the transparent auth.
>
> I've got initial_app set to imp.. so, if I go to..
>
>    https://webmail.example.edu/horde/turba/
>
> I get redirected through IMP, and I see my error message.
>
> If I then go back to...
>
>    https://webmail.example.edu/horde/turba/
>
> I get dumped into turba with a last login message.

I think transparent auth was bypassing the postauthenticate hooks at  
least in some circumstances. Can you try this patch and see if it helps?

I'd be interested in hearing from anyone who uses postauth hooks if  
this works with your existing setup, btw.

-chuck
-------------- next part --------------
Index: Auth.php
===================================================================
RCS file: /repository/framework/Auth/Auth.php,v
retrieving revision 1.196
diff -u -r1.196 Auth.php
--- Auth.php	29 Feb 2008 23:43:24 -0000	1.196
+++ Auth.php	23 Jun 2008 16:08:48 -0000
@@ -159,21 +159,13 @@
             if (is_a($authenticated, 'PEAR_Error')) {
                 return false;
             }
-            if (!empty($GLOBALS['conf']['hooks']['postauthenticate'])) {
-                if (!Horde::callHook('_horde_hook_postauthenticate', array($userId, $credentials, $realm), 'horde', false)) {
-                    if ($this->_getAuthError() != AUTH_REASON_MESSAGE) {
-                        $this->_setAuthError(AUTH_REASON_FAILED);
-                    }
-                    return false;
-                }
-            }
 
             if ($login) {
-                $this->setAuth($this->_authCredentials['userId'],
-                               $this->_authCredentials['credentials'],
-                               $this->_authCredentials['realm'],
-                               $this->_authCredentials['changeRequested']);
-                $auth = true;
+                $auth = $this->setAuth(
+                    $this->_authCredentials['userId'],
+                    $this->_authCredentials['credentials'],
+                    $this->_authCredentials['realm'],
+                    $this->_authCredentials['changeRequested']);
             } else {
                 if (!$this->_checkSessionIP()) {
                     $this->_setAuthError(AUTH_REASON_SESSIONIP);
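Review bot: With the hook call removed from this spot, the `else` branch (the `$login` false path) no longer runs `_horde_hook_postauthenticate` at all, because the hook now sits behind `setAuth()`, which only the `if ($login)` branch calls. A caller that uses this method purely as a credential check was previously subject to the hook's veto and is not after this change; whether such callers exist is outside this patch. If that is intended, a comment at the `else` branch such as `// postauthenticate hook is enforced only via setAuth(); credential-only checks skip it` would record the decision. The enclosing function starts and ends outside the hunk.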
@@ -531,8 +523,7 @@
 
         // Try transparent authentication now.
         $auth = &Auth::singleton($GLOBALS['conf']['auth']['driver']);
-        if ($auth->hasCapability('transparent') &&
-            $auth->transparent()) {
+        if ($auth->hasCapability('transparent') && $auth->transparent()) {
             return Auth::isAuthenticated($realm);
         }
 
@@ -679,10 +670,19 @@
         $userId = trim($userId);
         $userId = Auth::addHook($userId);
 
+        if (!empty($GLOBALS['conf']['hooks']['postauthenticate'])) {
+            if (!Horde::callHook('_horde_hook_postauthenticate', array($userId, $credentials, $realm), 'horde', false)) {
+                if ($this->_getAuthError() != AUTH_REASON_MESSAGE) {
+                    $this->_setAuthError(AUTH_REASON_FAILED);
+                }
+                return false;
+            }
+        }
+
         /* If we're already set with this userId, don't continue. */
         if (isset($_SESSION['__auth']['userId']) &&
             $_SESSION['__auth']['userId'] == $userId) {
-            return;
+            return true;
         }
 
         /* Clear any existing info. */
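Review bot: The relocated guard rejects only when `Horde::callHook()` returns a falsy value, so a hook result that is an error object would count as success and the login would go ahead. callHook's return contract is not visible here; if it can hand back a `PEAR_Error` (this file already tests `is_a($authenticated, 'PEAR_Error')` elsewhere), the check should fail closed, e.g. `$ok = Horde::callHook(...);` followed by `if (is_a($ok, 'PEAR_Error') || !$ok) {`. The hook also now runs ahead of the "already set with this userId" short-circuit, so it fires on every call even for an existing session; a one-line comment saying that is deliberate would help hook authors whose hooks have side effects. The function (apparently setAuth()) starts and ends outside the hunk.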
@@ -766,6 +766,8 @@
                 exit;
             }
         }
+
+        return true;
     }
 
     /**
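Review bot: Now that this method returns a success flag and the driver methods changed in this patch return or test that flag, any `setAuth()` override that still falls off the end returns null and is treated as a failed login. Auth/kolab.php is updated in this patch; other overrides, if any exist outside it, need the same `return parent::setAuth(...)`. The method's docblock is outside the hunk and should gain `@return boolean  Whether the user was authenticated (false if the postauthenticate hook rejected the login).` so driver authors see the new contract.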
Index: Auth/auto.php
===================================================================
RCS file: /repository/framework/Auth/Auth/auto.php,v
retrieving revision 1.24
diff -u -r1.24 auto.php
--- Auth/auto.php	2 Jan 2008 11:11:50 -0000	1.24
+++ Auth/auto.php	23 Jun 2008 16:08:48 -0000
@@ -76,10 +76,9 @@
         $username = (!empty($this->_params['requestuser']) && isset($_REQUEST['username'])) ?
             $_REQUEST['username'] :
             $this->_params['username'];
-        $this->setAuth($username,
-                       array('transparent' => 1,
-                             'password' => isset($this->_params['password']) ? $this->_params['password'] : null));
-        return true;
+        return $this->setAuth($username,
+            array('transparent' => 1,
+                  'password' => isset($this->_params['password']) ? $this->_params['password'] : null));
     }
 
 }
Index: Auth/http.php
===================================================================
RCS file: /repository/framework/Auth/Auth/http.php,v
retrieving revision 1.35
diff -u -r1.35 http.php
--- Auth/http.php	2 Jan 2008 11:11:50 -0000	1.35
+++ Auth/http.php	23 Jun 2008 16:08:48 -0000
@@ -145,10 +145,9 @@
     {
         if (!empty($_SERVER['PHP_AUTH_USER']) &&
             !empty($_SERVER['PHP_AUTH_PW'])) {
-            $this->setAuth(Util::dispelMagicQuotes($_SERVER['PHP_AUTH_USER']),
-                           array('password' => Util::dispelMagicQuotes($_SERVER['PHP_AUTH_PW']),
-                                 'transparent' => 1));
-            return true;
+            return $this->setAuth(Util::dispelMagicQuotes($_SERVER['PHP_AUTH_USER']),
+                                  array('password' => Util::dispelMagicQuotes($_SERVER['PHP_AUTH_PW']),
+                                        'transparent' => 1));
         }
 
         $this->_setAuthError(AUTH_REASON_MESSAGE, _("HTTP Authentication not found."));
Index: Auth/ipbasic.php
===================================================================
RCS file: /repository/framework/Auth/Auth/ipbasic.php,v
retrieving revision 1.30
diff -u -r1.30 ipbasic.php
--- Auth/ipbasic.php	2 Jan 2008 11:11:50 -0000	1.30
+++ Auth/ipbasic.php	23 Jun 2008 16:08:48 -0000
@@ -81,8 +81,7 @@
         $client = $_SERVER['REMOTE_ADDR'];
         foreach ($this->_params['blocks'] as $cidr) {
             if ($this->_addressWithinCIDR($client, $cidr)) {
-                $this->setAuth($cidr, array('transparent' => 1));
-                return true;
+                return $this->setAuth($cidr, array('transparent' => 1));
             }
         }
 
Index: Auth/kolab.php
===================================================================
RCS file: /repository/framework/Auth/Auth/kolab.php,v
retrieving revision 1.15
diff -u -r1.15 kolab.php
--- Auth/kolab.php	16 Jun 2008 04:57:53 -0000	1.15
+++ Auth/kolab.php	23 Jun 2008 16:08:48 -0000
@@ -135,11 +135,11 @@
             $userMail = $db->mailForUidOrMail($userId);
             if (is_a($userMail, 'PEAR_Error')) {
                 Horde::logMessage('Error while fetching the Kolab ID', __FILE__, __LINE__, PEAR_LOG_ERR);
-                return;
+                return false;
             }
             $userId = $userMail;
         }
 
-        parent::setAuth($userId, $credentials, $realm, $changeRequested);
+        return parent::setAuth($userId, $credentials, $realm, $changeRequested);
     }
 }
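Review bot: The new `return false;` on the `mailForUidOrMail()` error path leaves no auth error set, so the caller gets a bare failure, whereas the hook-rejection path added in Auth.php sets `AUTH_REASON_FAILED`. Adding `$this->_setAuthError(AUTH_REASON_FAILED);` before the return would keep the failure reason consistent. The log call on that path writes only a fixed string; appending `$userMail->getMessage()` would preserve the cause for whoever investigates a rejected login. The enclosing function starts outside the hunk.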
Index: Auth/shibboleth.php
===================================================================
RCS file: /repository/framework/Auth/Auth/shibboleth.php,v
retrieving revision 1.4
diff -u -r1.4 shibboleth.php
--- Auth/shibboleth.php	14 Dec 2007 18:34:44 -0000	1.4
+++ Auth/shibboleth.php	23 Jun 2008 16:08:48 -0000
@@ -73,7 +73,9 @@
             $username = substr($username, 0, $pos);
         }
 
-        $this->setAuth($username, array('transparent' => 1));
+        if (!$this->setAuth($username, array('transparent' => 1))) {
+            return false;
+        }
 
         // Set password for hordeauth login.
         if ($this->_params['password_holder'] == 'header') {

