Author: acoburn
Date: Fri Sep 7 14:04:54 2012
New Revision: 1382034
URL: http://svn.apache.org/viewvc?rev=1382034&view=rev
Log:
VCL-608
Added support for delegated authentication over the XMLRPC API.
The background for this is that if VCL users are authenticated with Shibboleth,
there is no way for any external application
to access those user accounts over the remote API. Any such attempt would
always fail, since the VCL application has no
mechanism, internally, to validate these users' passwords.
This change introduces $apiValidateFunc, an affiliation-indexed array of
functions that can be defined to validate users
in these cases. These functions can (should?) be defined in the
.ht-inc/conf.php file.
Modified:
vcl/trunk/web/.ht-inc/utils.php
Modified: vcl/trunk/web/.ht-inc/utils.php
URL:
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/utils.php?rev=1382034&r1=1382033&r2=1382034&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/utils.php (original)
+++ vcl/trunk/web/.ht-inc/utils.php Fri Sep 7 14:04:54 2012
@@ -325,7 +325,7 @@ function initGlobals() {
function checkAccess() {
global $mode, $user, $actionFunction, $authMechs;
global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
- global $inContinuation, $docreaders;
+ global $inContinuation, $docreaders, $apiValidateFunc;
if($mode == 'xmlrpccall') {
// double check for SSL
if(! isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
@@ -439,6 +439,16 @@ function checkAccess() {
exit;
}
}
+ elseif($authMechs[$authtype]['type'] == 'redirect'){
+ $affilid = $authMechs[$authtype]['affiliationid'];
+ if(!(isset($apiValidateFunc) && is_array($apiValidateFunc) &&
+ array_key_exists($affilid, $apiValidateFunc) &&
+ $apiValidateFunc[$affilid]($xmluser, $xmlpass))){
+ printXMLRPCerror(3); # access denied
+ dbDisconnect();
+ exit;
+ }
+ }
else {
printXMLRPCerror(6); # unable to auth passed
in X-User
dbDisconnect();
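Review bot: The new `redirect` branch grants API access on any truthy return from `$apiValidateFunc[$affilid]($xmluser, $xmlpass)`, and it calls the entry without first checking that it is callable. A validator that returns a non-empty error string or array on failure would authenticate the caller, and a mistyped function name in conf.php would end in a PHP fatal error instead of the `printXMLRPCerror(3)` / `dbDisconnect()` path. I would add `is_callable($apiValidateFunc[$affilid]) &&` before the call and require `$apiValidateFunc[$affilid]($xmluser, $xmlpass) === true`, with a comment stating the contract, e.g. `# validator must return boolean TRUE only when $xmlpass is valid for $xmluser in this affiliation`. checkAccess() starts and ends outside this hunk, so whether failed attempts on this path are logged or throttled cannot be seen from these lines.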