>From 0caef01a35d3d4ad976938fcf3a905fc39d322e7 Mon Sep 17 00:00:00 2001
From: unknown <Simon@.(none)>
Date: Tue, 18 Aug 2009 04:00:28 +0100
Subject: [PATCH] Two changes:
 1.  Make the CURL URL and SSL options configurable (to enable, copy config/personal_config.php to the Zikula config directory)
 2.  Ensure that the membership of the cmsadmin group is synced to any Zikula instance deploying AuthFAS

---
 AuthFAS/config/personal_config.php             |   14 ++++
 AuthFAS/pnuserapi.php                          |   54 +++++++++++---
 fedora/templates/config/master.ini             |   94 ++++++++++++------------
 fedora/templates/config/pageconfigurations.ini |   18 ++--
 4 files changed, 112 insertions(+), 68 deletions(-)
 create mode 100644 AuthFAS/config/personal_config.php

diff --git a/AuthFAS/config/personal_config.php b/AuthFAS/config/personal_config.php
new file mode 100644
index 0000000..f6111c2
--- /dev/null
+++ b/AuthFAS/config/personal_config.php
@@ -0,0 +1,14 @@
+<?php
+/**
+ * This file should be placed in Zikula's root /config directory
+ **/
+
+global $FedConfig;
+
+// PRODUCTION
+//$FedConfig['FAS']['URL'] = 'https://admin.fedoraproject.org/accounts/json/person_by_username?tg_format=json';
+//$FedConfig['FAS']['SSL_VERIFY'] = true;
+
+// PUBLICTEST
+$FedConfig['FAS']['URL'] = 'http://publictest3.fedoraproject.org/accounts/json/person_by_username?tg_format=json';
+$FedConfig['FAS']['SSL_VERIFY'] = false;
\ No newline at end of file
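Review bot: The settings left active in this new file are the PUBLICTEST ones, an `http://` URL with `SSL_VERIFY = false`, so a site that copies the file unchanged, as the commit message instructs, would POST FAS usernames and passwords over cleartext HTTP to a test host. Ship the PRODUCTION block uncommented and the PUBLICTEST block commented out, so that `$FedConfig['FAS']['SSL_VERIFY'] = true;` is the default. A comment above the test block such as `// Test instance only: disables certificate checks, never use with real credentials` would make the risk explicit.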
diff --git a/AuthFAS/pnuserapi.php b/AuthFAS/pnuserapi.php
index bd32c65..e1f2cc6 100644
--- a/AuthFAS/pnuserapi.php
+++ b/AuthFAS/pnuserapi.php
@@ -20,23 +20,19 @@ function AuthFAS_userapi_login($args)
 
     // As taken from MediaWiki Plugin
     $ch = curl_init();
-    curl_setopt($ch, CURLOPT_URL, 'https://admin.fedoraproject.org/accounts/json/person_by_username?tg_format=json');
+	
+	// These options are set in config/personal_config.php
+    curl_setopt($ch, CURLOPT_URL, $FedConfig['FAS']['URL']);
     curl_setopt($ch, CURLOPT_POST, 1);
     curl_setopt($ch, CURLOPT_USERAGENT, "Zikula FAS Auth 1.0");
     curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".urlencode($username)."&password=".urlencode($password)."&login=Login");
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 
-    # WARNING: Never enable this line when running in production, as it will
-    # cause plaintext passwords to show up in error logs.
-    #curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
-
-    # The following two lines need to be uncommented when using a test
-    # FAS with an invalid cert.  Otherwise they should be commented out (or set
-    # to True) for security.  (Perhaps this and the FAS URL can be made
-    # configurable?)
-    #curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
-    #curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
-
+	if ($FedConfig['FAS']['SSL_VERIFY']) {
+		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
+		curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
+	}
+    
     $response = json_decode(curl_exec($ch), true);
     curl_close ($ch);
 
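Review bot: The new guard is inverted: `if ($FedConfig['FAS']['SSL_VERIFY'])` switches CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST off exactly when the config asks for verification, so the production setting would disable certificate checking on the request that carries the password. Disable the checks only on an explicit opt-out, so that a missing key keeps verification on: `if (isset($FedConfig['FAS']['SSL_VERIFY']) && $FedConfig['FAS']['SSL_VERIFY'] === false) {`. No `global $FedConfig;` is visible in this hunk; the function starts outside it, so the declaration may exist above, but without it both the URL and the flag would be undefined here. The removed warning that CURLOPT_VERBOSE writes plaintext passwords to the error log is still worth keeping as a comment.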
@@ -47,11 +43,15 @@ function AuthFAS_userapi_login($args)
 
     $groups = $response["person"]["approved_memberships"];
     $found = false;
+	$admin = false;
     for ($i = 0, $cnt = count($groups); $i < $cnt; $i++) {
         if ($groups[$i]["name"] = "cla_done") {
             error_log("FAS auth succeeded for $username", 0);
             $found = true;
         }
+		if ($groups[$i]["name"] = "cmsadmin") {
+			$admin = true;
+        }
     }
 
     if (!$found) {
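Review bot: `if ($groups[$i]["name"] = "cmsadmin")` assigns instead of comparing, so the condition is always true and `$admin` becomes true for any account with at least one approved membership. Combined with the syncgroups call added later in this patch, that would place every such user in the Administrators group. Use `if ($groups[$i]["name"] === "cmsadmin") {`. The unchanged `cla_done` check just above has the same `=` and overwrites the group name before the new test runs, so it needs the same fix for either check to be meaningful. The function body starts and ends outside this hunk.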
@@ -71,6 +71,8 @@ function AuthFAS_userapi_login($args)
         $uid = $user['uid'];
     }
 
+	pnModAPIFunc('AuthFAS', 'user', 'syncgroups', array('uid' => $uid, 'admin' = $admin));
+	
     pnUserSetVar('lastlogin', date("Y-m-d H:i:s", time()), $uid);
     return $uid;
 }
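Review bot: `'admin' = $admin` inside the `array(...)` literal is a parse error, so the file would not load with this line; it should be `'admin' => $admin`. The result of the syncgroups call is also ignored, although syncgroups returns false when a group lookup fails, so a login could succeed with stale group membership. Consider logging the failure or refusing the login when the sync does not succeed. The function starts outside this hunk.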
@@ -136,10 +138,38 @@ function AuthFAS_userapi_registerUser($args)
     if (!$res) {
         return false;
     }
+	
+	pnModAPIFunc('AuthFAS', 'user', 'addgroup', array('uid' => $uid, 'admin' => false));
 
     return $uid;
 }
 
+function AuthFAS_userapi_syncgroups($args) {
+	// Always in the user group
+	$gname = pnModGetVar('Groups', 'defaultgroup');
+	$group = DBUtil::selectObjectByID('groups', $gname, 'name');
+    if (!$group) {
+        return false;
+    }
+	$is_users_member = pnModAPIFunc('Groups', 'user', 'isgroupmember', array('gid' => $group['gid'], 'uid' => $args['uid']));
+	if (!$is_users_member) {
+	    pnModAPIFunc('Groups', 'user', 'adduser', array('gid' => $group['gid'], 'uid' => $args['uid']));
+	}
+	
+	// Maybe in the admin group
+	$group = DBUtil::selectObjectByID('groups', 'Administrators', 'name');
+    if (!$group) {
+        return false;
+    }
+	$is_admin_member = pnModAPIFunc('Groups', 'user', 'isgroupmember', array('gid' => $group['gid'], 'uid' => $args['uid']));
+	if (!$is_admin_member && $args['admin']) {
+	    pnModAPIFunc('Groups', 'user', 'adduser', array('gid' => $group['gid'], 'uid' => $args['uid']));
+	} else if ($is_admin_member && !$args['admin'] {
+		// We need to remove them, they are no longer in the admin group
+		pnModAPIFunc('Groups', 'user', 'removeuser', array('gid' => $group['gid'], 'uid' => $args['uid']));
+	}
+}
+
 /**
  * Logout a user using PN as the authentication source
  * @return bool true on success, false on failiure
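Review bot: The line `} else if ($is_admin_member && !$args['admin'] {` is missing the closing parenthesis of its condition and will not parse; it should be `} else if ($is_admin_member && !$args['admin']) {`. registerUser calls the API function `addgroup`, while this patch defines only `AuthFAS_userapi_syncgroups`; unless `addgroup` exists elsewhere in the module, that call was presumably meant to be `syncgroups`. syncgroups has no `return true;` on its success path, so callers cannot tell success from the `return false` lookup failures. Because it grants and revokes Administrators membership, it deserves a docblock naming the `uid` and `admin` arguments and stating that `admin` must be derived only from the FAS response. The trailing docblock in this hunk belongs to a function that continues outside it.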
diff --git a/fedora/templates/config/master.ini b/fedora/templates/config/master.ini
index 9575e51..f278906 100644
--- a/fedora/templates/config/master.ini
+++ b/fedora/templates/config/master.ini
@@ -1,47 +1,47 @@
-page = master.htm
-palette = 
-modulewrapper = 1
-blockwrapper = 1
-
-[blocktypes]
-adminnav = 
-messages = 
-text = 
-extmenu = 
-thelang = 
-menu = 
-finclude = 
-xslt = 
-html = 
-tags = 
-moduletags = 
-inline = 
-specificfiles = 
-newestfiles = 
-random = 
-menutree = 
-login = 
-list = 
-pnRender = 
-search = 
-themeswitcher = 
-online = 
-user = 
-
-[blockpositions]
-left = 
-right = 
-center = 
-
-[blockinstances]
-7 = 
-2 = 
-3 = 
-4 = 
-5 = 
-6 = 
-
-[filters]
-outputfilters = 
-prefilters = 
-postfilters = 
+page = master.htm
+palette = 
+modulewrapper = 1
+blockwrapper = 1
+
+[blocktypes]
+adminnav = 
+messages = 
+text = 
+extmenu = 
+thelang = 
+menu = 
+finclude = 
+xslt = 
+html = 
+tags = 
+moduletags = 
+inline = 
+specificfiles = 
+newestfiles = 
+random = 
+menutree = 
+login = 
+list = 
+pnRender = 
+search = 
+themeswitcher = 
+online = 
+user = 
+
+[blockpositions]
+left = 
+right = 
+center = 
+
+[blockinstances]
+7 = 
+2 = 
+3 = 
+4 = 
+5 = 
+6 = 
+
+[filters]
+outputfilters = 
+prefilters = 
+postfilters = 
diff --git a/fedora/templates/config/pageconfigurations.ini b/fedora/templates/config/pageconfigurations.ini
index 82e327d..6b39c50 100644
--- a/fedora/templates/config/pageconfigurations.ini
+++ b/fedora/templates/config/pageconfigurations.ini
@@ -1,9 +1,9 @@
-
-[*admin]
-file = master.ini
-
-[*home]
-file = home.ini
-
-[master]
-file = master.ini
+
+[*admin]
+file = master.ini
+
+[*home]
+file = home.ini
+
+[master]
+file = master.ini
-- 
1.6.4.msysgit.0

