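<?php

require_once('tiki-setup.php');

// Autologin bridge for a trusted remote system (tiki-autologin.php).
//
// Two entry modes share this script:
//   1. Server-side call: the request is made while authenticated as the
//      configured "remote system user" ($prefs['login_autologin_user']).
//      It may create or update the target account and answers with a
//      short-lived, single-use token URL (echoed as plain text) that the
//      remote system hands to the browser.
//   2. Browser call: the token URL is opened by the end user. The token is
//      expected to grant membership in $prefs['login_autologin_group'];
//      that membership is what the second branch checks before logging the
//      named user in.
//
// Every parameter is read from $_REQUEST (GET, POST and cookies merged), so
// every value is untrusted and is only ever handed to the user library.

$access->check_feature('login_autologin');

if (empty($prefs['login_autologin_user'])) {
    $access->display_error('', tra('Remote system user needs to be configured'), "500");
    die;
}

if (empty($prefs['login_autologin_group'])) {
    $access->display_error('', tra('Remote system group for autologin need to be configured'), "500");
    die;
}

// Scalar request parameter or '' when absent/empty. Arrays (e.g. "uname[]=x")
// are rejected here rather than being passed into the user library, which
// expects strings.
$requestString = static function (string $key): string {
    if (empty($_REQUEST[$key]) || ! is_scalar($_REQUEST[$key])) {
        return '';
    }
    return (string) $_REQUEST[$key];
};

$uname = $requestString('uname');
if ($uname === '') {
    $access->display_error('', tra('User name needs to be specified'), "400");
    die;
}

// Optional attributes: missing values collapse to '' so the checks below can
// use empty() uniformly.
$email    = $requestString('email');
$realName = $requestString('realName');
$page     = $requestString('page');

// The remote system's group list. It is fed to array_intersect()/in_array()
// below, which on PHP 8 throw a TypeError for a non-array argument; a single
// group sent as a bare string is wrapped, non-string entries are dropped.
$groups = [];
if (! empty($_REQUEST['groups'])) {
    $groups = array_values(array_filter((array) $_REQUEST['groups'], 'is_string'));
}

$autologin_base_url = $requestString('base_url');
if ($autologin_base_url === '') {
    $access->display_error('', tra('Base URL not received from remote system'), "500");
    die;
}

$userlib = TikiLib::lib('user');

// Strict comparison: $user is false/null when nobody is logged in and must
// never be treated as equal to the configured remote-system account.
if ($user === $prefs['login_autologin_user']) {
    // Attempted server-side login by the remote system.
    // When login_autologin_allowedgroups is set, the remote system must assert
    // at least one of those groups for the target user; when it is empty, any
    // uname it asks for is accepted (the groups are only what the remote side
    // claims, nothing here verifies them).
    if (! empty($prefs['login_autologin_allowedgroups'])) {
        $allowedgroups = array_map('trim', explode(',', $prefs['login_autologin_allowedgroups']));
        if (! array_intersect($allowedgroups, $groups)) {
            $access->display_error('', tra('Permission denied'), "401");
            die;
        }
    }

    $userExists = $userlib->user_exists($uname);
    if ($prefs['login_autologin_createnew'] == 'y' && ! $userExists) {
        // New account: an e-mail is mandatory and the local password is random
        // and never disclosed, so the account is only reachable through this
        // flow (or a password reset) until someone changes it.
        if (empty($email)) {
            $access->display_error('', tra('Email needs to be specified'), "400");
            die;
        }
        $randompass = $userlib->genPass();
        $userlib->add_user($uname, $randompass, $email);
    } elseif (! $userExists) {
        $access->display_error('', tra('Permission denied'), "401");
        die;
    } elseif (! empty($email) && ($prefs['user_unique_email'] != 'y' || ! $userlib->other_user_has_email($uname, $email))) {
        // Existing account: only update the e-mail when unique-email
        // enforcement is off or no other account already owns that address.
        $userlib->change_user_email($uname, $email);
    }

    if (! empty($realName)) {
        TikiLib::lib('tiki')->set_user_preference($uname, 'realName', $realName);
    }

    // Group synchronisation is confined to the groups listed in
    // login_autologin_syncgroups: membership in those follows the remote list
    // exactly (removed when absent, assigned when present); any other group the
    // user holds is left untouched. Strict in_array(): both sides are strings.
    if (! empty($prefs['login_autologin_syncgroups']) && ! empty($groups)) {
        $syncgroups = array_map('trim', explode(',', $prefs['login_autologin_syncgroups']));
        foreach ($syncgroups as $g) {
            if (! in_array($g, $groups, true) && $userlib->group_exists($g)) {
                $userlib->remove_user_from_group($uname, $g);
            }
        }
        foreach ($groups as $g) {
            if (in_array($g, $syncgroups, true) && $userlib->group_exists($g)) {
                $userlib->assign_user_to_group($uname, $g);
            }
        }
    }

    // Generate token url to log the user in for real: 30 second lifetime,
    // single use, granting only the autologin group. uname, page and base_url
    // travel in the URL; NOTE(review): this assumes AuthTokens::includeToken
    // binds the token to those query parameters so they cannot be swapped by
    // the browser — confirm in lib/auth/tokens.php.
    require_once 'lib/auth/tokens.php';
    $tokenlib = AuthTokens::build($prefs);
    $params = [
        'uname'    => $uname,
        'page'     => $page,
        'base_url' => $autologin_base_url,
    ];
    $url = $base_url . 'tiki-autologin.php' . '?' . http_build_query($params, '', '&');
    $url = $tokenlib->includeToken($url, [$prefs['login_autologin_group']], '', 30, 1);
    echo $url;
} else {
    // Actual user attempt via token. The token is presumably consumed earlier
    // in the request (tiki-setup.php); all this branch can verify is that the
    // request now carries the configured autologin group.
    if (! in_array($prefs['login_autologin_group'], Perms::get()->getGroups(), true)) {
        $access->display_error('', tra('Permission denied'), "401");
        die;
    }
    // An already authenticated visitor is not switched to $uname; only an
    // anonymous request is logged in as the named account.
    if ($user || $userlib->autologin_user($uname)) {
        if (! empty($autologin_base_url)) {
            // Remembered so later pages can send the user back to the remote
            // system. The value originates from the request; NOTE(review):
            // whoever reads $_SESSION['autologin_base_url'] must treat it as an
            // untrusted redirect target unless the token binding above holds.
            $_SESSION['autologin_base_url'] = $autologin_base_url;
        }
        if (! empty($_SESSION['loginfrom'])) {
            TikiLib::lib('access')->redirect($_SESSION['loginfrom']);
        } elseif (! empty($page)) {
            $sefurl = TikiLib::lib('wiki')->sefurl($page);
            TikiLib::lib('access')->redirect($sefurl);
        } else {
            TikiLib::lib('access')->redirect("tiki-index.php");
        }
    } else {
        $access->display_error('', tra('Permission denied'), "401");
        die;
    }
}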