From b788b39a4c62c964a7d0a6310e0d5684a0d3adc6 Mon Sep 17 00:00:00 2001 From: "jacob.embree" Date: Wed, 11 Feb 2015 11:28:46 +0000 Subject: [PATCH] Issue #2423275 by jacob.embree: Regression fixes and coder review --- simplesamlphp_auth.inc | 80 +++++++++++++++-------------- simplesamlphp_auth.install | 13 ++--- simplesamlphp_auth.module | 97 +++++++++++++++++------------------- simplesamlphp_auth.pages.inc | 24 +++++---- 4 files changed, 112 insertions(+), 102 deletions(-) diff --git a/simplesamlphp_auth.inc b/simplesamlphp_auth.inc index b1f5c36..9699973 100644 --- a/simplesamlphp_auth.inc +++ b/simplesamlphp_auth.inc @@ -58,7 +58,8 @@ function _simplesaml_auth_user_register($authname) { global $user; global $_simplesamlphp_auth_as; - // First we check the admin settings for simpleSAMLphp and find out if we are allowed to register users. + // First we check the admin settings for simpleSAMLphp and find out if we are + // allowed to register users. if (variable_get('simplesamlphp_auth_registerusers', TRUE)) { // We are allowed to register new users. 
@@ -84,21 +85,21 @@ function _simplesaml_auth_user_register($authname) { _simplesaml_auth_debug(t('Registered [%authname] with uid @uid', array( '%authname' => $authname, - '@uid' => $user->uid + '@uid' => $user->uid, ))); if (!empty($user->uid)) { // Populate roles based on configuration setting. $roles = _simplesamlphp_auth_rolepopulation(variable_get('simplesamlphp_auth_rolepopulation', '')); $userinfo = array('roles' => $roles); - // @todo - Fjernet rolle-delen her da den gav en bra feilmelding når roller ikke finnes. $user = user_save($user, $userinfo); return $user; } else { // We were unable to register this new user on the site. - // We let the user know about this, log an error, and redirect to the home page. + // We let the user know about this, log an error, and redirect to the home + // page. drupal_set_message(t("We are sorry. While you have successfully authenticated, we were unable to create an account for you on this site. Please ask the site administrator to provision access for you.")); watchdog('simplesamlphp_auth', 'Unable to register %authname using simplesamlphp_auth', array('%authname' => $authname), WATCHDOG_ERROR); $_simplesamlphp_auth_as->logout(base_path()); 
@@ -107,13 +108,13 @@ function _simplesaml_auth_user_register($authname) { else { // We are not allowed to register new users on the site through simpleSAML. // We let the user know about this and redirect to the user/login page. - drupal_set_message(t("We are sorry. While you have successfully authenticated, you are not yet entitled to access this site. Please ask the site administrator to provision access for you.")); + drupal_set_message(t("We are sorry. Although you have successfully authenticated, you are not yet entitled to access this site. Please ask the site administrator to provide access for you.")); $_simplesamlphp_auth_as->logout(base_path()); } } /** - * Updates a SAML authenticated user's account with current username and email. + * Updates a SAML-authenticated user's account with current username and email. * * @param object $account * The user account object to update. @@ -129,7 +130,8 @@ function _simplesaml_auth_user_update($account) { // Get mail from default attribute. try { $mail_address = _simplesamlphp_auth_get_mail(); - } catch (Exception $e) { + } + catch (Exception $e) { drupal_set_message(t('Your e-mail address was not provided by your identity provider (IDP).'), "error"); watchdog('simplesamlphp_auth', $e->getMessage(), NULL, WATCHDOG_CRITICAL); } @@ -191,9 +193,10 @@ function simplesaml_auth_moderate_local_login() { if (!variable_get('simplesamlphp_auth_allowdefaultlogin', TRUE)) { // If the user has NOT been authenticated via simpleSAML... if (!$_simplesamlphp_auth_as->isAuthenticated()) { - // :FYI: Until Drupal issue #754560 is corrected this message will never be seen by the user. + // FYI: Until Drupal issue #754560 is corrected this message will never be + // seen by the user. drupal_set_message(t("We are sorry, users are not permitted to log in using local accounts.")); - // Destroy the user's session (log them out). + // Destroy the user's session (log out). _simplesamlphp_auth_destroy_drupal_session(); } } 
@@ -201,33 +204,37 @@ function simplesaml_auth_moderate_local_login() { else { // If the user has NOT been authenticated via simpleSAML. if (!$_simplesamlphp_auth_as->isAuthenticated()) { - // See if we limit this privilege to specified users - $strAllwDefLogUsers = variable_get('simplesamlphp_auth_allowdefaultloginusers', ''); - $arrAllwDefLogUsers = array(); + // See if we limit this privilege to specified users. + $str_users_allowed_local = variable_get('simplesamlphp_auth_allowdefaultloginusers', ''); // See if we limit this privilege to specified roles. - $arrAllwDefLogRoles = variable_get('simplesamlphp_auth_allowdefaultloginroles', FALSE); + $array_roles_allowed_local = variable_get('simplesamlphp_auth_allowdefaultloginroles', array()); - // If user IDs or roles are specified, we let them in, but everyone else gets logged out. - if (drupal_strlen($strAllwDefLogUsers) || $arrAllwDefLogRoles) { + // If user IDs or roles are specified, we let them in, but everyone else + // gets logged out. + if (drupal_strlen($str_users_allowed_local) || $array_roles_allowed_local) { // Convert the string into an array. - // @todo Perform a test to make sure that only numbers, spaces, or commas are in the string. - $arrAllwDefLogUsers = explode(',', $strAllwDefLogUsers); + // @todo Perform a test to make sure that only numbers, spaces, or + // commas are in the string. + $array_users_allowed_local = explode(',', $str_users_allowed_local); // If we still have something to work with. - if (0 < count($arrAllwDefLogUsers) || 0 < count($arrAllwDefLogRoles)) { - /* Log the user out of Drupal if: - 1) the current user's uid is NOT in the list of allowed uids... - 2) or their role does not match and allowed mixed mode role. */ - $matchRoles = array_intersect(array_keys($user->roles), $arrAllwDefLogRoles); - if (!in_array($user->uid, $arrAllwDefLogUsers) && count($matchRoles) == 0) { - // User is logged into Drupal, but may not be logged into simpleSAML. 
- // If this is the case we're supposed to log the user out of Drupal. - - // :FYI: Until Drupal issue #754560 is corrected this message will never be seen by the user. + if (0 < count($array_users_allowed_local) || 0 < count($array_roles_allowed_local)) { + // Log the user out of Drupal if: + // 1) the current user's uid is NOT in the list of allowed uids + // 2) or their role does not match and allowed mixed mode role. + $match_roles = array_intersect(array_keys($user->roles), $array_roles_allowed_local); + if (!in_array($user->uid, $array_users_allowed_local) && count($match_roles) == 0) { + // User is logged into Drupal, but may not be logged into + // simpleSAML. If this is the case we're supposed to log the user + // out of Drupal. + + // FYI: Until Drupal issue #754560 is corrected this message will + // never be seen by the user. drupal_set_message(t("We are sorry, you are not permitted to log in using a local account.")); - // The least we can do is write something to the watchdog so someone will know what's happening. + // The least we can do is write something to the watchdog so someone + // will know what's happening. watchdog('simplesamlphp_auth', 'User %name not authorized to log in using local account.', array('%name' => $user->name)); _simplesamlphp_auth_destroy_drupal_session(); @@ -246,8 +253,8 @@ function simplesaml_auth_moderate_local_login() { * Return any attributes provided by the SAML IDP. * * @param $attribute - * The attribute whose value to return. Can be skipped if all attribute - * values are requested. + * (optional) The attribute whose value to return. Can be skipped if all + * attribute values are requested. * * @return * If an attribute was provided, the value of the attribute is returned. 
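Review bot: The uid allow-list read from `simplesamlphp_auth_allowdefaultloginusers` is still compared loosely and never normalised, which is the gap the `@todo` above the `explode()` already admits. `explode(',', ...)` on an empty setting yields `array('')`, so the `0 < count($array_users_allowed_local)` guard is always true, and `in_array($user->uid, $array_users_allowed_local)` depends on PHP type juggling to match entries that carry surrounding spaces. Since this list decides who may keep a local session, I would build it with `$array_users_allowed_local = array_filter(array_map('trim', explode(',', $str_users_allowed_local)), 'strlen');` and test it with `in_array((string) $user->uid, $array_users_allowed_local, TRUE)`. The function starts and ends outside this hunk.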
@@ -263,10 +270,8 @@ function simplesamlphp_auth_get_attributes($attribute = NULL) { $result = NULL; // If the specified attribute is set, grab it. - if (isset($_simplesamlphp_auth_saml_attributes)) { - if (isset($_simplesamlphp_auth_saml_attributes[$attribute])) { - $result = $_simplesamlphp_auth_saml_attributes[$attribute]; - } + if (isset($_simplesamlphp_auth_saml_attributes[$attribute])) { + $result = $_simplesamlphp_auth_saml_attributes[$attribute]; } } @@ -282,14 +287,14 @@ function simplesamlphp_auth_get_attributes($attribute = NULL) { } } - // Return whatever we've got.` + // Return whatever we have. return $result; } /** * Determine if the current user is authenticated through SAML. * - * @return + * @return bool * TRUE if the current user is authenticated through SAML. FALSE otherwise. */ function simplesamlphp_auth_is_authenticated() { @@ -298,7 +303,8 @@ function simplesamlphp_auth_is_authenticated() { // Assume that the user isn't authenticated until proven otherwise. $authenticated = FALSE; - // If the associated global variable exists, and the auth flag is set, note it. + // If the associated global variable exists, and the auth flag is set, note + // it. if (isset($_simplesamlphp_auth_as) && $_simplesamlphp_auth_as->isAuthenticated()) { $authenticated = TRUE; } diff --git a/simplesamlphp_auth.install b/simplesamlphp_auth.install index 8d1191b..9168d78 100644 --- a/simplesamlphp_auth.install +++ b/simplesamlphp_auth.install @@ -2,7 +2,7 @@ /** * @file - * the install file for the simplesamlphp_auth module + * The install file for the simplesamlphp_auth module. */ /** @@ -51,6 +51,7 @@ function simplesamlphp_auth_uninstall() { * Implements hook_requirements(). */ function simplesamlphp_auth_requirements($phase) { + $t = get_t(); $requirements = array(); if ($phase == 'runtime') { 
@@ -58,9 +59,9 @@ function simplesamlphp_auth_requirements($phase) { $requirements['simplesamlphp_auth'] = array( 'severity' => REQUIREMENT_WARNING, 'title' => 'SimpleSAMLphp auth', - 'value' => t('SimpleSAMLphp authentication is NOT activated'), - 'description' => t('It can be activated on the !admin_page.', array('!admin_page' => l(t('configuration page'), 'admin/config/people/simplesamlphp_auth'))), - ); + 'value' => $t('SimpleSAMLphp authentication is NOT activated'), + 'description' => $t('It can be activated on the !admin_page.', array('!admin_page' => l($t('configuration page'), 'admin/config/people/simplesamlphp_auth'))), + ); } $basedir = variable_get('simplesamlphp_auth_installdir', '/var/simplesamlphp'); @@ -68,8 +69,8 @@ function simplesamlphp_auth_requirements($phase) { $requirements['simplesamlphp_auth'] = array( 'severity' => REQUIREMENT_ERROR, 'title' => 'SimpleSAMLphp auth', - 'value' => t('SimpleSAMLphp authentication is missing the required SimpleSAMLphp library'), - 'description' => t('Please download and install the !simplesamlphp library.', array('!simplesamlphp' => l(t('SimpeSAMLphp'), 'https://simplesamlphp.org/download'))), + 'value' => $t('SimpleSAMLphp authentication is missing the required SimpleSAMLphp library'), + 'description' => $t('Please download and install the !simplesamlphp library.', array('!simplesamlphp' => l($t('SimpeSAMLphp'), 'https://simplesamlphp.org/download'))), ); } } diff --git a/simplesamlphp_auth.module b/simplesamlphp_auth.module index ed2e688..af28867 100644 --- a/simplesamlphp_auth.module +++ b/simplesamlphp_auth.module @@ -5,7 +5,7 @@ * simpleSAMLphp authentication module for Drupal. * * This authentication module is based on the shibboleth authentication module, - * with changes to adopt to use simpleSAMLphp. + * with changes to adapt to use simpleSAMLphp. * * ISSUES and TODOs: * ISSUE: User is always dropped on user page after login, instead of where 
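Review bot: The link text in the missing-library requirement still reads `SimpeSAMLphp` after the switch to `$t()`. Since the line is being rewritten anyway, it should become `l($t('SimpleSAMLphp'), 'https://simplesamlphp.org/download')`. Correcting it changes the translatable source string, so any existing translation of the misspelled text would have to be redone.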
@@ -14,7 +14,7 @@ * be considerably increased if this were resolved. * FYI: Drupal now requires knowledge of the local user password in order to * change e-mail address, etc. This could be an issue for users of - * accounts that are autoprovisioned by this module, though Drupal does + * accounts that are auto-provisioned by this module, though Drupal does * give users the ability to reset their password to something they know * via the Request new password feature. * KLUDGE: Drupal does not kill the session on logout, even with @@ -62,8 +62,7 @@ function simplesamlphp_auth_menu() { function simplesamlphp_auth_help($path, $arg) { switch ($path) { case 'admin/config/people/simplesamlphp_auth': - $output = t('

This module integrates Drupal with a SimpleSAMLphp Service Point (SP), effectively federating Drupal.

'); - + $output = '

' . t('This module integrates Drupal with a SimpleSAMLphp Service Point (SP), effectively federating Drupal.') . '

'; return $output; } } @@ -144,7 +143,7 @@ function simplesamlphp_auth_init() { $user_allowed_default_login = TRUE; } - // Logs out user if not SAML authenticated and not allowed default login. + // Logs out user if not SAML authenticated and not allowed default login. if (!$_simplesamlphp_auth_as->isAuthenticated() && !$user_allowed_default_login) { module_load_include('pages.inc', 'user'); user_logout(); @@ -166,12 +165,12 @@ function simplesamlphp_auth_user_insert(&$edit, $account, $category = NULL) { if ($category == 'account') { // If user registration has a valid session... if ($_simplesamlphp_auth_as->isAuthenticated() && _simplesamlphp_auth_get_authname() == $account->init) { - // Get name from default attributes. try { _simplesaml_auth_debug(t('Registering user [%acctname]', array('%acctname' => $account->name))); $account->name = _simplesamlphp_auth_get_default_name($account->uid); - } catch (Exception $e) { + } + catch (Exception $e) { drupal_set_message(t('Your user name was not provided by your identity provider (IDP).'), "error"); watchdog('simplesamlphp_auth', $e->getMessage(), NULL, WATCHDOG_CRITICAL); } @@ -208,7 +207,8 @@ function simplesamlphp_auth_user_logout($account) { $config = SimpleSAML_Configuration::getInstance(); - // :KLUDGE: for some reason Drupal is not killing the session, even if I were to call drupal_session_destroy_uid() here. + // KLUDGE: for some reason Drupal is not killing the session, even if I + // were to call drupal_session_destroy_uid() here. session_destroy(); $gotourl = base_path(); @@ -241,7 +241,6 @@ function simplesamlphp_auth_form_alter(&$form, $form_state, $form_id) { } $link = l(t('Federated Log In'), 'saml_login'); - // Add SAML login link to user login form. if ($form_id == 'user_login_block' || $form_id == 'user_account_form') { $links = $form['links']['#markup']; 
@@ -262,15 +261,18 @@ function simplesamlphp_auth_form_alter(&$form, $form_state, $form_id) { $form['#submit'][] = 'simplesaml_auth_user_profile_form_submit'; } - // If the user has a simplesamlphp_auth authmap record, then don't require them to know their Drupal password. - // This will allow them to change their e-mail address, and set a Drupal password if they want to (and are allowed). + // If the user has a simplesamlphp_auth authmap record, then don't require + // them to know their Drupal password. This will allow them to change their + // e-mail address, and set a Drupal password if they want to (and are + // allowed). if ((isset($form['#user']->init) && $form['#user']->init) && (_simplesaml_auth_user_has_authmap($form['#user']->init) && $form_id == 'user_profile_form')) { unset($form['account']['current_pass']); unset($form['account']['current_pass_required_values']); $form['#validate'] = array_diff($form['#validate'], array('user_validate_current_pass')); - // If the user is a simplesamlphp_auth user and is NOT allowed to set their Drupal password, remove the fields from the form. + // If the user is a simplesamlphp_auth user and is NOT allowed to set their + // Drupal password, remove the fields from the form. if (!variable_get('simplesamlphp_auth_allowsetdrupalpwd')) { unset($form['account']['pass']); } @@ -309,21 +311,20 @@ function simplesaml_auth_user_profile_form_submit(&$form, $form_state) { * Implements hook_block_view(). */ function simplesamlphp_auth_block_view($delta = '') { - if (!_simplesaml_auth_autoload()) { // Exit without executing. return; } + $block = array(); switch ($delta) { case 0: $block = array( 'subject' => t('simpleSAMLphp login'), - 'content' => _simplesamlphp_auth_generate_block_text() + 'content' => _simplesamlphp_auth_generate_block_text(), ); break; } - return $block; } 
@@ -335,9 +336,8 @@ function simplesamlphp_auth_block_info() { array( 'info' => t('simpleSAMLphp authentication'), 'cache' => DRUPAL_NO_CACHE, - ) + ), ); - return $block; } @@ -346,28 +346,26 @@ function simplesamlphp_auth_block_info() { ****************************************************************************/ /** - * Checks to see if authentication via SimpleSAMLphp should be activated + * Checks if authentication via SimpleSAMLphp should be activated. * - * @param bool bShowInactiveMsg + * @param bool $show_inactive_msg * Whether to display the "module not activated" message * * @return bool - * TRUE is simplesamlphp_auth is enabled. + * TRUE if simplesamlphp_auth is enabled. */ -function _simplesamlphp_auth_isEnabled($bShowInactiveMsg = FALSE) { - GLOBAL $user; +function _simplesamlphp_auth_isEnabled($show_inactive_msg = FALSE) { + global $user; $failure = NULL; - $isActivated = variable_get('simplesamlphp_auth_activate'); + $is_activated = variable_get('simplesamlphp_auth_activate'); $basedir = variable_get('simplesamlphp_auth_installdir', '/var/simplesamlphp'); - if ($isActivated) { + if ($is_activated) { // Make sure we know where SimpleSAMLphp is. if (!file_exists($basedir)) { $failure = t('SimpleSAMLphp could not be found at %basedir . The simplesamlphp_auth module cannot function until the path to the local SimpleSAMLphp instance is configured.', array('%basedir' => $basedir)); - watchdog('simplesamlphp_auth', $failure, NULL, WATCHDOG_WARNING); - } } 
@@ -381,14 +379,12 @@ function _simplesamlphp_auth_isEnabled($bShowInactiveMsg = FALSE) { } else { - // communicate but don't be too annoying - if ($bShowInactiveMsg && (1 == $user->uid || user_access('access administration pages')) && (preg_match('/admin\/people/', request_uri()) || preg_match('/admin\/modules/', request_uri()) || preg_match('/admin\/config/', request_uri()))) { + // Communicate but don't be too annoying. + if ($show_inactive_msg && (1 == $user->uid || user_access('access administration pages')) && (preg_match('/admin\/people/', request_uri()) || preg_match('/admin\/modules/', request_uri()) || preg_match('/admin\/config/', request_uri()))) { drupal_set_message($failure); } } - return FALSE; - } /** @@ -422,7 +418,7 @@ function _simplesamlphp_auth_get_authname() { /** * Gets the default name attribute from the SAML assertion. * - * @return + * @return string * The name attribute. */ function _simplesamlphp_auth_get_default_name($account) { @@ -453,7 +449,7 @@ function _simplesamlphp_auth_get_default_name($account) { /** * Gets the mail attribute. * - * @return + * @return string * The mail attribute. */ function _simplesamlphp_auth_get_mail() { 
@@ -515,25 +511,25 @@ function _simplesamlphp_auth_generate_block_text() { * * The rules work as follows: * = does an exact match on an attribute and will iterate over array values if - * the array is multivalued. + * the array is multivalued. * @= matches the domain portion of an email address. It assumes the attribute - * is a string, and will not iterate over an array (but take the first value). - * ~= does a partial string match on the attribute, and does iterate over multiple - * values, returning true if any of the values match. + * is a string, and will not iterate over an array (but take the first value). + * ~= does a partial string match on the attribute, and does iterate over + * multiple values, returning true if any of the values match. * - * @param $roleruleevaluation + * @param array $roleruleevaluation * An array containing the role rule to evaluate. - * @param $attributes + * @param array $attributes * An array containing the identity attributes. * - * @return + * @return array * An array containing role value and the attribute, or FALSE. */ function _simplesamlphp_auth_evaulaterolerule($roleruleevaluation, $attributes) { _simplesaml_auth_debug(t('Evaluate rule (key=%key,operator=%op,value=%val)', array( '%key' => $roleruleevaluation[0], '%op' => $roleruleevaluation[1], - '%val' => $roleruleevaluation[2] + '%val' => $roleruleevaluation[2], ))); if (!array_key_exists($roleruleevaluation[0], $attributes)) { @@ -542,16 +538,17 @@ function _simplesamlphp_auth_evaulaterolerule($roleruleevaluation, $attributes) $attribute = $attributes[$roleruleevaluation[0]]; switch ($roleruleevaluation[1]) { - case '=' : + case '=': return in_array($roleruleevaluation[2], $attribute); - case '@=' : + case '@=': $dc = explode('@', $attribute[0]); if (count($dc) != 2) { return FALSE; } - return ($dc[1] == $roleruleevaluation[2]); + return $dc[1] == $roleruleevaluation[2]; + case '~=': foreach ($attribute as $subattr) { $pos = strpos($subattr, $roleruleevaluation[2]); 
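Review bot: The new `@return array` on `_simplesamlphp_auth_evaulaterolerule()` does not match the returns visible in the following hunk, which are all booleans (`return in_array(...)`, `return FALSE`, `return $dc[1] == ...`). Unless a branch outside these hunks returns an array, the tag should read `@return bool` with a description such as `TRUE if the rule matches the supplied attributes, FALSE otherwise.` The two `@param array` tags agree with how both arguments are indexed in the body.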
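Review bot: Both comparisons touched in this hunk decide which Drupal roles a SAML login receives, yet they stay loose: `in_array($roleruleevaluation[2], $attribute)` and `$dc[1] == $roleruleevaluation[2]`. Under PHP type juggling two different numeric-looking strings can compare equal, so a rule value can match an attribute value it was not written for. I would make them `in_array($roleruleevaluation[2], $attribute, TRUE)` and `$dc[1] === $roleruleevaluation[2]`; the rule side appears to come from string splitting and the attribute values are presumably strings, so strict comparison should not reject legitimate matches. The `~=` branch runs past the end of the hunk and is not covered by this comment.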
@@ -568,10 +565,10 @@ function _simplesamlphp_auth_evaulaterolerule($roleruleevaluation, $attributes) /** * Performs role population. * - * @param $rolemap + * @param array $rolemap * A string containing the role map. * - * @return + * @return array * An array containing user's roles. */ function _simplesamlphp_auth_rolepopulation($rolemap) { @@ -589,7 +586,7 @@ function _simplesamlphp_auth_rolepopulation($rolemap) { $rolerules = explode('|', $rolemap); - foreach ($rolerules AS $rolerule) { + foreach ($rolerules as $rolerule) { _simplesaml_auth_debug(t('Evaluate role rule: %rolerule', array('%rolerule' => $rolerule))); $roleruledecompose = explode(':', $rolerule); @@ -598,7 +595,7 @@ function _simplesamlphp_auth_rolepopulation($rolemap) { $roleruleevaluations = explode(';', $roleruledecompose[1]); $addnew = TRUE; - foreach ($roleruleevaluations AS $roleruleevaluation) { + foreach ($roleruleevaluations as $roleruleevaluation) { _simplesaml_auth_debug(t('Evaluate role evaulation: %roleruleeval', array('%roleruleeval' => $roleruleevaluation))); @@ -621,7 +618,7 @@ function _simplesamlphp_auth_rolepopulation($rolemap) { } /** - * See if the user has an authmap record for simplesamlphp_auth + * See if the user has an authmap record for simplesamlphp_auth. */ function _simplesaml_auth_user_has_authmap($authname) { $authmaps = user_get_authmaps($authname); 
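Review bot: `@param array $rolemap` contradicts both its own description ("A string containing the role map.") and the body, which calls `explode('|', $rolemap)`. The tag should be `@param string $rolemap`. The rest of `_simplesamlphp_auth_rolepopulation()` lies outside this hunk, so the `@return array` added alongside it could not be checked here.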
@@ -637,14 +634,14 @@ function _simplesaml_auth_user_has_authmap($authname) { } /** - * This helper function is used by developers to debug the form API workflow in this module. + * Debugs for developers the form API workflow in this module. */ function _simplesaml_auth_debug($message) { watchdog('simplesamlphp', $message, NULL, WATCHDOG_DEBUG); } /** - * Helper function for logging out a user that is has a active session in Drupal but not with simpleSAML. + * Logs out a user who has an active Drupal session but not with simpleSAML. */ function _simplesamlphp_auth_destroy_drupal_session() { module_load_include('pages.inc', 'user'); diff --git a/simplesamlphp_auth.pages.inc b/simplesamlphp_auth.pages.inc index d959ad0..1192529 100644 --- a/simplesamlphp_auth.pages.inc +++ b/simplesamlphp_auth.pages.inc @@ -6,7 +6,10 @@ */ /** - * Represents the Drupal page (saml_login), which triggers user authentication against the SimpleSAMLphp service provider. + * Returns markup for SimpleSAMLphp login page. + * + * Represents the Drupal page (saml_login), which triggers user authentication + * against the SimpleSAMLphp service provider. */ function simplesamlphp_auth_loginpage() { @@ -50,7 +53,8 @@ function simplesamlphp_auth_loginpage() { $fail = TRUE; } - // There was a problem, we can't go on, but we don't want to tell the user any specifics either. + // There was a problem, we can't go on, but we don't want to tell the user any + // specifics either. if ($fail) { drupal_set_message(t("We're sorry. There was a problem attempting login. The issue has been logged for the administrator."), 'error'); drupal_goto('user/login'); 
@@ -60,13 +64,15 @@ function simplesamlphp_auth_loginpage() { // Support for deep linking. - // See if a URL has been explicitly provided in ReturnTo. If so, use it (as long as it points to this site). + // See if a URL has been explicitly provided in ReturnTo. If so, use it (as + // long as it points to this site). if ((isset($_REQUEST['ReturnTo']) && $_REQUEST['ReturnTo']) && (valid_url($_REQUEST['ReturnTo']) && stristr($_REQUEST['ReturnTo'], $base_url))) { $return_to = $_REQUEST['ReturnTo']; - // If not, see if a REFERER URL is available. If so, use it (as long as it points to this site). + // If not, see if a REFERER URL is available. If so, use it (as long as it + // points to this site). } elseif ((isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']) && (valid_url($_SERVER['HTTP_REFERER']) && stristr($_SERVER['HTTP_REFERER'], $base_url)) @@ -75,18 +81,18 @@ function simplesamlphp_auth_loginpage() { $return_to = $_SERVER['HTTP_REFERER']; } - // If the user is anonymous, set the cookie (if we can) and require authentication. + // If the user is anonymous, set the cookie (if we can) and require + // authentication. if ($user->uid == 0) { if ($return_to) { - // Set the cookie so we can deliver the user to the place they started + // Set the cookie so we can deliver the user to the place they started. setrawcookie('simplesamlphp_auth_returnto', $return_to, time() + 60 * 60); } // Require the user to be authenticated. $_simplesamlphp_auth_as->requireAuth(); - // If the user is authenticated, send them along. } else { 
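Review bot: The "as long as it points to this site" condition is a substring test: `stristr($_REQUEST['ReturnTo'], $base_url)` is true for any URL that merely contains the base URL somewhere, not only for URLs located on this site, and the `HTTP_REFERER` branch repeats the same test. Because the accepted value is stored and appears to become the post-login destination, the check should be anchored at the start, e.g. `strpos($_REQUEST['ReturnTo'], $base_url . '/') === 0`, or should compare the parsed scheme and host with those of `$base_url`. The function begins and ends outside this hunk.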
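Review bot: `setrawcookie('simplesamlphp_auth_returnto', $return_to, time() + 60 * 60)` writes the URL unencoded and leaves the path, `secure` and `httponly` arguments at their defaults. PHP URL-decodes `$_COOKIE` on read, so a destination containing percent-escapes does not round-trip, and `setrawcookie()` refuses values containing characters such as `;` or `,`, in which case the return destination is silently lost. I would switch to `setcookie('simplesamlphp_auth_returnto', $return_to, time() + 60 * 60, base_path(), '', $is_https, TRUE);` with `global $is_https` declared in the function. The delete call in the last hunk of this file would then need the same path argument.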
@@ -95,10 +101,10 @@ function simplesamlphp_auth_loginpage() { // Check to see if we've set a cookie. If there is one, give it priority. if (isset($_COOKIE['simplesamlphp_auth_returnto']) && $_COOKIE['simplesamlphp_auth_returnto']) { - // use the cookie for the ReturnTo + // Use the cookie for the ReturnTo. $go_to_url = $_COOKIE['simplesamlphp_auth_returnto']; - // unset the cookie + // Unset the cookie. setrawcookie('simplesamlphp_auth_returnto', ''); }
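Review bot: `$go_to_url = $_COOKIE['simplesamlphp_auth_returnto']` takes a value the browser controls, and the same-site test applied to `ReturnTo` earlier in this function is not repeated before the cookie is given priority. How `$go_to_url` is consumed lies outside this hunk, but if it feeds a redirect the value should be re-validated on read, for instance by extending the condition with `&& strpos($_COOKIE['simplesamlphp_auth_returnto'], $base_url . '/') === 0`. That assumes `$base_url` is in scope here as it is in the `ReturnTo` check above.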