The password cannot be blank. So, we define a universal password for all accounts. The code below will automatically log in accounts that I manually create. It is not yet automatically creating accounts.
You should use a randomly created password, or blank the password out later in the authentication plugin's initUser() function. It is possible for people to manually log in using SpecialUserlogin and the authenticate function. This would allow people to log in as anyone. To get an idea of how to do this, look at the SSLAuthentication plugin, the Shibboleth plugin, or my plugin. The former two create a random password; the latter blanks out the password.
function Auth_remote_user_hook() {
    global $wgUser;
    global $wgRequest;
    global $_REQUEST;

    // Universal Password for all users
    $pass = "1Some2Secret3Password4"; // 1Some2Secret3Password4

    // HTTP refer to login page
    $httprefer = "Location: http"
        . (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on" ? "s" : "")
        . "://" . $_SERVER['SERVER_NAME'] . ":" . $_SERVER['SERVER_PORT']
        . ( isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : "/"
            . ( isset($_SERVER['URL']) ? $_SERVER['PATH_INFO']
                . ( $_SERVER['QUERY_STRING'] ? "?" . $_SERVER['QUERY_STRING'] : "" ) : "" ) );
I don't really see the need for the httprefer variable, more on that below.
    // For a few special pages, don't do anything.
    $title = $wgRequest->getVal('title');
    if ($title == 'Special:Userlogout' || $title == 'Special:Userlogin') {
        return;
    }

    // Do nothing if session is valid
    $wgUser = User::loadFromSession();
    if ($wgUser->isLoggedIn()) {
        return;
    }

    // Do little if user already exists
    // (set the _REQUEST variable so that Login knows we're authenticated)
    $username = get_current_user();
    $u = User::newFromName( $username );
    if (is_null($u)) {
        # Invalid username or some other error -- force login, just return
        return;
    }

    $wgUser = $u;
    if ($u->getId() != 0) {
        // Populate the userlogin form's username and password (Userlogin.php)
        $_REQUEST['wpName'] = $username;
        $_REQUEST['wpPassword'] = $pass;
        header($httprefer);
I don't get this part... Why are you changing request variables and sending out headers? I don't think you should be doing this.
        // Make call to load session name, otherwise can't save
        if( !isset($wgCommandLineMode) && !isset( $_COOKIE[session_name()] ) ) {
            User::SetupSession();
        }

        // Set the cookies, save the settings, and return
        $wgUser->setCookies();
        $wgUser->saveSettings();
        return;
    }
    // Ok, now we need to create a user.
    $wgUser->setPassword( $pass );

    include 'includes/SpecialUserlogin.php';
    $form = new LoginForm( $wgRequest );
    $form->initUser( $wgUser );

    $form->mName = $username;
    $form->mPassword = $pass;
    $form->mRetype = $pass;
    $form->mCreateaccount = true;
    $form->mRemember = true;
    $form->mRealName = $username;
Why are you setting this stuff after you create the user (form->initUser)? And why aren't you doing it through the authentication plugin's initUser() function? Normally all of this stuff is set before the user is created.
    header($httprefer);
Again. It is a little strange to be sending out headers here.
    $wgUser->setCookies();
    $wgUser->saveSettings();

    return;
}
You aren't setting up a session for the new user... Call $wgUser->setupSession(); before you call setCookies().
V/r,
Ryan Lane
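
The shared-password risk raised at the top of this reply, as an added example that is not part of the original thread and is not MediaWiki code: it compares a universal password with a per-account random one when someone uses the ordinary password form. The array store, the function names and the accounts alice and bob are assumptions made for illustration.

```php
<?php
// Added illustration, not MediaWiki code. The arrays stand in for the wiki's
// user table, and passwordLogin() for the Special:Userlogin password form.

// Weak provisioning: every auto-created account gets the same known password.
function provisionShared(array &$db, string $name, string $shared): void {
    $db[$name] = password_hash($shared, PASSWORD_DEFAULT);
}

// Hardened provisioning: a per-account random password that is hashed at once
// and never kept in clear text, so nobody can type it into the login form.
function provisionRandom(array &$db, string $name): void {
    $db[$name] = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
}

// What the password form does: verify the supplied password for that name.
function passwordLogin(array $db, string $name, string $password): bool {
    return isset($db[$name]) && password_verify($password, $db[$name]);
}

$shared = '1Some2Secret3Password4'; // the universal password from the post

$weak = [];
$hardened = [];
foreach (['alice', 'bob'] as $name) { // constructed sample accounts
    provisionShared($weak, $name, $shared);
    provisionRandom($hardened, $name);
}

// Someone who knows only the universal password submits bob's name on the
// password form, first against the shared store, then the random one.
var_dump(passwordLogin($weak, 'bob', $shared));
var_dump(passwordLogin($hardened, 'bob', $shared));
```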