/**
* Processes and outputs the Add Dir Auth user form.
* @return void
*/
function wpDirAuth_add_user_panel()
{
_log('WPDIRAUTH - function ' . __FUNCTION__ . ' activated. ');
/**
* Still needed?
*/
global $id;
/**
* get_current_screen()->id = site-users-network will let us know if we are on the sites,edit,user tab
*/
$strScreenID = get_current_screen()->id;
/**
* Are we running in a wordpress network and in the network area?
*/
$boolIsNetworkAdminScreen = is_network_admin() && $strScreenID != 'site-users-network' ? true : false;
/**
* How do we refer to their SSOID?
*/
$strMarketingSSOID = get_site_option('dirAuthMarketingSSOID', 'Username');
$strReferer = wpDirAuth_get_referer();
/**
* defaults
*/
$strWpDirAuthSSOID = '';
$strWpDirAuthRole = '';
$boolConfirmationEmail = true;
$objErrors = new WP_Error();
$strSuccess = '';
if ($boolIsNetworkAdminScreen) {
$arySitesData = wpDirAuth_retrieve_multisite_blog_data();
}
if ($_POST) {
if (wp_verify_nonce($_POST['_wpnonce_add-da-user'], 'add-da-user')) {
/**
* We gots a problem.... if they've checked all the boxes and chosen roles but forgot to enter the pawprint (it happens, you did
* it yourself!) then we cant rebuild the list of which sites were checked/not checked later because we're jumping out before
* we get to the point where we build that data.
*/
if (isset($_POST['ssoid']) && $_POST['ssoid'] == '') {
$objErrors->add('blank_ssoid', __('<p>' . $strMarketingSSOID . ' can not be left blank.</p>'));
} else {
$strWpDirAuthSSOID = wpDirAuth_sanitize($_POST['ssoid']);
if ($boolIsNetworkAdminScreen && $strReferer != 'site-users.php') {
$arySitesAndRoles = array();
$aryValidSiteIDs = array_keys($arySitesData);
$aryValidRoles = array_keys(get_editable_roles());
_log('contents of the post in function ' . __FUNCTION__ . ' at line ' . __LINE__ . ':' . PHP_EOL . var_export($_POST, true));
//we SHOULD have at least one site set.
for ($i = 0; $i < count($arySitesData); ++$i) {
$strPostSite = 'site' . $i;
$intCountPostSite = count($_POST[$strPostSite]);
/**
* We need to make sure that the site param is set, that it's an array and that it contains at least one element, but no more than
* two
*/
if (isset($_POST[$strPostSite]) && is_array($_POST[$strPostSite]) && $intCountPostSite > 0 && $intCountPostSite < 3) {
if ($intCountPostSite == 1 && is_string(current($_POST[$strPostSite]))) {
/**
* If the array has only one element, then this site wasnt selected as one we want to add the user to. but we
* need, for simplicity sake, to make the array contain two elements before we do input validation
*/
$_POST[$strPostSite] = array('', current($_POST[$strPostSite]));
/**
* Since we know that the array has two elements, we'll test to make sure the siteid is valid'
*/
} elseif (!is_numeric($_POST[$strPostSite][0]) || !in_array($_POST[$strPostSite][0], $aryValidSiteIDs)) {
$_POST[$strPostSite][0] = '';
}
/**
*
*/
if (!in_array($_POST[$strPostSite][1], $aryValidRoles)) {
$_POST[$strPostSite][1] = '';
}
/**
* If we now have non-empty values for both elements, we'll add them to our array to be used for inserting the user into sites
*/
if ($_POST[$strPostSite][0] != '' && $_POST[$strPostSite][1] != '') {
$arySitesAndRoles[$i] = array('blog_id' => $_POST[$strPostSite][0], 'role' => $_POST[$strPostSite][1]);
}
}
}
}
$strWpDirAuthRole = isset($_POST['role']) && in_array($_POST['role'], array_keys(get_editable_roles())) ? $_POST['role'] : get_site_option('default_role');
$intBlogID = isset($_POST['id']) && is_numeric($_POST['id']) ? intval($_POST['id']) : '';
if (isset($_POST['noconfirmation']) && $_POST['noconfirmation'] == 1) {
$boolConfirmationEmail = false;
}
if (!isset($arySitesAndRoles) || !$boolIsNetworkAdminScreen) {
$aryUserData = wpDirAuth_add_new_user($strWpDirAuthSSOID, $strWpDirAuthRole, $intBlogID);
_log('adding a standard user (' . $strWpDirAuthSSOID . ')from either inside a site, or from the edit section of a site');
_log('user data from newly added user is : ' . PHP_EOL . var_export($aryUserData, true) . PHP_EOL);
} elseif (count($arySitesAndRoles) < 1) {
$aryUserData = new WP_Error('no_site_role_selected', '<p>You will need to select at least one site to add this user to.</p>');
} else {
$aryUserData = wpDirAuth_add_new_user_to_multi_sites($strWpDirAuthSSOID, $arySitesAndRoles);
_log('adding a user (' . $strWpDirAuthSSOID . ')from the network Add Dir Auth user section');
}
if (is_wp_error($aryUserData)) {
//foreach($objErrors->)
//$mxdErrors = $aryUserData;
$objErrors->add($aryUserData->get_error_code(), $aryUserData->get_error_message(), $aryUserData->get_error_data());
} else {
$arySitesAddedTo = array();
if (isset($arySitesAndRoles) && count($arySitesAndRoles) != 0) {
foreach ($arySitesAndRoles as $arySiteData) {
$arySitesAddedTo[] = array('blogname' => $arySitesData[$arySiteData['blog_id']], 'aoran' => wpDirAuth_determine_A_or_An($arySiteData['role']), 'role' => $arySiteData['role'], 'siteurl' => get_site_url($arySiteData['blog_id'], '', 'https'));
}
} else {
$arySitesAddedTo[] = array('blogname' => get_site_option('blogname'), 'aoran' => wpDirAuth_determine_A_or_An($strWpDirAuthRole), 'role' => $strWpDirAuthRole, 'siteurl' => site_url());
}
/**
* ok, the admin has just successfully added a user to a site from the sites->edit->users tab. Since we cant seem to
* redirect them back to the screen automatically, let's give them a link to go back.'
*/
if ($strReferer == 'site-users.php' && $boolIsNetworkAdminScreen) {
$strReturnToURL = wp_get_referer();
$strExtraMessage = '<a href="' . $strReturnToURL . '">Return to the User tab</a> of the ' . $arySitesData[$intBlogID] . ' site.';
} else {
$strExtraMessage = '';
}
$strSuccess = wpDirAuth_construct_success_msg($strWpDirAuthSSOID, $aryUserData['ID'], $arySitesAddedTo, $strExtraMessage);
_log('for user ' . $strWpDirAuthSSOID . ', added them to ' . var_export($arySitesAddedTo, true) . '.');
if ($boolConfirmationEmail) {
foreach ($arySitesAddedTo as $arySiteAddedToData) {
$strMsg = sprintf(WPDIRAUTH_EMAIL_NEWUSER_NOTIFY, $arySiteAddedToData['blogname'], $arySiteAddedToData['aoran'], $arySiteAddedToData['role'], $strMarketingSSOID, $strWpDirAuthSSOID, $arySiteAddedToData['siteurl'] . '/wp-login.php');
wp_mail($aryUserData['email'], '[' . $arySiteAddedToData['blogname'] . '] You\'ve been added!', $strMsg);
}
}
//reset back to defaults
$strWpDirAuthSSOID = '';
$strWpDirAuthRole = '';
$boolConfirmationEmail = true;
}
}
} else {
$objErrors->add('invalid-nonce', __('Invalid nonce value'));
}
}
?>
<h3>Add New Directory Authentication User</h3>
<?php
if (count($objErrors->errors) != 0) {
wpDirAuth_print_error_messages($objErrors);
} elseif ($strSuccess != '') {
echo $strSuccess;
}
?>
<p><?php
_e('Add a directory authenticated user to this site/network');
?>
</p>
<p><?php
_e('Please note: Your LDAP/AD instance must allow anonymous profile searches, or you must provide a pre-bind account/password in the <a href="options-general.php?page=' . basename(__FILE__) . '">Directory Auth settings page.</a>');
?>
</p>
<form action="<?php
if (isset($strScreenID) && $strScreenID == 'site-users-network') {
echo 'users.php?page=wpDirAuth';
}
?>
" method="post" name="adddauser" id="createuser" class="add:users: validate"<?php
do_action('user_new_form_tag');
?>
>
<?php
if (isset($id) && $id != '' && is_multisite()) {
echo '<input type="hidden" name="id" value="', $id, '" />', PHP_EOL;
}
?>
<input name="action" type="hidden" value="add-da-user" />
<?php
wp_nonce_field('add-da-user', '_wpnonce_add-da-user');
?>
<table class="form-table">
<tr class="form-field form-required">
<th scope="row">
<label for="ssoid"><?php
_e($strMarketingSSOID . '/SSOID');
?>
<span class="description"><?php
_e('(required)');
?>
</span></label>
</th>
<td>
<input name="ssoid" type="text" id="ssoid" value="<?php
echo esc_attr($strWpDirAuthSSOID);
?>
" aria-required="true" />
</td>
</tr>
<?php
if ($boolIsNetworkAdminScreen) {
?>
<tr class="form-field">
<th scope="row"><label for="blogs"><?php
_e('Site');
?>
</label></th>
<th><label for="role"><?php
_e('Role');
?>
</label></th>
</tr>
<?php
$i = 0;
foreach ($arySitesData as $intSiteID => $strSiteName) {
$boolChecked = false;
if (isset($arySitesAndRoles[$i])) {
$aryFormSiteData = $arySitesAndRoles[$i];
} elseif (isset($_POST['site' . $i])) {
$aryFormSiteData = $_POST['site' . $i];
} else {
$aryFormSiteData = array();
}
_log('aryFormSiteData at line ' . __LINE__ . ': ' . var_export($aryFormSiteData, true));
/**
* We are working on the assumption that there are either ALWAYS two elements in aryformSiteData or the array is empty.
* If the first element in the array isnt empty, then the current site needs to be checked
*/
if (reset($aryFormSiteData) != '') {
$boolChecked = true;
}
/**
* If the last element (eg second, role) isnt empty, then we want to select it from the list
*/
$strRoleSelected = end($aryFormSiteData) != '' ? current($aryFormSiteData) : '';
echo '<tr>
<td>
<input name="site' . $i . '[]" value="' . $intSiteID . '" id="blog_' . $intSiteID . '" type="checkbox"';
if ($boolChecked) {
echo ' checked="checked"';
}
echo ' /> ' . $strSiteName . '
</td>
<td>
<select name="site' . $i . '[]" id="role_' . $intSiteID . '">';
wp_dropdown_roles($strRoleSelected);
echo PHP_EOL, '</select>
</td>
</tr>';
++$i;
}
?>
<?php
} else {
?>
<tr class="form-field">
<th scope="row"><label for="role"><?php
_e('Role');
?>
</label></th>
<td><select name="role" id="role">
<?php
$strCurrentRole = empty($strWpDirAuthRole) ? get_site_option('default_role') : $strWpDirAuthRole;
wp_dropdown_roles($strCurrentRole);
?>
</select>
</td>
</tr>
<?php
}
?>
<tr>
<th scope="row"><label for="noconfirmation"><?php
_e('Skip Confirmation Email');
?>
</label></th>
<td><label for="noconfirmation"><input type="checkbox" name="noconfirmation" id="noconfirmation" value="1" <?php
checked(!$boolConfirmationEmail);
?>
/> <?php
_e('Add the user without sending them a confirmation email.');
?>
</label></td>
</tr>
</table>
<?php
submit_button(__('Add New User '), 'primary', 'createuser', true, array('id' => 'createusersub'));
?>
</form>
<?php
}
/**
* wpDirAuth plugin configuration panel.
* Processes and outputs the wpDirAuth configuration form.
*
* @return void
*
* @uses WPDIRAUTH_DEFAULT_FILTER
* @uses WPDIRAUTH_DEFAULT_LOGINSCREENMSG
* @uses WPDIRAUTH_DEFAULT_CHANGEPASSMSG
* @uses WPDIRAUTH_ALLOWED_TAGS
* @uses wpDirAuth_makeCookieMarker
* @uses wpDirAuth_sanitize
*/
function wpDirAuth_optionsPanel()
{
global $userdata;
$wpDARef = WPDIRAUTH_SIGNATURE;
$allowedHTML = htmlentities(WPDIRAUTH_ALLOWED_TAGS);
$curUserIsDirUser = get_usermeta($userdata->ID, 'wpDirAuthFlag');
if ($curUserIsDirUser) {
echo <<<____________EOS
<div class="wrap">
<h2>Directory Authentication Options</h2>
<p>
Because any changes made to directory authentication
options can adversly affect your session when logged in
as a directory user, you must be logged in as a
WordPress-only administrator user to update these settings.
</p>
<p>
If such a user no longer exists in the database, please
<a href="./users.php#add-new-user">create a new one</a>
using the appropriate WordPress admin tool.
</p>
<p>{$wpDARef}</p>
</div>
____________EOS;
return;
}
if ($_POST) {
// Booleans
$enable = intval($_POST['dirAuthEnable']) == 1 ? 1 : 0;
$enableSsl = intval($_POST['dirAuthEnableSsl']) == 1 ? 1 : 0;
$requireSsl = intval($_POST['dirAuthRequireSsl']) == 1 ? 1 : 0;
$TOS = intval($_POST['dirAuthTOS']) == 1 ? 1 : 0;
// Strings, no HTML
$controllers = wpDirAuth_sanitize($_POST['dirAuthControllers']);
$baseDn = wpDirAuth_sanitize($_POST['dirAuthBaseDn']);
$preBindUser = wpDirAuth_sanitize($_POST['dirAuthPreBindUser']);
$preBindPassword = wpDirAuth_sanitize($_POST['dirAuthPreBindPassword']);
$preBindPassCheck = wpDirAuth_sanitize($_POST['dirAuthPreBindPassCheck']);
$accountSuffix = wpDirAuth_sanitize($_POST['dirAuthAccountSuffix']);
$filter = wpDirAuth_sanitize($_POST['dirAuthFilter']);
$institution = wpDirAuth_sanitize($_POST['dirAuthInstitution']);
// Have to be allowed to contain some HTML
$loginScreenMsg = wpDirAuth_sanitize($_POST['dirAuthLoginScreenMsg'], true);
$changePassMsg = wpDirAuth_sanitize($_POST['dirAuthChangePassMsg'], true);
update_option('dirAuthEnable', $enable);
update_option('dirAuthEnableSsl', $enableSsl);
update_option('dirAuthRequireSsl', $requireSsl);
update_option('dirAuthControllers', $controllers);
update_option('dirAuthBaseDn', $baseDn);
update_option('dirAuthPreBindUser', $preBindUser);
update_option('dirAuthAccountSuffix', $accountSuffix);
update_option('dirAuthFilter', $filter);
update_option('dirAuthInstitution', $institution);
update_option('dirAuthLoginScreenMsg', $loginScreenMsg);
update_option('dirAuthChangePassMsg', $changePassMsg);
update_option('dirAuthTOS', $TOS);
// Only store/override the value if a new one is being sent a bind user is set.
if ($preBindUser && $preBindPassword && $preBindPassCheck == $preBindPassword) {
update_option('dirAuthPreBindPassword', $preBindPassword);
} elseif (!$preBindUser) {
update_option('dirAuthPreBindPassword', '');
}
if (get_option('dirAuthEnable') && !get_option('dirAuthCookieMarker')) {
wpDirAuth_makeCookieMarker();
}
echo '<div id="message" class="updated fade"><p>Your new settings were saved successfully.</p></div>';
// Be sure to clear $preBindPassword, not to be displayed onscreen or in source
unset($preBindPassword);
} else {
// Booleans
$enable = intval(get_option('dirAuthEnable')) == 1 ? 1 : 0;
$enableSsl = intval(get_option('dirAuthEnableSsl')) == 1 ? 1 : 0;
$requireSsl = intval(get_option('dirAuthRequireSsl')) == 1 ? 1 : 0;
$TOS = intval(get_option('dirAuthTOS')) == 1 ? 1 : 0;
// Strings, no HTML
$controllers = wpDirAuth_sanitize(get_option('dirAuthControllers'));
$baseDn = wpDirAuth_sanitize(get_option('dirAuthBaseDn'));
$preBindUser = wpDirAuth_sanitize(get_option('dirAuthPreBindUser'));
$accountSuffix = wpDirAuth_sanitize(get_option('dirAuthAccountSuffix'));
$filter = wpDirAuth_sanitize(get_option('dirAuthFilter'));
$institution = wpDirAuth_sanitize(get_option('dirAuthInstitution'));
// Have to be allowed to contain some HTML
$loginScreenMsg = wpDirAuth_sanitize(get_option('dirAuthLoginScreenMsg'), true);
$changePassMsg = wpDirAuth_sanitize(get_option('dirAuthChangePassMsg'), true);
}
$controllers = htmlspecialchars($controllers);
$baseDn = htmlspecialchars($baseDn);
$preBindUser = htmlspecialchars($preBindUser);
$accountSuffix = htmlspecialchars($accountSuffix);
$filter = htmlspecialchars($filter);
$institution = htmlspecialchars($institution);
$loginScreenMsg = htmlspecialchars($loginScreenMsg);
$changePassMsg = htmlspecialchars($changePassMsg);
if ($enable) {
$tEnable = "checked";
} else {
$fEnable = "checked";
}
$defaultFilter = WPDIRAUTH_DEFAULT_FILTER;
if (!$filter) {
$filter = $defaultFilter;
}
if (!$institution) {
$institution = '[YOUR INSTITUTION]';
}
if (!$loginScreenMsg) {
$loginScreenMsg = sprintf(WPDIRAUTH_DEFAULT_LOGINSCREENMSG, $institution);
}
if (!$changePassMsg) {
$changePassMsg = sprintf(WPDIRAUTH_DEFAULT_CHANGEPASSMSG, $institution);
}
if ($enableSsl) {
$tSsl = "checked";
} else {
$fSsl = "checked";
}
if ($requireSsl) {
$tWpSsl = "checked";
} else {
$fWpSsl = "checked";
}
if ($TOS) {
$tTOS = "checked";
} else {
$fTOS = "checked";
}
$wpDAV = WPDIRAUTH_VERSION;
echo <<<________EOS
<div class="wrap">
<h2>Directory Authentication Options</h2>
<form method="post" id="dir_auth_options">
<p class="submit"><input type="submit" name="dirAuthOptionsSave" value="Update Options »" /></p>
<fieldset class="options">
<legend>WordPress Settings</legend>
<ul>
<li>
<label for="dirAuthEnable"><strong>Enable Directory Authentication?</strong></label>
<br />
<input type="radio" name="dirAuthEnable" value="1" {$tEnable} /> Yes
<input type="radio" name="dirAuthEnable" value="0" {$fEnable} /> No
<br />
<strong>Note 1</strong>: Users created in WordPress are not affected by your directory authentication settings.
<br />
<strong>Note 2</strong>: You will still be able to login with standard WP users if the LDAP server(s) go offline.
</li>
<li>
<label for="dirAuthRequireSsl"><strong>Require SSL Login?</strong></label>
<br />
<input type="radio" name="dirAuthRequireSsl" value="1" {$tWpSsl}/> Yes
<input type="radio" name="dirAuthRequireSsl" value="0" {$fWpSsl}/> No
<br />
<em>Force the WordPress login screen to require encryption (SSL, https:// URL)?</em>
</li>
</ul>
</fieldset>
<fieldset class="options">
<legend>Directory Settings</legend>
<ul>
<li>
<label for="dirAuthEnableSsl"><strong>Enable SSL Connectivity?</strong></label>
<br />
<input type="radio" name="dirAuthEnableSsl" value="1" {$tSsl}/> Yes
<input type="radio" name="dirAuthEnableSsl" value="0" {$fSsl}/> No
<br />
<em>Use encryption (SSL, ldaps:// URL) when WordPress connects to the directory server(s)?</em>
</li>
<li>
<label for="dirAuthControllers"><strong>Directory Servers (Domain Controllers)</strong></label>
<br />
<input type="text" name="dirAuthControllers" value="{$controllers}" size="40"/><br />
<em>The DNS name or IP address of the directory server(s).</em><br />
<strong>NOTE:</strong> Separate multiple entries by a comma and/or alternate ports with a colon (eg: my.server1.org, my.server2.edu:387).
Unfortunately, alternate ports will be ignored when using LDAP/SSL, because of <a href="http://ca3.php.net/ldap_connect">the way</a> PHP handles the protocol.
</li>
<li>
<label for="dirAuthFilter"><strong>Account Filter</strong></label>
<br />
<input type="text" name="dirAuthFilter" value="{$filter}" size="40"/>
(Defaults to <em>{$defaultFilter}</em>)
<br />
<em>What LDAP field should we search the username against to locate the user's profile after successful login?</em>
</li>
<li>
<label for="dirAuthAccountSuffix"><strong>Account Suffix</strong></label>
<br />
<input type="text" name="dirAuthAccountSuffix" value="{$accountSuffix}" size="40" /><br />
<em>Suffix to be automatically appended to the username if desired. e.g. @domain.com</em><br />
<strong>NOTE:</strong> Changing this value will cause your existing directory users to have new accounts created the next time they login.
</li>
<li>
<label for="dirAuthBaseDn"><strong>Base DN</strong></label>
<br />
<input type="text" name="dirAuthBaseDn" value="{$baseDn}" size="40"/><br />
<em>The base DN for carrying out LDAP searches.</em>
</li>
<li>
<label for="dirAuthPreBindUser"><strong>Bind DN</strong></label>
<br />
<input type="text" name="dirAuthPreBindUser" value="{$preBindUser}" size="40"/><br />
<em>Enter a valid user account/DN to pre-bind with if your LDAP server does not allow anonymous profile searches, or requires a user with specific privileges to search.</em>
</li>
<li>
<label for="dirAuthPreBindPassword"><strong>Bind Password</strong></label>
<br />
<input type="password" name="dirAuthPreBindPassword" value="" size="40"/><br />
<em>Enter a password for the above Bind DN if a value is needed.</em><br />
<strong>Note 1</strong>: this value will be stored in clear text in your WordPress database.<br />
<strong>Note 2</strong>: Simply clear the Bind DN value if you wish to delete the stored password altogether.
</li>
<li>
<label for="dirAuthPreBindPassCheck"><strong>Confirm Password</strong></label>
<br />
<input type="password" name="dirAuthPreBindPassCheck" value="" size="40"/><br />
<em>Confirm the above Bind Password if you are setting a new value.</em>
</li>
</ul>
</fieldset>
<fieldset class="options">
<legend>Branding Settings</legend>
<ul>
<li>
<label for="dirAuthInstitution"><strong>Institution Name</strong></label>
<br />
<input type="text" name="dirAuthInstitution" value="{$institution}" size="40" />
<br />
<em>Name of your institution/company. Displayed on the login screen.</em>
</li>
<li>
<label for="dirAuthLoginScreenMsg"><strong>Login Screen Message</strong></label>
<br />
<textarea name="dirAuthLoginScreenMsg" cols="40" rows="3">{$loginScreenMsg}</textarea>
<br />
<em>Displayed on the login screen, underneath the username/password fields.</em><br />
<strong>Note</strong>: Some HTML allowed: {$allowedHTML}
</li>
<li>
<label for="dirAuthChangePassMsg"><strong>Password Change Message</strong></label>
<br />
<textarea name="dirAuthChangePassMsg" cols="40" rows="3">{$changePassMsg}</textarea>
<br />
<em>Displayed wherever user passwords can be changed, for directory users only.</em><br />
<strong>Note</strong>: Some HTML allowed: {$allowedHTML}
</li>
<li>
<label for="dirAuthTOS"><strong>Terms of Services Agreement</strong></label>
<br />
<input type="radio" name="dirAuthTOS" value="1" {$tTOS}/> Yes
<input type="radio" name="dirAuthTOS" value="0" {$fTOS}/> No
<br />
<em>Ask directory users to agree to terms of services that you link to in the message above?</em><br />
<strong>Note</strong>: Checkbox disappears once checked, date of agreement is stored and users are no longer prompted.
</li>
</ul>
</fieldset>
<p class="submit"><input type="submit" name="dirAuthOptionsSave" value="Update Options »" /></p>
</form>
<p>Powered by {$wpDARef}.</p>
</div>
________EOS;
}
