/**
 * Logs a CAS-authenticated user into Drupal.
 *
 * Call this only after the CAS server has validated the ticket. Listeners
 * can veto registration or login via the property bag flags; either veto
 * sets $_SESSION['cas_temp_disable'] before throwing.
 *
 * @param CasPropertyBag $property_bag
 *   Username and attributes returned by the CAS server.
 * @param string $ticket
 *   Value stored against the current session ID on success (presumably the
 *   CAS service ticket; the signature does not enforce a type).
 *
 * @throws CasLoginException
 *   When no local account exists and auto-registration is off, or when a
 *   listener denies registration or login.
 */
public function loginToDrupal(CasPropertyBag $property_bag, $ticket) {
  // Listeners get to alter the CAS properties before anything is looked up.
  $this->eventDispatcher->dispatch(CasHelper::CAS_PROPERTY_ALTER, new CasPropertyEvent($property_bag));

  $username = $property_bag->getUsername();
  $account = $this->userLoadByName($username);

  if (!$account) {
    $cas_settings = $this->settings->get('cas.settings');
    // Only a strict TRUE turns auto-registration on.
    if ($cas_settings->get('user_accounts.auto_register') !== TRUE) {
      throw new CasLoginException("Cannot login, local Drupal user account does not exist.");
    }
    if (!$property_bag->getRegisterStatus()) {
      $_SESSION['cas_temp_disable'] = TRUE;
      throw new CasLoginException("Cannot register user, an event listener denied access.");
    }
    $account = $this->registerUser($username);
  }

  // Listeners may alter the account; it is then persisted.
  $this->eventDispatcher->dispatch(CasHelper::CAS_USER_ALTER, new CasUserEvent($account, $property_bag));
  // NOTE(review): the save happens before the login veto below is checked,
  // so listener changes to the account persist even when login is denied.
  $account->save();

  if (!$property_bag->getLoginStatus()) {
    $_SESSION['cas_temp_disable'] = TRUE;
    throw new CasLoginException("Cannot login, an event listener denied access.");
  }

  $this->userLoginFinalize($account);
  $this->storeLoginSessionData($this->sessionManager->getId(), $ticket);
}
/**
 * {@inheritdoc}.
 */
public function buildForm(array $form, FormStateInterface $form_state) {
  // Anonymous users get a session started by hand, and a flag records that
  // this form is the one holding it open.
  $needs_session = $this->currentUser->isAnonymous()
    && !isset($_SESSION['multistep_form_holds_session']);
  if ($needs_session) {
    $_SESSION['multistep_form_holds_session'] = true;
    $this->sessionManager->start();
  }

  // The incoming $form is discarded; only the actions container is built.
  $form = [];
  $form['actions'] = [
    '#type' => 'actions',
    'submit' => [
      '#type' => 'submit',
      '#value' => $this->t('Submit'),
      '#button_type' => 'primary',
      '#weight' => 10,
    ],
  ];
  return $form;
}
/**
 * {@inheritdoc}
 */
public function execute() {
  /** @var \Drupal\user\UserInterface $user */
  $user = $this->getContextValue('user');

  // Anonymous and already-blocked accounts are left untouched.
  if (!$user->isAuthenticated() || !$user->isActive()) {
    return;
  }

  $user->block();
  // The user's sessions are deleted together with the block.
  $this->sessionManager->delete($user->id());
  // Ask the caller to save the altered entity later.
  $this->saveLater = TRUE;
}
/**
 * {@inheritdoc}
 */
public function destroy($sid) {
  global $user;

  // A disabled session manager means the session must not be changed.
  if (!$this->sessionManager->isEnabled()) {
    return TRUE;
  }

  $secure = $this->requestStack->getCurrentRequest()->isSecure();
  $id_column = $secure ? 'ssid' : 'sid';

  // Rows are matched on the hashed session ID.
  $this->connection->delete('sessions')
    ->condition($id_column, Crypt::hashBase64($sid))
    ->execute();

  // Clear $_SESSION and fall back to the anonymous user so that
  // \Drupal\Core\Session\SessionManager::save() does not open a new session.
  $_SESSION = [];
  $user = new AnonymousUserSession();

  // Drop the session cookie, plus its counterpart in HTTPS / mixed mode.
  $this->deleteCookie($this->getName());
  if ($secure) {
    $this->deleteCookie($this->sessionManager->getInsecureName(), FALSE);
  }
  elseif ($this->sessionManager->isMixedMode()) {
    $this->deleteCookie('S' . $this->getName(), TRUE);
  }

  $this->cleanupObsoleteSessions();
  return TRUE;
}
/**
 * {@inheritdoc}
 */
public function run() {
  // Keep going even if the client disconnects mid-run.
  @ignore_user_abort(TRUE);

  // Session writes are suspended for the duration of the run.
  $session_was_enabled = $this->sessionManager->isEnabled();
  $this->sessionManager->disable();

  // Run as anonymous so hook_cron implementations see consistent permissions.
  $previous_account = $this->currentUser->getAccount();
  $this->currentUser->setAccount(new AnonymousUserSession());

  // Give the hook_cron implementations a generous time budget.
  drupal_set_time_limit(240);

  $ran = FALSE;
  if ($this->lock->acquire('cron', 900.0)) {
    $this->invokeCronHandlers();
    $this->setCronLastTime();
    $this->lock->release('cron');
    // Report TRUE so callers can tell the handlers actually ran.
    $ran = TRUE;
  }
  else {
    // Another cron run still holds the lock.
    $this->logger->warning('Attempting to re-run cron while it is already running.');
  }

  // Queues are processed whether or not the lock was acquired.
  $this->processQueues();

  // Restore the original account and session state.
  $this->currentUser->setAccount($previous_account);
  if ($session_was_enabled) {
    $this->sessionManager->enable();
  }

  return $ran;
}
/**
 * Controller for meteor.overview.
 *
 * Returns the session cookie name and the anonymous user label as JSON.
 */
public function siteInfo() {
  $payload = [
    'cookieName' => $this->sessionManager->getName(),
    'anonymousName' => $this->userSettings->get('anonymous'),
  ];
  $json = $this->serializer->serialize($payload, 'json');

  $response = new Response($json, Response::HTTP_OK);
  // Declare the body as JSON so clients parse it as such.
  $response->headers->set('Content-type', 'application/json');
  return $response;
}
/**
 * Tests that execute() leaves a blocked anonymous user untouched.
 *
 * @covers ::execute
 */
public function testBlockUserWithBlockedAnonymousUser() {
  $user = $this->getUserMock(self::BLOCKED, self::ANONYMOUS);

  // Neither the account nor its sessions may be touched.
  $user->block()->shouldNotBeCalled();
  $this->sessionManager->delete()->shouldNotBeCalled();

  $this->action->setContextValue('user', $user->reveal());
  $this->action->execute();

  $expected = [];
  $this->assertEquals($this->action->autoSaveContext(), $expected, 'Action returns nothing for auto saving since the user has not been altered.');
}
/**
 * Switches the current session to another user.
 *
 * session_save_session() is deliberately not called, because the point is to
 * change users. Usually unsafe!
 *
 * @param string $name
 *   The username to switch to. NULL or an empty name is rejected.
 *
 * @return \Symfony\Component\HttpFoundation\RedirectResponse
 *   A redirect to the front page.
 *
 * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
 *   When $name is empty or no account with that name exists.
 */
public function switchUser($name = NULL) {
  // NOTE(review): the lookup is by name only; nothing here checks whether
  // the target account is blocked, and empty() also rejects the name "0".
  if (empty($name)) {
    throw new AccessDeniedHttpException();
  }
  $matches = $this->userStorage->loadByProperties(['name' => $name]);
  if (!$matches) {
    throw new AccessDeniedHttpException();
  }
  $target = reset($matches);

  // Logout hooks fire for the account being left.
  $this->moduleHandler->invokeAll('user_logout', [$this->account]);

  // A fresh session ID guards against session fixation.
  $this->sessionManager->regenerate();

  // Modelled on the masquerade module: https://www.drupal.org/node/218104
  // alone does not stick and only lasts until the redirect.
  $this->account->setAccount($target);
  $this->session->set('uid', $target->id());

  // Login hooks fire for the account being entered.
  $this->moduleHandler->invokeAll('user_login', [$target]);

  return $this->redirect('<front>');
}
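/**
 * Switches back to the user that started masquerading.
 *
 * The original user's ID is read from $_SESSION['masquerading'], which is
 * always cleared, even when that user can no longer be loaded.
 *
 * @return bool
 *   TRUE when switched back, FALSE otherwise.
 */
public function switchBack() {
  if (empty($_SESSION['masquerading'])) {
    return FALSE;
  }
  $original_user = $this->entityTypeManager->getStorage('user')->load($_SESSION['masquerading']);
  // Clear the flag regardless of whether the load succeeded.
  unset($_SESSION['masquerading']);
  if (!$original_user) {
    return FALSE;
  }

  // $this->currentUser is the proxy that setAccount() below repoints, so the
  // masquerading user's display name must be captured before the switch;
  // reading it afterwards would yield the original user's name instead.
  $masquerading_user = $this->currentUser;
  $masquerading_name = $masquerading_user->getDisplayName();

  // Logout hooks fire for the masquerading user.
  $this->moduleHandler->invokeAll('user_logout', [$masquerading_user]);

  // A fresh session ID guards against session fixation.
  // @todo Maybe session service migrate.
  $this->sessionManager->regenerate();

  $this->currentUser->setAccount($original_user);
  \Drupal::service('session')->set('uid', $original_user->id());

  // Login hooks fire for the original user.
  $this->moduleHandler->invokeAll('user_login', [$original_user]);

  $this->logger->info('User %username stopped masquerading as %old_username.', [
    '%username' => $original_user->getDisplayName(),
    '%old_username' => $masquerading_name,
    'link' => $this->l($this->t('view'), $original_user->toUrl()),
  ]);
  return TRUE;
}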
/**
 * Records whether the request arrived without a session to resume.
 *
 * Sets $this->emptySession to 1 when start() returns a falsy value and to 0
 * otherwise.
 *
 * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
 *   The Event to process.
 */
public function onKernelRequestSessionTest(GetResponseEvent $event) {
  $started = $this->sessionManager->start();
  $this->emptySession = $started ? 0 : 1;
}
/**
 * {@inheritdoc}
 */
public function cleanup(Request $request) {
  // Persist the session once the request is done.
  $manager = $this->sessionManager;
  $manager->save();
}