Closed (fixed)
Project:
CAS Attributes
Version:
6.x-3.x-dev
Component:
CAS Attributes
Priority:
Normal
Category:
Support request
Assigned:
Unassigned
Reporter:
Created:
11 Jan 2012 at 02:42 UTC
Updated:
25 Mar 2012 at 00:41 UTC
Jump to comment: Most recent file
Comments
Comment #1
redndahead commentedComment #2
bfroehle commentedDo I need to match the role id or the role name?
Could this be done more simply as:
explode(SEP, token_replace(['cas:attribute:' . $name . ':join:' . SEP . ']'))for a proper separator?
Comment #3
bfroehle commentedAdd
to remove an irrelevant option.
Also access to this whole fieldset should be restricted via:
Comment #4
redndahead commentedHere are the changes. Won't be able to test them until tomorrow when I'm back at work.
Comment #5
redndahead commentedA fix for if no roles are selected.
Comment #6
bfroehle commentedRather than this, I think we should go back and rethink the array handling. For example, maybe we should add an option to the token handler which will return the raw array? The we could do something like
Thoughts?
Comment #7
redndahead commentedI thought I tried to return the raw array and it returned an empty string. So I thought token was doing something, but that was early on and I could have been doing something wrong.
Unfortunately I'm in a bind to get this working really quickly, but I do want to do it right. So let's try to figure it out. Right now it's kind of special casing [cas:attribute:xxx] and instead of getting 1 value it's getting all. It would be nice to have an option to pull a raw array as it would make things a whole lot easier.
Comment #8
bfroehle commentedThis is clearly difficult to architect correctly --- in particular we're using the token system for things it is not designed to do.
I see two paths forward:
1. Avoid the token system
Instead, just provide a simple UI:
Then just do
$attributes = cas_phpcas_attributes($cas_name);, avoiding the token system completely.2. Use the token replacement system:
Which do you think is better?
Comment #9
redndahead commentedSorry for some reason I got logged out of d.o. and no new issues were showing up.
So here are my thoughts. Number 1 sounds best although it doesn't fit any of the other options on the page.
I'm thinking of adding a hook_cas_attributes_attribute_alter that will allow someone to manipulate the attributes returned from cas before we do the compare. So that you can return a single result only or if it's in a form of cn=tomato, ou=soup, dc=dinner, dc=food they can parse it and return soup as the group.
Right now with the array patch we special case [cas:attribute:xxxx] to be the first item in the array where in normal tokens it would be a comma separated value of the arrays. So doing that might not be best anyway.
What do you think?
Comment #10
bfroehle commentedYes, but it'd be easiest to implement on a deadline.
A few Q's regarding the hook:
(1): Would we first loop through the attributes to ensure that each one is an array?
(2): Would we have a similar hook for LDAP attributes? i.e. hook_cas_attributes_ldap_alter?
Otherwise I think this sounds brilliant!
Comment #11
redndahead commentedI think we can hold off on my deadline. It's best if we can get this right. Here is a patch that implements #1.
1) No we'll just handle it when building the array of attribute values. Have a look at the patch.
2) Yes we should. I think we can get away with using the same hook. But tell me if there are problems if we do. I don't have it in this patch, but you can see how it would be done with this patch.
Comment #12
redndahead commentedI'm starting to really need this now. Anything I can do to help continue this?
Comment #13
bfroehle commentedSorry, this totally fell off my radar. :(
Is the patch in #11 ready to go? If you think so, I'll just go ahead and commit it.
Comment #14
redndahead commentedJust tested this again and it's working as expected. One thing I think we need is to maybe remove the word tokens in the description of the field. It's misleading in thinking that it uses the token module. Maybe replace with attributes
Comment #15
bfroehle commentedYes. Also it'd be good if the description gave an example of the type of string by which we mean "attribute". Can you whip that up?
Comment #16
achantrill commentedCould you post a more complete description of what sort of CAS response you are expecting?
For instance, it looks like you can return a set of Role Names within a single attribute as a comma separated list, but I'm not getting that to work. I am finding a reference to [cas:attribute:$name:count] which makes me think you are looking for something like
Using MultiRowJdbcPersonAttributeDao, you should get something like this:
but I'm not sure what exactly you are doing, and since attributes in CAS are non-standard (unless you are using SAML, which I don't think you are) I could really use a concrete authenticationSuccess response example.
Thanks!
Comment #17
redndahead commentedHere is a new patch
Comment #18
redndahead commented@achantrill This module doesn't expect the attributes in any format. Since the cas module uses the phpCAS library that's how it gets it's attributes. You would have to ask the phpCAS library maintainers how they are handling the attributes.
Comment #19
bfroehle commentedI think we'll need to be clearer that it isn't the token syntax. For example.
Otherwise I think this is ready to go. Do you concur?
Comment #20
redndahead commentedThe clearer the better. :)
Comment #21
bfroehle commentedIn the interest of moving things along I've committed the patch in #20. Put follow-up things in new issues, I'll change this issue into a potential backport to 6.x if folks are interested.
Thanks for all the hard work (and patience!).
Comment #22
redndahead commentedI don't think there are any differences in the code between d6 and d7. So I have just created a patch for d6. This hasn't been tested.
Comment #23
redndahead commentedI tested it out and it works great. I think you can commit this.
Comment #24
bfroehle commentedThanks for the report. I've committed this to 6.x-3.x.