Posted by lastobelus on August 18, 2008 at 11:47pm
Jump to:
| Project: | CAS |
| Version: | 5.x-3.0 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
How would I go about integrating CAS with content_access? Has anyone else done this? Out of the box, the CAS module only allows hardcoding a list of pages to require login.
I am tasked with adding CAS to an existing site that uses content_access to decide which nodes can be viewed by anonymous users and which require logged in users.
Comments
#1
Not sure how to do this, so what you're asking for, nor am I familiiar iwth content access, but if the page redirects you to user/login, you might consider simply setting this page to require cas auth. Otherwise we might consider an approach that is simliar to the auth_filter approach taken in the module. That is, provide a "require_login" hook that get's used by other modules to allow them to influence whether the cas module requires auth. I'd be willing to consider such a patch if submitted.
Does that make sense?
#2
Thanks for your feedback. A require_login hook makes a lot of sense.
I am brand new to drupal (but an experienced web app developer), so please forgive any mistakes I currently have in my understanding of how things work. How would I go about adding a hook that other modules can use? Is there a way to register a hook with the dispatcher (or whatever it is called in drupal)?
I've looked through content_access and have an idea how it works to decide whether a mode is accessible or not. What I don't really get is how that information is then consolidated later on. IE, what I haven't been able to figure out yet is where the drupal app (before installing cas) decides whether a page needs login or not...content_access will have returned permissions for each of the nodes on the page, but where are these checked?
We did thing of setting cas to target user/login, but it did not do the trick. Sometimes the app redirects to user/login, but sometimes it draws the login block in place and there is no cas redirect. Haven't figured out yet what the difference is. Also we lose the intended destination of the user, and there was another issue which I disremember...I'll set it up that way again so I can describe it.
I'm going to try to find out from the team how they setup the authentication, but there are some communication barriers.
#3
The following function illustrates calling a hook in the modules that returns data. You basically iterate the module list, see if that module has a function according to the naming convention and then call it, doing what you will with the results.
function cas_invoke_auth_filter($cas_name) {foreach (module_list() as $module) {
$function = $module .'_auth_filter';
if (function_exists($function)) {
if (($return = $function('cas', $cas_name)) === FALSE) {
return FALSE;
}
}
}
return TRUE;
}
Drupal does not normally prompt users for login when they don't have access to a page, but rather it just displays an access denied message, so you're in a bit of new territory here for drupal. The login block simply is there when you're not logged in.
If it's a list of nodes it's done in the select statement which is joined based on the node_access table. If you've got a list of nodes and one's private it's unclear as to whether you'd decide to prompt for login. In the individual page load case you can check the node access table yourself and return whether or not the page requires auth.
Come to think of it, maybe a better approach would be to have cas check this and force login for pages that fail this check for node access based on the normal node access tables. You might be able to tie into the node_access system and call those hooks instead to determine wether cas should require login. You'll need to sprinkle in some debug messages to find out whether this can be done within a node_load hook fire, or whether it's best done within the init hook (or menu hook in d5).
#4
Since 5.x-3.x is very old, and this issue hasn't been touched in a very long time, I'm going to mark this as 'fixed'.
The easy way to do this in future versions is to create a 'CAS user' roles, set up CAS to automatically assign CAS users to that role, and then set up content_access to allow access to that role.
You'll have to work out a custom 'access denied' page that encourages users to log in if they do not have the requisite permissions (see a module like custom error).
#5
Automatically closed -- issue fixed for 2 weeks with no activity.