Restrict registration to users authenticated via CAS
| Project: | CAS |
| Version: | HEAD |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Not sure what to do here, but since you've created a project, I wanted to open a queue to think about how the cas auth code might integrate here, rather than having two drupal modules that might conflict.
A couple of ideas:
* Cas provides an auth_filter hook that would make sure that users who were not in the list would never get accounts created via cas. So you could create the invite page, and implement this hook to validate whether accounts get on your list.
* What would happen if you configured cas to require auth for specific pages (your invite page), but turned off the create accounts feature for the site. Wouldn't cas require auth then, but still allow your users to work.?
We might consider creating a hook that would let modules dynamically decide whether cas_auth was required. That avoids configuring the specific pages idea.
I'm also open to the idea of co-maintaining the cas module and commiting this project as part of the cas suite, but maybe its best on its own.
I wanted you to know that I've implemented a drupal cas_server module that will be in the cas project, and I'm seriously considering removing the dependency on the phpCAS libraries, and coding up a Drupal specific cas client so that I can use the drupal database store for Proxy Granting tickets, without mucking with phpCAS. So if we integrate, Your module users won't need to download the phpCAS module.
#1
I would be most happy to integrate with the cas module. I'm particularly interested in your efforts to create a native Drupal cas client. Longer-term I'd like to integrate this with the invite module as well.
I'm on a time crunch right now so I'm scrambling to put this together as quickly as possible. Once I've got this working based on my current plan, I'd be happy to start working on a module to be included with the cas module that accomplishes the same thing, but right now I can't have another developer as a dependency.
Please keep integration ideas/tips coming!
#2
I ended up deciding on a different approach. Rather than bothering with invites, I've modified access to the registration form and modified the form and validation such that only anonymous users that have authenticated via CAS (such that a Drupal account is not created) can access the registration form. For my purposes, I have also forced the username in the registration form to be the CAS username and have implemented some basic validation on the email address to ensure that it is not a ".edu" address. The user registration form will also redirect users who have already registered with the CAS username they just logged into CAS with to the retrieve password page.
I'm moving this over to the CAS project as I can see this simplified functionality being integrated into the CAS project much more easily than my previous scheme. I attach my module verbatim. It is specific to one of my websites and needs to be generalized and absorbed by cas.module. I might eventually get to that, but it is very unlikely that I will do so before September 2009 so for the moment, I leave it here for whoever wants to tackle that.
Apologies for my code not being the cleanest and for being all over the place with regard to this functionality. I'd be happy to answer any questions about my code, which is basically the CAS module cut down and added to.