Skip to content

Commit

Permalink
Provide login hook, phpcs linting
Browse files Browse the repository at this point in the history
  • Loading branch information
jules0x committed Sep 10, 2021
1 parent 70aabc7 commit d6d1f88
Showing 1 changed file with 16 additions and 5 deletions.
21 changes: 16 additions & 5 deletions src/Control/SAMLController.php
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@
namespace SilverStripe\SAML\Control;

use Exception;

use function gmmktime;

use OneLogin\Saml2\Auth;
use OneLogin\Saml2\Constants;
use OneLogin\Saml2\Utils;
Expand All @@ -23,6 +25,7 @@
use SilverStripe\Security\IdentityStore;
use SilverStripe\Security\Member;
use SilverStripe\Security\Security;

use function uniqid;

/**
Expand Down Expand Up @@ -158,7 +161,8 @@ public function acs()
// Write a rudimentary member with basic fields on every login, so that we at least have something
// if there is no further sync (e.g. via LDAP)
$member = Member::get()->filter('GUID', $guid)->limit(1)->first();
if (!($member && $member->exists())
if (
!($member && $member->exists())
&& Config::inst()->get(SAMLConfiguration::class, 'allow_insecure_email_linking')
&& isset($fieldToClaimMap['Email'])
) {
Expand Down Expand Up @@ -200,6 +204,9 @@ public function acs()
// Both SAML and LDAP identify Members by the same GUID field.
$member->write();

// Hook for modifying login behaviour
$this->extend('updateLogin');

/** @var IdentityStore $identityStore */
$identityStore = Injector::inst()->get(IdentityStore::class);
$identityStore->logIn($member, false, $this->getRequest());
Expand Down Expand Up @@ -241,14 +248,18 @@ public function metadata()
protected function getRedirect()
{
// Absolute redirection URLs may cause spoofing
if ($this->getRequest()->getSession()->get('BackURL')
&& Director::is_site_url($this->getRequest()->getSession()->get('BackURL'))) {
if (
$this->getRequest()->getSession()->get('BackURL')
&& Director::is_site_url($this->getRequest()->getSession()->get('BackURL'))
) {
return $this->redirect($this->getRequest()->getSession()->get('BackURL'));
}

// Spoofing attack, redirect to homepage instead of spoofing url
if ($this->getRequest()->getSession()->get('BackURL')
&& !Director::is_site_url($this->getRequest()->getSession()->get('BackURL'))) {
if (
$this->getRequest()->getSession()->get('BackURL')
&& !Director::is_site_url($this->getRequest()->getSession()->get('BackURL'))
) {
return $this->redirect(Director::absoluteBaseURL());
}

Expand Down

0 comments on commit d6d1f88

Please sign in to comment.