From f7a93ff33f4c2f41702950e9258faa09894afcd1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rapha=C3=ABl=20Barrois?=
Date: Sun, 4 Mar 2012 00:58:29 +0100
Subject: [PATCH] Automatically disconnect after auth-groupe-x authentication.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Raphaël Barrois
---
classes/xorgsession.php | 7 +++++++
modules/auth.php | 11 ++++++++++-
templates/core/password_prompt.tpl | 7 +++++--
3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/classes/xorgsession.php b/classes/xorgsession.php
index af7cd9e..8406007 100644
--- a/classes/xorgsession.php
+++ b/classes/xorgsession.php
@@ -183,6 +183,13 @@ class XorgSession extends PlSession
$this->setAccessCookie(false, S::i('auth_by_cookie') != $user->id());
} else {
$this->killAccessCookie();
+
+ // If login for an external website and not activating cookie,
+ // mark that we want to disconnect once external auth checks
+ // have been performed.
+ if (Post::b('external_auth')) {
+ S::set('external_auth_exit', true);
+ }
}
}
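Review bot: The `external_auth_exit` flag set here lives in the session, and nothing visible in this patch clears it except the session destroy in modules/auth.php, so it applies to whichever groupex request next reaches the redirect rather than to the login it was set for. If the first external-auth attempt ends in `$page->kill` instead, the session keeps the flag, and a later unrelated groupex authentication in that session would log the user out unexpectedly. The flag also comes from the client-supplied `external_auth` POST field; that looks harmless because it can only shorten the caller's own session, but a comment such as `// client-controlled; can only cause an earlier logout, never extend access` would record the reasoning. The enclosing method starts and ends outside the hunk.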
diff --git a/modules/auth.php b/modules/auth.php
index 8f71fda..d510da3 100644
--- a/modules/auth.php
+++ b/modules/auth.php
@@ -119,7 +119,7 @@ class AuthModule extends PLModule
function handler_groupex($page, $charset = 'utf8')
{
if (!S::logged()) {
- $page->assign('referer', true);
+ $page->assign('external_auth', true);
$page->setTitle('Authentification');
$page->setDefaultSkin('group_login');
@@ -223,6 +223,15 @@ class AuthModule extends PLModule
$page->kill("Le site demandé est réservé aux polytechniciens.");
}
+ // If we logged in specifically for this 'external_auth' request
+ // and didn't want to "keep access to services", we kill the session
+ // just before returning.
+ // See classes/xorgsession.php:startSessionAs
+ if (S::b('external_auth_exit')) {
+ S::logger()->log('decconnexion', @$_SERVER['HTTP_REFERER']);
+ Platal::session()->killAccessCookie();
+ Platal::session()->destroy();
+ }
http_redirect($returl);
} else if (S::admin()) {
$page->kill("La requête d'authentification a échoué (url de retour invalide).");
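Review bot: The teardown added before `http_redirect($returl)` runs only on the success path, so the `$page->kill(...)` branches just above and below it appear to leave a user who chose not to keep access still logged in after a failed external authentication. Assuming `$page->kill` ends the request, the same `S::b('external_auth_exit')` check with the `killAccessCookie()` and `destroy()` calls should run before those exits too, ideally through one small private helper so the paths cannot drift apart. Separately, `@$_SERVER['HTTP_REFERER']` writes a client-supplied header to the log with error suppression; `isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''` is explicit about the missing case, and whatever displays the log should treat the value as untrusted. The action string `'decconnexion'` looks misspelled and should be checked against the name used for ordinary logouts. handler_groupex continues outside the hunk.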
diff --git a/templates/core/password_prompt.tpl b/templates/core/password_prompt.tpl
index 9bab8e9..8dc634d 100644
--- a/templates/core/password_prompt.tpl
+++ b/templates/core/password_prompt.tpl
@@ -20,7 +20,7 @@
{* *}
{**************************************************************************}
-{if t($referer) || $platal->pl_self() neq 'login'}
+{if t($external_auth) || $platal->pl_self() neq 'login'}
Accès restreint
@@ -31,7 +31,7 @@
{else}
la page que vous avez demandée
{/if}
- ({if t($referer)}{$smarty.server.HTTP_REFERER|truncate:120:"...":false}{else}{$globals->baseurl}/{$platal->pl_self()}{/if})
+ ({if t($external_auth)}{$smarty.server.HTTP_REFERER|truncate:120:"...":false}{else}{$globals->baseurl}/{$platal->pl_self()}{/if})
nécessite une authentification.
{else}
@@ -153,6 +153,9 @@
+ {if t($external_auth)}
+
+ {/if}
--
2.1.4