150 lines
5.1 KiB
PHP
150 lines
5.1 KiB
PHP
<?php
|
|
if ( ! defined( 'ABSPATH' ) ) exit;
|
|
|
|
/**
|
|
* Findet oder erstellt einen WordPress-User anhand der Authentik-Userinfo.
|
|
*/
|
|
function authentik_find_or_create_user( $userinfo ) {
|
|
$s = authentik_get_settings();
|
|
$subject = $userinfo['sub'] ?? '';
|
|
$email = $userinfo['email'] ?? '';
|
|
$username = $userinfo['preferred_username'] ?? $userinfo['name'] ?? '';
|
|
$groups = $userinfo['groups'] ?? [];
|
|
|
|
if ( empty( $subject ) ) {
|
|
return new WP_Error( 'no_sub', 'Kein Subject im Token.' );
|
|
}
|
|
|
|
// 1. Suche per gespeicherter Subject-ID (zuverlässigste Methode)
|
|
$user = authentik_find_user_by_subject( $subject );
|
|
|
|
// 2. Verknüpfe bestehenden User per E-Mail
|
|
if ( ! $user && $s['link_existing'] && $email ) {
|
|
$user = get_user_by( 'email', $email );
|
|
if ( $user ) {
|
|
update_user_meta( $user->ID, 'authentik_subject', $subject );
|
|
}
|
|
}
|
|
|
|
// 3. Verknüpfe bestehenden User per Benutzername
|
|
if ( ! $user && $s['link_existing'] && $username ) {
|
|
$user = get_user_by( 'login', $username );
|
|
if ( $user ) {
|
|
update_user_meta( $user->ID, 'authentik_subject', $subject );
|
|
}
|
|
}
|
|
|
|
// 4. Neuen User erstellen
|
|
if ( ! $user ) {
|
|
if ( ! $s['create_users'] ) {
|
|
return new WP_Error( 'user_not_found', 'Kein passender WordPress-Account gefunden.' );
|
|
}
|
|
|
|
$user_login = sanitize_user( $username ?: explode( '@', $email )[0] );
|
|
// Sicherstellen dass Benutzername einzigartig ist
|
|
if ( username_exists( $user_login ) ) {
|
|
$user_login = $user_login . '_' . substr( $subject, 0, 6 );
|
|
}
|
|
|
|
$user_id = wp_insert_user( [
|
|
'user_login' => $user_login,
|
|
'user_email' => $email,
|
|
'user_pass' => wp_generate_password( 32 ),
|
|
'display_name' => $userinfo['name'] ?? $user_login,
|
|
'role' => $s['default_role'],
|
|
] );
|
|
|
|
if ( is_wp_error( $user_id ) ) {
|
|
return $user_id;
|
|
}
|
|
|
|
update_user_meta( $user_id, 'authentik_subject', $subject );
|
|
$user = get_user_by( 'ID', $user_id );
|
|
}
|
|
|
|
// 5. Rollen synchronisieren
|
|
if ( $s['sync_roles'] && $user ) {
|
|
authentik_sync_roles( $user, $groups, $s );
|
|
}
|
|
|
|
return $user;
|
|
}
|
|
|
|
function authentik_find_user_by_subject( $subject ) {
|
|
$users = get_users( [
|
|
'meta_key' => 'authentik_subject',
|
|
'meta_value' => $subject,
|
|
'number' => 1,
|
|
] );
|
|
return ! empty( $users ) ? $users[0] : null;
|
|
}
|
|
|
|
function authentik_sync_roles( $user, $groups, $s ) {
|
|
$admin_group = $s['admin_group'];
|
|
|
|
if ( $admin_group && in_array( $admin_group, $groups, true ) ) {
|
|
$user->set_role( 'administrator' );
|
|
} else {
|
|
// Mappe Authentik-Gruppen auf WordPress-Rollen
|
|
$role_map = [
|
|
'wordpress_editor' => 'editor',
|
|
'wordpress_author' => 'author',
|
|
'wordpress_contributor' => 'contributor',
|
|
'wordpress_subscriber' => 'subscriber',
|
|
];
|
|
|
|
$assigned = false;
|
|
foreach ( $role_map as $group => $role ) {
|
|
if ( in_array( $group, $groups, true ) ) {
|
|
$user->set_role( $role );
|
|
$assigned = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ( ! $assigned ) {
|
|
// Behalte aktuelle Rolle wenn keine Gruppe passt
|
|
}
|
|
}
|
|
}
|
|
|
|
// Profilseite: Verknüpfungsstatus anzeigen
|
|
add_action( 'show_user_profile', 'authentik_show_link_status' );
|
|
add_action( 'edit_user_profile', 'authentik_show_link_status' );
|
|
function authentik_show_link_status( $user ) {
|
|
$subject = get_user_meta( $user->ID, 'authentik_subject', true );
|
|
?>
|
|
<h3>Authentik-Verknüpfung</h3>
|
|
<table class="form-table">
|
|
<tr>
|
|
<th>Status</th>
|
|
<td>
|
|
<?php if ( $subject ) : ?>
|
|
<span style="color:green;">✓ Verknüpft</span>
|
|
<p class="description">Subject: <code><?php echo esc_html( $subject ); ?></code></p>
|
|
<a href="<?php echo esc_url( wp_nonce_url( admin_url( 'admin-post.php?action=authentik_unlink&user_id=' . $user->ID ), 'authentik_unlink_' . $user->ID ) ); ?>" class="button button-small">Verknüpfung aufheben</a>
|
|
<?php else : ?>
|
|
<span style="color:orange;">✗ Nicht verknüpft</span>
|
|
<p class="description">Beim nächsten Authentik-Login wird dieser Account automatisch verknüpft (wenn E-Mail oder Benutzername übereinstimmt).</p>
|
|
<?php endif; ?>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
<?php
|
|
}
|
|
|
|
// Verknüpfung aufheben
|
|
add_action( 'admin_post_authentik_unlink', 'authentik_handle_unlink' );
|
|
function authentik_handle_unlink() {
|
|
$user_id = (int) $_GET['user_id'];
|
|
check_admin_referer( 'authentik_unlink_' . $user_id );
|
|
|
|
if ( ! current_user_can( 'edit_user', $user_id ) ) {
|
|
wp_die( 'Keine Berechtigung.' );
|
|
}
|
|
|
|
delete_user_meta( $user_id, 'authentik_subject' );
|
|
wp_redirect( admin_url( 'user-edit.php?user_id=' . $user_id . '&authentik_unlinked=1' ) );
|
|
exit;
|
|
}
|