=== modified file 'webserver_auth.info'
--- webserver_auth.info	2008-06-13 19:48:41 +0000
+++ webserver_auth.info	2008-06-13 19:55:48 +0000
@@ -1,8 +1,5 @@
-; $Id: webserver_auth.info,v 1.1 2008/03/10 21:43:42 weitzman Exp $
+; $Id$
 name = Webserver authentication
-description = Rely on the web server authentication instead of Drupal.
-; Information added by drupal.org packaging script on 2008-04-22
-version = "HEAD"
-project = "webserver_auth"
-datestamp = "1208823409"
+description = "Rely on the web server authentication instead of Drupal."
+core = 6.x
 

=== added file 'webserver_auth.install'
--- webserver_auth.install	1970-01-01 00:00:00 +0000
+++ webserver_auth.install	2008-06-18 17:31:24 +0000
@@ -0,0 +1,12 @@
+<?php
+// $Id$
+
+/**
+ * Implementation of hook_install()
+ */
+function webserver_auth_install() {
+  // For 6.x: module weights in core: webserver_auth_init() after user.module is
+  // loaded. Lifted from devel.module.
+  db_query("UPDATE {system} SET weight=1 WHERE name = 'webserver_auth'");
+}
+

=== modified file 'webserver_auth.module'
--- webserver_auth.module	2008-06-13 19:48:41 +0000
+++ webserver_auth.module	2008-07-07 20:59:56 +0000
@@ -1,118 +1,141 @@
 <?php
-// $Id: webserver_auth.module,v 1.20 2008/04/21 16:43:26 weitzman Exp $
+// $Id$
 
-function webserver_auth_menu($may_cache) {
-  if ($may_cache) {
-    $items[] = array(
-      'title' => t('Webserver authentication'),
-      'path' => "admin/settings/webserver_auth",
-      'callback' => "drupal_get_form",
-      'callback arguments' => array('webserver_auth_settings'),
-      'description' => t('Configure a domain for generating email addresses. Optional.'),
-    );
-  }
+function webserver_auth_menu() {
+  $items = array();
+  $items['admin/settings/webserver_auth'] = array(
+    'title' => t('Webserver authentication'),
+    'description' => t('Configure a domain for generating email addresses. Optional.'),
+    'page callback' => 'drupal_get_form',
+    'page arguments' => array('webserver_auth_settings'),
+    'access arguments' => array('administer site configuration'),
+  );
   return $items;
-
 }
 
 function webserver_auth_init() {
-  global $user, $account;
-
-  $remote_user = "";
-
-  //lets make sure we get the remote user whichever way it is available
-  if (isset($_SERVER["REDIRECT_REMOTE_USER"])) {
-     $remote_user = $_SERVER["REDIRECT_REMOTE_USER"];
-  } elseif (isset($_SERVER["REMOTE_USER"])) {
-     $remote_user = $_SERVER["REMOTE_USER"];
-  }
-
-  // two ways to get $name 
-  if ($name != $remote_user) {
-    //this might be something to add as an admin panel function later
-    //$name = strtolower($remote_user);
-    $name = $remote_user;
-  }
-  
-  if (isset($user) && $user->id && $user->name === $name) {
-    //do nothing because user is already logged into Drupal, and hasn't presented different credentials vis web server
+  global $user;
+
+  $authname = '';
+
+  // Make sure we get the remote user whichever way it is available.
+  if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
+    $authname = $_SERVER['REDIRECT_REMOTE_USER'];
+  }
+  elseif (isset($_SERVER['REMOTE_USER'])) {
+    $authname = $_SERVER['REMOTE_USER'];
+  }
+
+  // Perform some cleanup so plaintext passwords aren't available under
+  // mod_auth_kerb.
+  unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+
+  // Retrieve user credentials
+  $result = db_query("SELECT uid FROM {authmap} WHERE authname = '%s' AND module = 'webserver_auth'", $authname);
+  $expected = db_fetch_array($result);
+
+  if (isset($user) && $user->uid === $expected['uid']) {
+    // Do nothing: user is already logged into Drupal with session data matching
+    // HTTP authentication.
   }
   else {
-    if ($name) {
-      // user is logged into webserver.
-      $account->name = $name;
-      //modules get to change the user bits before saving. use a global $account to do so.
-      // only loaded modules will see this hook
-      module_invoke_all("webserver_auth");
-      // if we are in bootstrap, load user.module ourselves
-      if (!module_exists('user')) {
-       drupal_load('module', 'user');
-      }
-
-      // try to log into Drupal. if unsuccessful, register the user
-      $test_user = user_external_load($account->name);
-      if (!$test_user->uid) {
-        if (variable_get("user_register", 1) == 1) {
-          $user_default = array("name" => $account->name, "pass" => "cyan", "init" => db_escape_string($name), "authname_webserver_auth" => $account->name, "status" => 1, "roles" => array(DRUPAL_AUTHENTICATED_RID));
-          // TODO - the hook_user('register') will fire but only for loaded modules. could be a problem for sites using page cache and that hook+operation
-          $user = user_save("", array_merge($user_default, (array)$account));
-          watchdog("user", "new user: $user->name (webserver_auth)", l(t("edit user"), "admin/user/edit/$user->uid"));
-        }
-      }
-      else{
-        $user = $test_user;
-      }
-    }
-    else {
-      // do nothing. user isn't logged into web server
-    }
-  }
-}
-
-// using a global to change your bits. module_invoke_all miffs me.
-function webserver_auth_webserver_auth() {
-  global $account;
-
-  $account->name = trim($account->name);
-  // pretties up the username for NTLM authentication (i.e. Windows)
-  if ($_SERVER["AUTH_TYPE"] == "NTLM" || $_SERVER["AUTH_TYPE"] == 'Negotiate') {
-    if (!(strpos($account->name, "\\") === false)) {
-      $account->name = substr($account->name, strrpos($account->name, "\\")+1);
-	}
-    if (!(strpos($account->name, "@") === false)) {
-      $account->name = substr($account->name, 0, strrpos($account->name, "@"));
-	}
-  }
-
-  if ($domain = variable_get("webserver_auth_domain", "")) {
-    if ($account->name) {
-      $account->mail = $account->name. "@$domain";
-    }
-  }
-}
-
+    if (!empty($authname)) {
+      // User is logged into webserver via HTTP authentication.
+      // Try to log into Drupal. 
+      $user = user_external_load($authname);
+
+      if (!$user) {
+        // If unsuccessful, register the user. This will trigger
+        // webserver_auth_user() and any other _user() hooks.
+        user_external_login_register($authname, 'webserver_auth');
+      }
+    }
+  }
+}
+
+/**
+ * Implementation of hook_user().
+ */
+function webserver_auth_user($op, &$edit, &$account, $category = NULL) {
+  if ($op == 'insert' && $category = 'account') {
+    $account->name = trim($account->name);
+    // Pretty up the username for NTLM authentication (i.e. Windows)
+    if (variable_get('webserver_auth_strip_prefix', TRUE)) {
+      // Get 'bar' from 'foo1\foo2\bar'
+      $account->name = array_pop(explode("\\", $account->name));
+    }
+    if (variable_get('webserver_auth_strip_domain', TRUE)) {
+      // Get 'foo' from 'foo@bar'
+      $account->name = array_shift(explode('@', $account->name));
+    }
+    db_query("UPDATE {users} SET name = '%s' WHERE uid = %d", $account->name, $account->uid);
+    // Generate an e-mail address automagically
+    if ($domain = variable_get('webserver_auth_email_domain', '')) {
+      if ($account->name) {
+        db_query("UPDATE {users} SET mail = '%s@%s' WHERE uid = %d", $account->name, $domain, $account->uid);
+      }
+    }
+    // run some custom code to modify the user object at creation time
+    if ($code = variable_get('webserver_auth_insert', '')) {
+      eval('?>'. $code);
+    }
+  }
+  elseif ($op == 'logout') {
+    global $base_url;
+    // kick user out of a secure session so they aren't automatically logged back in
+    $base_url = str_replace('https://', 'http://', $base_url);
+  }
+}
+
+/**
+ * Implementation of hook_settings().
+ */
 function webserver_auth_settings() {
-  $form["webserver_auth_domain"] = array(
+  $form['webserver_auth_email_domain'] = array(
     '#type' => 'textfield',
-    '#title' => t("Email Domain"),
-    '#default_value' => variable_get("webserver_auth_domain", ""),
+    '#title' => t('Email domain'),
+    '#default_value' => variable_get('webserver_auth_email_domain', ''),
     '#size' => 30,
     '#maxlength' => 55,
-    '#description' => t("Append this domain name to each new user in order generate his email address. Currently only used for NTLM authentication."),
-    );
-  return system_settings_form($form);	
+    '#description' => t('Append this domain name to each new user in order generate his email address.'),
+  );
+  $form['advanced'] = array(
+    '#type' => 'fieldset',
+    '#title' => t('Advanced settings'),
+    '#collapsible' => TRUE,
+    '#collapsed' => TRUE,
+    'webserver_auth_strip_prefix' => array(
+      '#type' => 'checkbox',
+      '#title' => t('Strip prefix'),
+      '#default_value' => variable_get('webserver_auth_strip_prefix', TRUE),
+      '#description' => t("Strip NTLM-style prefixes (e.g. 'foo1\foo2') from the login name ('foo1\foo2\bar') to generate the username ('bar')."),
+    ),
+    'webserver_auth_strip_domain' => array(
+      '#type' => 'checkbox',
+      '#title' => t('Strip domain'),
+      '#default_value' => variable_get('webserver_auth_strip_domain', TRUE),
+      '#description' => t("Strip a domain name (e.g. '@EXAMPLE.COM') from the login name ('newuser@EXAMPLE.COM') to generate the username ('newuser')."),
+    ),
+    'webserver_auth_insert' => array(
+      '#type' => 'textarea',
+      '#title' => 'User account modification',
+      '#default_value' => variable_get('webserver_auth_insert', ''),
+      '#description' => t("Modify user accounts at the time of creation. Use PHP code (enclosed in <code>&lt;?php</code> and <code>?&gt;</code>). The variable <code>\$account</code> is available as in <a href=\"http://api.drupal.org/api/function/hook_user/6\">hook_user('insert',...)</a>. Changes to the user object must be explicitly saved to the database to be made permanent."),
+    ),
+  );
+  return system_settings_form($form);
 }
 
-function webserver_auth_help($section) {
-  $output ="";
-
-  switch ($section) {
+/**
+ * Implementation of hook_help().
+ */
+function webserver_auth_help($path) {
+  switch ($path) {
     case 'admin/help#webserver_auth':
       break;
+
     case 'admin/modules#description':
-      $output .= t("Use web server authentication instead of Drupal");
+      return t('Use web server authentication instead of Drupal');
       break;
   }
-
-  return $output;
 }

