I'm writing an authentication back end to work with our home-made authentication system. It *almost* works.
I'm using trustExternal, and after the user name and password are validated, I have some code that looks like this:

    if ($returnvalue == 200) {
        $userdata = json_decode($result);
        $USERINFO['name'] = utf8_encode($userdata->fname . ' ' . $userdata->lname);
        $USERINFO['mail'] = $userdata->email;
        $USERINFO['grps'] = array('user');
        $_SERVER['REMOTE_USER'] = $userdata->gemsid;
        $_SESSION[DOKU_COOKIE]['auth']['user'] = $userdata->gemsid;
        $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
        return true;
    } else {
        auth_logoff();
        msg($lang['badlogin'], -1);
        return false;
    }

The problem I have is that after the user provides the correct user name and password, he's redirected to the login page along with the message "Sorry, you don't have enough rights to continue. Perhaps you forgot to log in?" He does *not* see the badlogin message, and I know from our authentication server that the user name and password were successfully authenticated.
The odd thing is that if I provide a bogus group for the user, i.e. I change the code to:

    $USERINFO['grps'] = array('kjhjkasdio');

then the user is logged in successfully (he isn't redirected to the login page), except that he can't do anything because he's not a member of a valid group. He also sees the "Sorry, you don't have enough rights..." message, but now he's actually been logged in, where he wasn't when I provided an actual valid group. I can see that $USERINFO has been set successfully because his real name and username are displayed on the page.
If I switch to auth_plain and the user is in the 'user' group, then all is well. But with my own auth code, I can only log someone in if I provide a bogus group, and then he doesn't have permission to do anything.
Is there something blindingly obvious that I'm doing wrong? Is there something I'm not setting that needs setting?