diff --git a/lib/AccountManager/App.pm b/lib/AccountManager/App.pm
index 63f6f47f08cced4a27f8edc9a0a52a7fc19f7e78..4a3575d606c5790f7fc9410ccc182cd57b5a094e 100644
--- a/lib/AccountManager/App.pm
+++ b/lib/AccountManager/App.pm
@@ -250,6 +250,8 @@ sub abort {
 sub req_select_federation {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'select_federation');
+
     my $federations = $self->{configuration}->{federations}->{list};
     my @federations = split(/, */, $federations);
 
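Review bot: The authentication check is opt-in per handler. This hunk and the five that follow add the same `$self->check_authentication(action => ...)` line by hand to `req_select_sp`, `req_select_email`, `req_complete_challenge`, `req_create_accounts` and `req_download_accounts`, so any `req_*` handler added later without that line is reachable unauthenticated. The dispatcher is not visible in this diff, but if it resolves the action name before calling `req_$action`, running the check once there, with an explicit list of public actions, would fail closed. `req_select_federation` continues past the end of this hunk.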
@@ -276,6 +278,8 @@ sub req_select_federation {
 sub req_select_sp {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'select_sp');
+
     my $federation  = $self->{cgi}->param('federation'); # not mandatory
 
     my @federations = $federation ?
@@ -314,6 +318,8 @@ sub req_select_sp {
 sub req_select_email {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'select_email');
+
     my $entityid   = $self->get_parameter(name => 'entityid');
     my $federation = $self->{cgi}->param('federation'); # not mandatory
 
@@ -396,6 +402,8 @@ sub req_select_email {
 sub req_complete_challenge {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'complete_challenge');
+
     my $entityid   = $self->get_parameter(name => 'entityid');
     my $email      = $self->get_parameter(name => 'email');
 
@@ -573,6 +581,8 @@ sub req_complete_challenge {
 sub req_create_accounts {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'create_accounts');
+
     my $entityid = $self->get_parameter(name => 'entityid');
     my $token    = $self->get_parameter(name => 'token');
     my $email    = $self->get_parameter(name => 'email');
@@ -675,6 +685,8 @@ sub req_create_accounts {
 sub req_download_accounts {
     my ($self) = @_;
 
+    $self->check_authentication(action => 'download_accounts');
+
     my $entityid = $self->get_parameter(name => 'entityid');
     my $token    = $self->get_parameter(name => 'token');
     my $key      = $self->get_parameter(name => 'key');
@@ -812,4 +824,14 @@ sub check_token {
     }
 }
 
+sub check_authentication {
+    my $self = shift;
+    my %args = @_;
+
+    $self->abort(
+        log  => "unauthenticated user for action $args{action}",
+        user => "unauthenticated"
+    ) if !$ENV{HTTP_SHIB_IDENTITY_PROVIDER};
+}
+
 1;
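Review bot: `check_authentication` accepts any true value of `$ENV{HTTP_SHIB_IDENTITY_PROVIDER}` as proof of an authenticated session. Under CGI an `HTTP_`-prefixed variable is normally built from a request header, so the check is only trustworthy if the Shibboleth module is active on every location that reaches this code and discards client-supplied copies of that header; nothing in this diff establishes that. I would state the dependency above the sub, e.g. `# Trusts the web server: requires the Shibboleth SP to protect this location and clear client-sent Shib-* headers`. If the deployment has a known set of identity providers, consider comparing the value against it rather than testing truthiness. The sub also assumes `abort` never returns to the caller; its body is outside this hunk, so that should be confirmed, otherwise the handler carries on after the failed check.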
diff --git a/lib/AccountManager/L10N/fr.pm b/lib/AccountManager/L10N/fr.pm
index 954d94422f0442e1fd35161ef8a6aa8c99303bd5..4321058492b17ba09591ad2d750eb96f6c23fc83 100644
--- a/lib/AccountManager/L10N/fr.pm
+++ b/lib/AccountManager/L10N/fr.pm
@@ -327,3 +327,7 @@ msgstr "nom d'utilisateur:"
 #: templates/web/edugain/create_accounts.tt2.html:67 templates/web/renater/create_accounts.tt2.html:69
 msgid "value dynamically generated by the SP"
 msgstr "valeur générée dynamiquement par le SP"
+
+#: templates/web/edugain/errors.tt2.html:27
+msgid "you need to authenticate to access this page"
+msgstr "vous devez vous authentifier pour accéder à cette page"
diff --git a/templates/web/edugain/errors.tt2.html b/templates/web/edugain/errors.tt2.html
index 3dbb3b136e2db18fe69dcd75a52501d3b948d870..fd888e319adff0dbb1ee77fa801db100a8227e4b 100644
--- a/templates/web/edugain/errors.tt2.html
+++ b/templates/web/edugain/errors.tt2.html
@@ -23,6 +23,8 @@
         [% ELSIF err == 'wrong_token_for_sp' %]
         [% lh.maketext("the validation token you provided cannot be used for this service provider ([_1])", entityid) %]
 
+        [% ELSIF err == 'unauthenticated' %]
+        [% lh.maketext("you need to authenticate to access this page") %]
 
         [% ELSIF (matches = err.match('missing_(\w+)')) %]
         [% lh.maketext("missing parameter '[_1]'", matches.0) %]
diff --git a/templates/web/renater/errors.tt2.html b/templates/web/renater/errors.tt2.html
index 84303f349e8753e2ef53c9182b39fa57bb450b0f..34143afa09f4b2c859986b7c57298a7949255fba 100644
--- a/templates/web/renater/errors.tt2.html
+++ b/templates/web/renater/errors.tt2.html
@@ -23,6 +23,8 @@
         [% ELSIF err == 'wrong_token_for_sp' %]
         [% lh.maketext("the validation token you provided cannot be used for this service provider ([_1])", entityid) %]
 
+        [% ELSIF err == 'unauthenticated' %]
+        [% lh.maketext("you need to authenticate to access this page") %]
 
         [% ELSIF (matches = err.match('missing_(\w+)')) %]
         [% lh.maketext("missing parameter '[_1]'", matches.0) %]