==Problem with sysop/bureaucrat permissions after creating account with '''UserLoadFromSession''' hook==
* OS: Solaris 10
* MediaWiki version: 1.13.0
* PHP version: 5.2.6 (apache2handler)
* MySQL version: 5.0.67
* URL: http://ntm-igdev02.nott.ime.reuters.com/wiki/index.php/Main_Page (internal)
Apologies for the length of this post, but I'm utterly stymied after working on this for ages.

I am setting up 1.13.0 as a new system and will soon (I hope!) be migrating the content from an older version to it. This migration includes using our company SSO and I've successfully used the '''UserLoadFromSession''' hook to implement this. However, there is one glitch: I currently have two IDs, one original one (SS) for use without the hook and another (Sam.Sexton) that was created and is authenticated by the hook. Both of these are assigned as Sysop and Bureaucrat, but these permissions are only effective for the original user (SS) - as the other one (Sam.Sexton), I don't see the restricted special pages.

<pre>
(first | last) View (previous 50) (next 50) (20 | 50 | 100 | 250 | 500)

* SS ?(bureaucrat, sysop)
* Sam.Sexton ?(bureaucrat, sysop)
* WikiSysop ?(bureaucrat, sysop)

(first | last) View (previous 50) (next 50) (20 | 50 | 100 | 250 | 500)
</pre>

I have made the following observations and investigations. 

# The database records I create with the hook differ from the original (SS) record in that:
## user_touched is initially nulls (\0\0\0 rather than NULL) despite my setting it - but this is corrected by later activity.
## user_email_token and user_email_token_expires for Sam.Sexton are NULL, but I've copied values from SS and that made no difference.

I've looked at Skin.php and added this hack to see what was going on:

<pre>
		/* Hack to see what's going on. Sam 090108 */
		wfDebugBacktrace;
		$rpages = SpecialPage::getRestrictedPages();
		wfDebug("Restricted pages for $wgUser->mName\n");
		foreach ( $rpages as $rpage) {
			wfDebug("  $rpage\n");
		}
		/* end hack */
</pre>

:but nothing was added to the debug file, which is receiving other debug info. [I've since deduced that this isn't used!]

* I have even resorted to running truss on navigating to Special Pages as both users. There was a rather curious difference between the two - the one for Sam.Sexton (created with the hook) contained several calls to ''resolvepath'' that weren't in the truss for SS. This relates to symbolic link resolution - not unreasonably, as ''htdocs/wiki'' is a link to the files in my home dir for easy maintenance - and I've not seen any problems related to that arrangement. However, as I didn't get those calls for SS, I copied the files so that the link was removed and all files native - but that made no difference.

* My suspicions are that there's something I'm missing in the new account creation process, but for the life of me I can't see what! I suspect that there must be another criterion other than sysop/bureaucrat group membership required to see the restricted pages, but it's escaped my investigations so far. I'd be grateful for any illumination or suggestions on what else to check. Below is the code for the hook and a sample of the log for the db entry creation. Thanks in advance! Any constructive comments on the code will be welcomed - this is not an area in which I am overburdened with experience! ;-)

<pre>
<?php 
function fnUserAuthTGST($user, &$result) {

/*	This function performs the user authentication for TGSTWiki and D3000Wiki.
		It requires the following fields to be added to the default {prefix}_user table in the database:
		
		user_employee_id	tinytext
		user_market_group	tinytext		

		Ref:	http://www.mediawiki.org/wiki/Manual:Hooks/UserLoadFromSession
					http://svn.wikimedia.org/doc/classUser.html
		
 */
 
$fname   = "UserAuthTGST::fnUserAuthTGST";
$SAFE    = "https://safeqa.thomson.com/login/sso/SSOService?app=tgstwiki&returnURL=";
$errpage = "http://ntm-igdev02.nott.ime.reuters.com/wikiaccess.php";
$allowed = 300; # Five minutes diff is allowed.
	
	logTGST("Page: " . $_SERVER['REQUEST_URI']);
	if (isset($_COOKIE['TGSTWiki'])) {
		$tgstcookie = $_COOKIE['TGSTWiki'];
		logTGST("TGSTWiki cookie found");

		if (isset($_REQUEST['digest'])) {
			logTGST("digest exists as well - ignoring it.");
		}

		loadFromDatabaseTGST($user, $tgstcookie);
		$result = 1; // This causes the rest of the authentication process to be skipped.
		return(false);   // As should this, according to the internal error report:
		// Detected bug in an extension! Hook fnUserAuthTGST failed to return a value; should return true to continue hook processing or false to abort.

	} elseif (isset($_REQUEST['digest'])) {
		# Just back from SAFE - validate the result.
		
		$digest      = $_REQUEST['digest'];
		$empid       = $_REQUEST['uid'];
		$email       = $_REQUEST['email'];
		$firstname   = $_REQUEST['firstname'];
		$lastname    = $_REQUEST['lastname'];
		$marketgroup = $_REQUEST['marketgroup'];
		$intime      = $_REQUEST['time'];
		$returnurl   = $_REQUEST['returnURL'];
		$thispage    = curPageURL();
		$mytime      = date("Y:m:d:H:i:s", time());

		// Get the secret ...
		$file = fopen("/usr/local/apache2/htdocs/wiki/TGST/conf/.SAFEkey", "r") or exit("Unable to open file!");
		$secret = chop(fgets($file),"\n"); # Drop trailing LF
		fclose($file);

		$md5string = "$empid$intime$secret";
		$mydigest = md5($md5string);
		if ( "$digest" != "$mydigest" ) {
			// Problem! Log secure info to file:
			logTGST("Digests don't match for $email - unable to proceed.");
			logTGST("  digest=$digest");
			logTGST("  mydigest=$mydigest");
			logTGST("  md5string=$md5string");			
			// ... and tell the user something interesting:
			$errpage .= "?error=Digest%20mismatch";
			$errpage .= "&digest=$digest&empid=$empid&email=$email&first=$firstname&last=$lastname&mg=$marketgroup&intime=$intime";
			$errpage .= "&mytime=$mytime&returnurl=$returnurl";
			// redirect to report error ...
			http_redirect($errpage, array(), true, HTTP_REDIRECT);
		}

		$diff = valtime($intime);
		if ( $diff > $allowed ) {
			logTGST("Time difference ($diff) is too great for $email");
			logTGST("  intime=$intime");
			logTGST("  mytime=$mytime");
			// ... and tell the user something interesting:
			$errpage .= "?error=Time%20difference%20too%20great.";
			$errpage .= "&digest=$digest&empid=$empid&email=$email&first=$firstname&last=$lastname&mg=$marketgroup&intime=$intime";
			$errpage .= "&mytime=$mytime&returnurl=$returnurl";
			$errpage .= "&timediff=&diff";
			// redirect to report error ...
			http_redirect($errpage, array(), true, HTTP_REDIRECT);
			// $result not set so that authentication continues - and should fail.
			return(true); // This should have the same effect.
		}
		
		logTGST("SAFE validation successful for $email");
		
		# Validation successful - create cookie with all SAFE fields.
		$tgstcookie = "$empid|$email|$firstname|$lastname|$marketgroup"; 
		$tgstcookie = str_replace(' ', '%20', $tgstcookie); 
		# We'll start with a week and perhaps extend to a year....?
		if ( setrawcookie("TGSTWiki", $tgstcookie, time()+7*24*60*60, '/', $_SERVER['SERVER_NAME']) ) {
			logTGST("  cookie set successfully.");
		} else {
			logTGST("  cookie setting failed.");
		}
		// Now see if the user is already in the database ...
		
		$user = loadFromDatabaseTGST($user, $tgstcookie);
		$result = 1; // This causes the rest of the authentication process to be skipped.
		return(false); // Ditto (see above)
		
	} else {	// No cookie, so we go to SAFE.
		logTGST("TGSTWiki cookie not found - redirecting to SAFE.");

		$SAFE .= curPageURL(); // Append this page's name
		http_redirect($SAFE, array(), true, HTTP_REDIRECT);
	}	// No cookie
}

function loadFromDatabaseTGST($user, $tgstcookie) {
	$fname   = "UserAuthTGST::loadFromDatabaseTGST";
	
	// Check whether user is in the database - if so, complete User.
	logTGST("Entering $fname ...");
	// Explode the cookie:
	list ($empid, $email, $first, $last, $marketgroup) = explode("|", $tgstcookie, 5);
	logTGST("Cookie exploded: $empid, $email, $first, $last, $marketgroup");
	
	// Now see if the user is known ...
	
	$dbr =& wfGetDB( DB_SLAVE );
	$s = $dbr->selectRow( 'user', array('user_id'), array('user_employee_id' => $empid), $fname);
	if ($s === false) {
		logTGST("No entry found in db for employee id $empid - creating one ...");
		$user = new User();
		// MediaWiki requires names to start with a capital, so we have a stab at a reasonably formed name:
		$temp = explode(".", substr($email,0,strpos($email,'@')));
		$i   = 0;
		$lim = sizeof($temp);
		while ( $i < $lim) {
			$temp[$i] = ucwords($temp[$i]);
			$i++;
		}
		$userName = implode(".", $temp);
		$user->loadDefaults($userName);         // Added as it's done this way in CentralAuth.
		
		$user->mEmail              = $email;
		$user->mName               = $userName; // Redundant given use of loadDefaults...?
		$user->mEmployeeId         = $empid;
		$user->mRealName           = "$first $last";
		$user->mMarketGroup        = $marketgroup;
		$user->mEmailAuthenticated = wfTimestamp();
		$user->mTouched            = wfTimestamp();
		
		logTGST("  mName               = $user->mName");
		logTGST("  mEmployeeId         = $user->mEmployeeId");
		logTGST("  mRealName           = $user->mRealName");
		logTGST("  mMarketGroup        = $user->mMarketGroup");
		logTGST("  mEmailAuthenticated = $user->mEmailAuthenticated");
		logTGST("  mTouched            = $user->mTouched");
		
		$user->addToDatabase(); // No longer returns mId - it never did, but Roddy thought so!
		logTGST("User added to database with ID $user->mId.");
		
	} else {
		$user->mId = $s->user_id;
		logTGST("DB entry found for employee id $empid with user id $user->mId");
	} 
	
	// Load the existing or newly-created user from the database ...
	
	if ( !$user->loadFromDatabase() ) {
		logTGST("loadFromDatabase failed for user ID $user-mId");
	}
	return $user;
}

function curPageURL() {
 $pageURL = 'http';
 if (isset($_SERVER['HTTPS'])) {$pageURL .= "s";}
 $pageURL .= "://";
 if ($_SERVER['SERVER_PORT'] != "80") {
  $pageURL .= $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'].$_SERVER['REQUEST_URI'];
 } else {
  $pageURL .= $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
 }
 return $pageURL;
}

function curPageName() {
 return substr($_SERVER['SCRIPT_NAME'],strrpos($_SERVER['SCRIPT_NAME'],'/')+1);
}

function valtime($intime) {

	// Check whether supplied time is within five minutes of now.

	$time1   = implode(explode(":", $intime)); // Colonic irrigation!

	// Play at being a Time Lord here for testing.

	$inepoch = strtotime($time1); // Convert to epoch
	$myepoch = time();

	$diff = $myepoch - $inepoch;
	return($diff);
}

function logTGST($message) {

	// Log significant events during authentication if the log file exists.

	$day = gmdate("Ymd");
	$authlog = "/reuters/radt/local/log/TGSTWiki.authlog.$day";
	$now = gmdate("Y-m-d H:i:s ");
	
	if (file_exists($authlog)) {
		if ($file = fopen($authlog, "a")) {
			fputs($file, $now . $message . "\n");
			fclose($file);
			return(true);
		} else {
			return(false);
		}
	} else {
		return(true);
	}
}
?>
</pre>
<pre>
2009-01-13 15:08:39 Page: /wiki/index.php?title=Special:RecentChanges&feed=rss
2009-01-13 15:08:39 TGSTWiki cookie found
2009-01-13 15:08:39 Entering UserAuthTGST::loadFromDatabaseTGST ...
2009-01-13 15:08:39 Cookie exploded: 8009449, sam.sexton {at} thomsonreuters.com, Sam, Sexton, 11929
2009-01-13 15:08:39 No entry found in db for employee id 8009449 - creating one ...
2009-01-13 15:08:39   mName               = Sam.Sexton
2009-01-13 15:08:39   mEmployeeId         = 8009449
2009-01-13 15:08:39   mRealName           = Sam Sexton
2009-01-13 15:08:39   mMarketGroup        = 11929
2009-01-13 15:08:39   mEmailAuthenticated = 1231859319
2009-01-13 15:08:39   mTouched            = 1231859319
2009-01-13 15:08:39 User added to database with ID 15.
</pre>