Commit 396c6dce authored by Nigel McNie's avatar Nigel McNie

Add an option - usersuniquebyusername - that allows users from multiple...

Add an option - usersuniquebyusername - that allows users from multiple institutions to SSO in to one Mahara account. Tentative fix for #2243.

If this option is turned on (only in config.php), then when users SSO in from any XMLRPC authentication instance, they will be considered the same user if they have the same username. This differs from current behaviour, in that if the users' authinstances are different then they are considered different users.

If this option is turned on, no institution in the system is allowed to have self registration turned on. Also, users must be able to belong to multiple institutions.

This option added thanks to Howard Miller/Glasgow University.
parent b52014a2
......@@ -123,6 +123,40 @@ class User {
return $this;
}
/**
* Populates this object with the user record identified by the given
* username
*
* @throws AuthUnknownUserException If the user cannot be found. Note that
* deleted users _can_ be found
*/
public function find_by_username($username) {
if (!is_string($username)) {
throw new InvalidArgumentException('username parameter must be a string to create a User object');
}
$sql = 'SELECT
*,
' . db_format_tsfield('expiry') . ',
' . db_format_tsfield('lastlogin') . ',
' . db_format_tsfield('suspendedctime') . '
FROM
{usr}
WHERE
username = ?';
$user = get_record_sql($sql, $username);
if (false == $user) {
throw new AuthUnknownUserException("User with username \"$username\" is not known");
}
$this->populate($user);
$this->reset_institutions();
return $this;
}
/**
* Finds details for a user given a username and their authentication
* instance.
......@@ -169,8 +203,7 @@ class User {
)'
. $parentwhere
. '
)
AND u.deleted = 0';
)';
$user = get_record_sql($sql, array($username, $instanceid));
}
else {
......@@ -183,7 +216,6 @@ class User {
{usr}
WHERE
LOWER(username) = ? AND
u.deleted = 0 AND
authinstance = ' . db_quote($instanceid);
$user = get_record_sql($sql, array($username));
}
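Review bot: The new find_by_username in the first hunk matches `username = ?` exactly, while the sibling find_by_instanceid_username in the third hunk matches `LOWER(username) = ?`, so whether two remote users whose usernames differ only in case collapse into one Mahara account now depends on the database's collation rather than on the code; since usersuniquebyusername rests on "equal username means same person", the comparison rule should be explicit and identical in both methods, e.g. `LOWER(username) = ?` with the parameter lowercased the way the sibling appears to expect (its lowering, if any, happens outside the hunk, so confirm). The second and third hunks also drop `u.deleted = 0` from find_by_instanceid_username; its other callers, which are outside these hunks, may have relied on deleted users being filtered out and now need their own `deleted` check, so that method's docblock should say so the way the new method's does. `if (false == $user)` is a loose comparison; `if (!$user)` reads the same and is the idiom. The second and third hunks cut through find_by_instanceid_username, whose start and end are outside the page.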
......@@ -130,10 +130,50 @@ class AuthXmlrpc extends Auth {
// Retrieve a $user object. If that fails, create a blank one.
try {
$user = new User;
$user->find_by_instanceid_username($this->instanceid, $remoteuser->username, true);
if (get_config('usersuniquebyusername')) {
// When turned on, this setting means that it doesn't matter
// which other application the user SSOs from, they will be
// given the same account in Mahara.
//
// This setting is one that has security implications unless
// only turned on by people who know what they're doing. In
// particular, every system linked to Mahara should be making
// sure that same username == same person. This happens for
// example if two Moodles are using the same LDAP server for
// authentication.
//
// If this setting is on, it must NOT be possible to self
// register on the site for ANY institution - otherwise users
// could simply pick usernames of people's accounts they wished
// to steal.
if ($institutions = get_column('institution', 'name', 'registerallowed', '1')) {
log_warn("usersuniquebyusername is turned on but registration is allowed for an institution. "
. "No institution can have registration allowed for it, for security reasons.\n"
. "The following institutions have registration enabled:\n " . join("\n ", $institutions));
throw new AccessDeniedException();
}
if (!get_config('usersallowedmultipleinstitutions')) {
log_warn("usersuniquebyusername is turned on but usersallowedmultipleinstitutions is off. "
. "This makes no sense, as users will then change institution every time they log in from "
. "somewhere else. Please turn this setting on in Site Options");
throw new AccessDeniedException();
}
$user->find_by_username($remoteuser->username);
}
else {
$user->find_by_instanceid_username($this->instanceid, $remoteuser->username, true);
}
if ($user->get('deleted')) {
die_info(get_string('accountdeleted', 'mahara'));
}
if ($user->get('suspendedcusr')) {
die_info(get_string('accountsuspended', 'mahara', strftime(get_string('strftimedaydate'), $user->get('suspendedctime')), $user->get('suspendedreason')));
}
if ('1' == $this->config['updateuserinfoonlogin']) {
$update = true;
}
......@@ -231,6 +271,11 @@ class AuthXmlrpc extends Auth {
$user->commit();
}
if (get_config('usersuniquebyusername')) {
// Add them to the institution they have SSOed in by
$user->join_institution($peer->institution);
}
// See if we need to create/update a profile Icon image
if ($create || $update) {
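Review bot: The AccessDeniedException thrown by the two usersuniquebyusername guards in the first hunk is raised inside the `try` that wraps the user lookup, and the matching `catch` lies beyond the hunk; if that catch is broader than AuthUnknownUserException (the comment says a failed lookup creates a blank user) the denial would be swallowed and login would continue into the account-creation path. Hoisting the `if (get_config('usersuniquebyusername')) { … }` block with the registerallowed and usersallowedmultipleinstitutions checks above the `try`, leaving only the `find_by_username` / `find_by_instanceid_username` branch inside it, removes that dependence on the catch clause. The registerallowed query is a per-login runtime guard, which a short comment should state, e.g. `// Checked on every SSO login; enabling registration later is not prevented here`. In the second hunk `$user->join_institution($peer->institution)` runs on every login, including for users who are already members; whether join_institution tolerates an existing membership cannot be seen here, so confirm it or guard it with a membership check. `$peer` and the enclosing try/catch are defined outside these hunks.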