Commit 3f529b3e authored by Richard Mansfield's avatar Richard Mansfield Committed by Gerrit Code Review

Merge "Add SAML config error for autocreation & registerallowed (bug #1003980)"

parents 4a579718 5c578a38
......@@ -39,6 +39,7 @@ $string['errorbadconfig'] = 'SimpleSAMLPHP config directory %s is incorrect.';
$string['errorbadcombo'] = 'You can only choose user auto creation if you have not selected remoteuser';
$string['errorbadinstitutioncombo'] = 'There is already an existing authinstance with this institutionattribute and institutionvalue combination';
$string['errormissinguserattributes1'] = 'You seem to be authenticated but we did not receive the required user attributes. Please check that your Identity Provider releases the First Name, Surname, and Email fields for SSO to %s, or inform the administrator.';
$string['errorregistrationenabledwithautocreate'] = 'An institution has registration enabled, for security reasons this excludes user auto-creation.';
$string['errorremoteuser'] = 'Matching on remoteuser is mandatory if usersuniquebyusername is turned off';
$string['institutionattribute'] = 'Institution attribute (contains "%s")';
$string['institutionvalue'] = 'Institution value to check against attribute';
......@@ -496,6 +496,19 @@ class PluginAuthSaml extends PluginAuth {
if ($values['weautocreateusers'] && $values['remoteuser']) {
$form->set_error('weautocreateusers', get_string('errorbadcombo', 'auth.saml'));
}
// Autocreation cannot be enabled unless no institutions have registration enabled.
// This seems like a weird rule, but consider the following:
// - weautocreateusers = 1 requires remoteuser = 0 (from the test immediately above this one)
// - remoteuser = 0 requires usersuniquebyusername = 1 (from the test above that)
// - usersuniquebyusername = 1 requires registerallowed = 0 on all institutions
// (for security reasons - see the comments in the request_user_authorise function above).
// So weautocreateusers = 1 requires registerallowed = 0 on all institutions, and we might
// as well display an error to that effect right away, without forcing the user to enable
// usersuniquebyusername.
if (($institutions = get_column('institution', 'name', 'registerallowed', '1')) && ($values['weautocreateusers'])) {
$form->set_error('weautocreateusers', get_string('errorregistrationenabledwithautocreate', 'auth.saml'));
}
$dup = get_records_sql_array('SELECT COUNT(instance) AS instance FROM {auth_instance_config}
WHERE ((field = \'institutionattribute\' AND value = ?) OR
(field = \'institutionvalue\' AND value = ?)) AND
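Review bot: The condition on the `get_column(...)` line runs the institution query before looking at `$values['weautocreateusers']`, and the `$institutions` it assigns is never read, so every save of the form pays for a lookup whose result is only a boolean gate; test the cheap flag first and drop the assignment, `if ($values['weautocreateusers'] && get_column('institution', 'name', 'registerallowed', '1')) {`. Note also that this is a form-time check only: if `registerallowed` is later switched on for an institution, an instance already saved with `weautocreateusers` is not re-validated here, so the invariant the comment block describes presumably has to be re-checked at login time in request_user_authorise, which is outside this hunk and worth a sentence in the comment. The enclosing validation method starts before the hunk and continues past it.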