Commit 5c578a38 authored by Simon Story's avatar Simon Story Committed by Richard Mansfield
Browse files

Add SAML config error for autocreation & registerallowed (bug #1003980)

Display an error if a user tries to enable auto-creation at the same
time as having registration enabled for an instition.

Change-Id: I22cf0df27c5e4edc3d7f71e8870fe84620419279
Signed-off-by: default avatarRichard Mansfield <>
parent 4a579718
......@@ -39,6 +39,7 @@ $string['errorbadconfig'] = 'SimpleSAMLPHP config directory %s is incorrect.';
$string['errorbadcombo'] = 'You can only choose user auto creation if you have not selected remoteuser';
$string['errorbadinstitutioncombo'] = 'There is already an existing authinstance with this institutionattribute and institutionvalue combination';
$string['errormissinguserattributes1'] = 'You seem to be authenticated but we did not receive the required user attributes. Please check that your Identity Provider releases the First Name, Surname, and Email fields for SSO to %s, or inform the administrator.';
$string['errorregistrationenabledwithautocreate'] = 'An institution has registration enabled, for security reasons this excludes user auto-creation.';
$string['errorremoteuser'] = 'Matching on remoteuser is mandatory if usersuniquebyusername is turned off';
$string['institutionattribute'] = 'Institution attribute (contains "%s")';
$string['institutionvalue'] = 'Institution value to check against attribute';
......@@ -496,6 +496,19 @@ class PluginAuthSaml extends PluginAuth {
if ($values['weautocreateusers'] && $values['remoteuser']) {
$form->set_error('weautocreateusers', get_string('errorbadcombo', 'auth.saml'));
// Autocreation cannot be enabled unless no institutions have registration enabled.
// This seems like a weird rule, but consider the following:
// - weautocreateusers = 1 requires remoteuser = 0 (from the test immediately above this one)
// - remoteuser = 0 requires usersuniquebyusername = 1 (from the test above that)
// - usersuniquebyusername = 1 requires registerallowed = 0 on all institutions
// (for security reasons - see the comments in the request_user_authorise function above).
// So weautocreateusers = 1 requires registerallowed = 0 on all institutions, and we might
// as well display an error to that effect right away, without forcing the user to enable
// usersuniquebyusername.
if (($institutions = get_column('institution', 'name', 'registerallowed', '1')) && ($values['weautocreateusers'])) {
$form->set_error('weautocreateusers', get_string('errorregistrationenabledwithautocreate', 'auth.saml'));
$dup = get_records_sql_array('SELECT COUNT(instance) AS instance FROM {auth_instance_config}
WHERE ((field = \'institutionattribute\' AND value = ?) OR
(field = \'institutionvalue\' AND value = ?)) AND
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment