Commit 78a2ed53 authored by Francois Marier's avatar Francois Marier Committed by Gerrit Code Review

Merge "auth/saml default remoteuser (bug #932909)"

parents 21eadf4d f07be602
...@@ -39,7 +39,7 @@ $string['errorbadconfig'] = 'SimpleSAMLPHP config directory %s is incorrect.'; ...@@ -39,7 +39,7 @@ $string['errorbadconfig'] = 'SimpleSAMLPHP config directory %s is incorrect.';
$string['errorbadcombo'] = 'You can only choose user auto creation if you have not selected remoteuser'; $string['errorbadcombo'] = 'You can only choose user auto creation if you have not selected remoteuser';
$string['errorbadinstitutioncombo'] = 'There is already an existing authinstance with this institutionattribute and institutionvalue combination'; $string['errorbadinstitutioncombo'] = 'There is already an existing authinstance with this institutionattribute and institutionvalue combination';
$string['errormissinguserattributes'] = 'You seem to be authenticated but we did not receive the required user attributes. Please check that your Identity Provider releases these SSO fields for First Name, Surname, and Email to the Service Provider Mahara is running on or inform the webmaster of this server.'; $string['errormissinguserattributes'] = 'You seem to be authenticated but we did not receive the required user attributes. Please check that your Identity Provider releases these SSO fields for First Name, Surname, and Email to the Service Provider Mahara is running on or inform the webmaster of this server.';
//$string['idpidentity'] = 'IdP Identity Service'; $string['errorremoteuser'] = 'Matching on remoteuser is mandatory if usersuniquebyusername is turned off';
$string['institutionattribute'] = 'Institution attribute (contains "%s")'; $string['institutionattribute'] = 'Institution attribute (contains "%s")';
$string['institutionvalue'] = 'Institution value to check against attribute'; $string['institutionvalue'] = 'Institution value to check against attribute';
$string['link'] = 'Link accounts'; $string['link'] = 'Link accounts';
......
...@@ -47,7 +47,7 @@ class AuthSaml extends Auth { ...@@ -47,7 +47,7 @@ class AuthSaml extends Auth {
$this->config['institutionregex'] = 0; $this->config['institutionregex'] = 0;
$this->config['institutionvalue'] = ''; $this->config['institutionvalue'] = '';
$this->config['updateuserinfoonlogin'] = 1; $this->config['updateuserinfoonlogin'] = 1;
$this->config['remoteuser'] = false; $this->config['remoteuser'] = true;
$this->config['loginlink'] = false; $this->config['loginlink'] = false;
$this->instanceid = $id; $this->instanceid = $id;
...@@ -103,6 +103,7 @@ class AuthSaml extends Auth { ...@@ -103,6 +103,7 @@ class AuthSaml extends Auth {
// Retrieve a $user object. If that fails, create a blank one. // Retrieve a $user object. If that fails, create a blank one.
try { try {
$isremote = $this->config['remoteuser'] ? true : false;
$user = new User; $user = new User;
if (get_config('usersuniquebyusername')) { if (get_config('usersuniquebyusername')) {
// When turned on, this setting means that it doesn't matter // When turned on, this setting means that it doesn't matter
...@@ -133,9 +134,15 @@ class AuthSaml extends Auth { ...@@ -133,9 +134,15 @@ class AuthSaml extends Auth {
. "somewhere else. Please turn this setting on in Site Options"); . "somewhere else. Please turn this setting on in Site Options");
throw new AccessDeniedException(); throw new AccessDeniedException();
} }
} }
$isremote = $this->config['remoteuser'] ? true : false; else {
if (!$isremote){
log_warn("usersuniquebyusername is turned off but remoteuser has not been set on for this institution: $institutionname. "
. "This is a security risk as users from different institutions with different IdPs can hijack "
. "each others accounts. Fix this in the institution level auth/saml settings.");
throw new AccessDeniedException();
}
}
if ($isremote) { if ($isremote) {
$user->find_by_instanceid_username($this->instanceid, $remoteuser, $isremote); $user->find_by_instanceid_username($this->instanceid, $remoteuser, $isremote);
} }
...@@ -282,7 +289,7 @@ class PluginAuthSaml extends PluginAuth { ...@@ -282,7 +289,7 @@ class PluginAuthSaml extends PluginAuth {
'institutionattribute' => '', 'institutionattribute' => '',
'institutionvalue' => '', 'institutionvalue' => '',
'institutionregex' => 0, 'institutionregex' => 0,
'remoteuser' => 0, 'remoteuser' => 1,
'loginlink' => 0, 'loginlink' => 0,
); );
...@@ -488,6 +495,10 @@ class PluginAuthSaml extends PluginAuth { ...@@ -488,6 +495,10 @@ class PluginAuthSaml extends PluginAuth {
$form->set_error('simplesamlphpconfig', get_string('errorbadconfig', 'auth.saml', $values['simplesamlphpconfig'])); $form->set_error('simplesamlphpconfig', get_string('errorbadconfig', 'auth.saml', $values['simplesamlphpconfig']));
} }
} }
// only allow remoteuser to be unset if usersuniquebyusername is NOT set
if (isset($values['remoteuser']) && !get_config('usersuniquebyusername') && !$values['remoteuser']) {
$form->set_error('remoteuser', get_string('errorremoteuser', 'auth.saml'));
}
if (isset($values['weautocreateusers'])) { if (isset($values['weautocreateusers'])) {
if ($values['weautocreateusers'] && $values['remoteuser']) { if ($values['weautocreateusers'] && $values['remoteuser']) {
$form->set_error('weautocreateusers', get_string('errorbadcombo', 'auth.saml')); $form->set_error('weautocreateusers', get_string('errorbadcombo', 'auth.saml'));
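Review bot: The new guard `if (isset($values['remoteuser']) && !get_config('usersuniquebyusername') && !$values['remoteuser'])` skips the check entirely when the `remoteuser` key is absent from `$values`, so such a submission passes validation while the login-time check added in the earlier hunk (`if (!$isremote)` followed by `throw new AccessDeniedException();`) would then reject every user of that instance. Since the login path treats any falsy `$this->config['remoteuser']` as unsafe, the form should reject a missing or falsy value the same way and fail closed: `if (!get_config('usersuniquebyusername') && empty($values['remoteuser'])) {`. The unconditional read of `$values['remoteuser']` in the `weautocreateusers` check just below suggests the key is normally present, in which case the `isset` is merely redundant, but aligning the two checks costs nothing. In the same earlier hunk, `else {` on its own line after the closing `}` and `if (!$isremote){` without a space before the brace read as a different brace style from the rest of the method; `} else {` and `if (!$isremote) {` would be the usual form. The enclosing validation method starts and ends outside this hunk, as does the login method for the earlier one.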
......