Commit 7c3f5646 authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review

Merge "Bug 995681: Allow SAML account creation with remote usernames"

parents 3a5c27c3 a3782238
......@@ -29,12 +29,11 @@ $string['errorbadlib'] = 'SimpleSAMLPHP library\'s "autoloader" file not found a
$string['errornomcrypt'] = 'PHP library "mcrypt" must be installed for auth/saml. Make sure you install and activate mcrypt eg:<br>sudo apt-get install php5-mcrypt<br>sudo php5enmod mcrypt<br>Then restart webserver.';
$string['errornomemcache'] = 'A memcache server is needed for auth/saml. Either list the paths to your memcache servers in the $cfg->memcacheservers config variable or install memcache locally.<br>To install the PHP library "memcache" locally:<br>sudo apt-get install php5-memcache<br>sudo php5enmod memcache<br>Then restart webserver.';
$string['errorbadconfig'] = 'SimpleSAMLPHP config directory %s is incorrect.';
$string['errorbadcombo'] = 'You can only choose user auto-creation if you have not selected remoteuser.';
$string['errorbadmetadata'] = 'Badly formed SAML metadata. Ensure XML contains one valid IdP.';
$string['errorduplicateidp'] = 'IdP (%s) already in use by another institution (%s). Ensure XML contains one valid and unique IdP.';
$string['errorbadinstitutioncombo'] = 'There is already an existing authentication instance with this institution attribute and institution value combination.';
$string['errormissinguserattributes1'] = 'You seem to be authenticated, but we did not receive the required user attributes. Please check that your Identity Provider releases the first name, surname, and email fields for SSO to %s or inform the administrator.';
$string['errorregistrationenabledwithautocreate'] = 'An institution has registration enabled. For security reasons this excludes user auto-creation.';
$string['errorregistrationenabledwithautocreate1'] = 'An institution has registration enabled. For security reasons this excludes user auto-creation, unless you are using remote usernames.';
$string['errorremoteuser'] = 'Matching on remoteuser is mandatory if usersuniquebyusername is turned off.';
$string['IdPSelection'] = 'IdP Selection';
$string['noidpsfound'] = 'No IdPs found';
......@@ -671,9 +671,6 @@ class PluginAuthSaml extends PluginAuth {
if (!get_config('usersuniquebyusername') && !$values['remoteuser']) {
$form->set_error('remoteuser', get_string('errorremoteuser', 'auth.saml'));
}
if ($values['weautocreateusers'] && $values['remoteuser']) {
$form->set_error('weautocreateusers', get_string('errorbadcombo', 'auth.saml'));
}
if (!empty($values['institutionidp'])) {
try {
......@@ -712,17 +709,17 @@ class PluginAuthSaml extends PluginAuth {
}
}
// Autocreation cannot be enabled unless no institutions have registration enabled.
// This seems like a weird rule, but consider the following:
// - weautocreateusers = 1 requires remoteuser = 0 (from the test immediately above this one)
// - remoteuser = 0 requires usersuniquebyusername = 1 (from the test above that)
// - usersuniquebyusername = 1 requires registerallowed = 0 on all institutions
// (for security reasons - see the comments in the request_user_authorise function above).
// So weautocreateusers = 1 requires registerallowed = 0 on all institutions, and we might
// as well display an error to that effect right away, without forcing the user to enable
// usersuniquebyusername.
if (($institutions = get_column('institution', 'name', 'registerallowed', '1')) && ($values['weautocreateusers'])) {
$form->set_error('weautocreateusers', get_string('errorregistrationenabledwithautocreate', 'auth.saml'));
// If we're using Mahara usernames (usr.username) instead of remote usernames
// (auth_remote_user.remoteusername), then autocreation cannot be enabled if any
// institutions have registration enabled.
//
// This is because a user self-registering with another institution might pick
// a username that matches the username from this SAML service, allowing them
// to highjack someone else's account.
//
// (see the comments in the request_user_authorise function above).
if ((!$values['remoteuser']) && ($values['weautocreateusers']) && ($institutions = get_column('institution', 'name', 'registerallowed', '1'))) {
$form->set_error('weautocreateusers', get_string('errorregistrationenabledwithautocreate1', 'auth.saml'));
}
$dup = get_records_sql_array('SELECT COUNT(instance) AS instance FROM {auth_instance_config}
WHERE ((field = \'institutionattribute\' AND value = ?) OR
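Review bot: The `$institutions = get_column(...)` assignment kept inside the rewritten condition on the `if ((!$values['remoteuser']) && ...)` line looks like a leftover from the removed version, since only its truthiness is used within the hunk; unless `$institutions` is read further down (the function continues outside the hunk), the clause can simply be `&& get_column('institution', 'name', 'registerallowed', '1')`, which also makes it clear the query runs only after the two cheap flag checks fail to short-circuit. Because this is form validation, the relaxed rule is enforced only at the moment the auth instance is saved; if nothing outside this hunk re-checks it, an institution enabling registration afterwards will not trip the error, and that is worth stating next to the existing comment, e.g. `// Only checked when this instance is saved; a later change to registerallowed is not re-validated here.` Minor: "highjack" in the new comment should read "hijack".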