Change user to internal auth when removed from an external-auth institution

htdocs/admin/users/edit.php

@@ -315,14 +315,18 @@ function edituser_institution_submit(Pieform $form, $values) {
                 db_commit();
                 break;
             } else if (isset($values[$i->institution.'_remove'])) {
-                db_begin();
-                delete_records('usr_institution', 'usr', $user->id, 'institution', $i->institution);
-                handle_event('updateuser', $user->id);
-                db_commit();
+                if ($user->id == $USER->id) {
+                    $USER->leave_institution($i->institution);
+                } else {
+                    $user->leave_institution($i->institution);
+                }
                 // Institutional admins can no longer access this page
                 // if they remove the user from the institution, so
                 // send them back to user search.
                 if (!$USER->get('admin')) {
+                    if (!$USER->is_institutional_admin()) {
+                        redirect(get_config('wwwroot'));
+                    }
                     redirect('/admin/users/search.php');
                 }
                 break;

htdocs/admin/users/institutionusers.php

@@ -76,7 +76,6 @@ if ($usertype == 'requesters') {
         'righttitle' => get_string('userstobeadded', 'admin'),
         'searchparams' => array('requested' => 1),
     );
-    $update = 'addUserAsMember';
     $submittext = get_string('addmembers', 'admin');
 } else if ($usertype == 'members') {
     // LHS shows institution members, RHS shows users to be removed
@@ -86,7 +85,6 @@ if ($usertype == 'requesters') {
         'righttitle' => get_string('userstoberemoved', 'admin'),
         'searchparams' => array('member' => 1),
     );
-    $update = 'removeMember';
     $submittext = get_string('removeusers', 'admin');
 } else { // $usertype == nonmembers
     // Behaviour depends on whether we allow users to have > 1 institution
@@ -98,7 +96,6 @@ if ($usertype == 'requesters') {
         'righttitle' => get_string('userstobeinvited', 'admin'),
         'searchparams' => array('member' => 0, 'invited' => 0, 'requested' => 0)
     );
-    $update = 'inviteUser';
     $submittext = get_string('inviteusers', 'admin');
 }
 
@@ -124,11 +121,6 @@ $userlistform = pieform(array(
             'value' => $institution,
             'rules' => array('regex' => '/^[a-zA-Z0-9]+$/')
         ),
-        'update' => array(
-            'type' => 'hidden',
-            'value' => $update,
-            'rules' => array('regex' => '/^[a-zA-Z]+$/')
-        ),
         'submit' => array(
             'type' => 'submit',
             'value' => $submittext
@@ -146,30 +138,51 @@ function institutionusers_submit(Pieform $form, $values) {
         redirect($url);
     }
 
-    $institution = new Institution($values['institution']);
-    if (!in_array($values['update'], array('addUserAsMember', 'removeMember', 'inviteUser'))) {
+    $dataerror = false;
+    if (!in_array($values['usertype'], array('requesters', 'members', 'nonmembers'))
+        || !is_array($values['users'])) {
+        $dataerror = true;
+    } else {
+        foreach ($values['users'] as $id) {
+            if (!is_numeric($id)) {
+                $dataerror = true;
+                break;
+            }
+        }
+    }
+    if ($dataerror) {
         $SESSION->add_error_msg(get_string('errorupdatinginstitutionusers', 'admin'));
         redirect($url);
     }
+
+    $institution = new Institution($values['institution']);
     $maxusers = $institution->maxuseraccounts;
     if (!empty($maxusers)) {
         $members = $institution->countMembers();
-        if ($values['update'] == 'addUserAsMember' && $members + count($values['users']) >= $maxusers) {
+        if ($values['usertype'] == 'requesters' && $members + count($values['users']) >= $maxusers) {
             $SESSION->add_error_msg(get_string('institutionuserserrortoomanyusers', 'admin'));
             redirect($url);
         }
-        if ($values['update'] == 'inviteUser' 
+        if ($values['usertype'] == 'nonmembers' 
             && $members + $institution->countInvites() + count($values['users']) >= $maxusers) {
             $SESSION->add_error_msg(get_string('institutionuserserrortoomanyinvites', 'admin'));
             redirect($url);
         }
     }
     db_begin();
-    foreach ($values['users'] as $id) {
-        $institution->{$values['update']}($id);
+    if ($values['usertype'] == 'members') {
+        $institution->removeMembers($values['users']);
+    } else {
+        $update = $values['usertype'] == 'requesters' ? 'addUserAsMember' : 'inviteUser';
+        foreach ($values['users'] as $id) {
+            $institution->{$update}($id);
+        }
     }
     db_commit();
     $SESSION->add_ok_msg(get_string('institutionusersupdated'.$values['usertype'], 'admin'));
+    if (!$USER->get('admin') && !$USER->is_institutional_admin()) {
+        redirect(get_config('wwwroot'));
+    }
     redirect($url);
 }
 

htdocs/auth/user.php

@@ -375,8 +375,7 @@ class User {
         if ($institution != 'mahara' && $this->in_institution($institution)) {
             require_once('institution.php');
             $institution = new Institution($institution);
-            $institution->removeMember($this);
-            $this->reset_institutions();
+            $institution->removeMember($this->to_stdclass());
         }
     }
 
@@ -411,7 +410,11 @@ class User {
     }
 
     public function set_admin_institutions($institutions) {
-        $this->set('admininstitutions', array_combine($institutions, $institutions));
+        if (empty($institutions)) {
+            $this->set('admininstitutions', array());
+        } else {
+            $this->set('admininstitutions', array_combine($institutions, $institutions));
+        }
     }
 
     public function add_institution_request($institution, $studentid = null) {
@@ -588,7 +591,10 @@ class LiveUser extends User {
         return $this;
     }
 
-    protected function reloadLiveUser($id) {
+    protected function reloadLiveUser($id=null) {
+        if (is_null($id)) {
+            $id = $this->get('id');
+        }
         $this->commit();
         $this->find_by_id($id);
         $this->activityprefs = load_activity_preferences($id);
@@ -628,5 +634,12 @@ class LiveUser extends User {
         return $id;
     }
 
+    public function leave_institution($institution) {
+        parent::leave_institution($institution);
+        $this->find_by_id($this->get('id'));
+        $this->reset_institutions();
+    }
+
+
 }
 ?>

htdocs/lang/en.utf8/mahara.php

@@ -249,6 +249,41 @@ $string['forgotpasswordenternew'] = 'Please enter your new password to continue'
 $string['nosuchpasswordrequest'] = 'No such password request';
 $string['passwordchangedok'] = 'Your password was successfully changed';
 
+// Reset password when moving from external to internal auth.
+$string['noinstitutionsetpassemailsubject'] = '%s: Membership of %s';
+$string['noinstitutionsetpassemailmessagetext'] = 'Dear %s,
+
+You are no longer a member of %s.
+You may continue to use %s with your current username %s, but you must set a new password for your account.
+
+Please follow the link below to continue the reset process.
+
+' . get_config('wwwroot') . 'forgotpass.php?key=%s
+
+If you have any questsions regarding the above, please feel free to contact
+us.
+
+' . get_config('wwwroot') . 'contact.php
+
+Regards, %s Site Administrator
+
+' . get_config('wwwroot') . 'forgotpass.php?key=%s';
+$string['noinstitutionsetpassemailmessagehtml'] = '<p>Dear %s,</p>
+
+<p>You are no longer a member of %s.</p>
+<p>You may continue to use %s with your current username %s, but you must set a new password for your account.</p>
+
+<p>Please follow the link below to continue the reset process.</p>
+
+<p><a href="' . get_config('wwwroot') . 'forgotpass.php?key=%s">' . get_config('wwwroot') . 'forgotpass.php?key=%s</a></p>
+
+<p>If you have any questsions regarding the above, please feel free to <a href="' . get_config('wwwroot') . 'contact.php">contact us</a>.</p>
+
+<p>Regards, %s Site Administrator</p>
+
+<p><a href="' . get_config('wwwroot') . 'forgotpass.php?key=%s">' . get_config('wwwroot') . 'forgotpass.php?key=%s</a></p>';
+
+
 // Expiry times
 $string['noenddate'] = 'No end date';
 $string['day']       = 'day';

htdocs/lib/institution.php

@@ -306,10 +306,82 @@ class Institution {
         db_commit();
     }
 
+    public function removeMembers($userids) {
+        // Remove self last.
+        global $USER;
+        $users = get_records_select_array('usr', 'id IN (' . join(',', $userids) . ')');
+        $removeself = false;
+        foreach ($users as $user) {
+            if ($user->id == $USER->id) {
+                $removeself = true;
+                continue;
+            }
+            $this->removeMember($user);
+        }
+        if ($removeself) {
+            $USER->leave_institution($this->name);
+        }
+    }
+
     public function removeMember($user) {
-        $userid = is_object($user) ? $user->id : $user;
-        delete_records('usr_institution', 'usr', $userid, 'institution', $this->name);
-        handle_event('updateuser', $userid);
+        if (is_numeric($user)) {
+            $user = get_record('usr', 'id', $user);
+        }
+        db_begin();
+        // If the user is being authed by the institution they are
+        // being removed from, change them to internal auth
+        $authinstances = get_records_select_assoc('auth_instance', "
+            institution IN ('mahara','" . $this->name . "')");
+        $oldauth = $user->authinstance;
+        if (isset($authinstances[$oldauth]) && $authinstances[$oldauth]->institution == $this->name) {
+            foreach ($authinstances as $ai) {
+                if ($ai->instancename == 'internal' && $ai->institution == 'mahara') {
+                    $user->authinstance = $ai->id;
+                    break;
+                }
+            }
+            delete_records('auth_remote_user', 'authinstance', $oldauth, 'localusr', $user->id);
+            // If the old authinstance was external, the user may need
+            // to set a password
+            if ($user->password == '') {
+                log_debug('resetting pw for '.$user->id);
+                $this->removeMemberSetPassword($user);
+            }
+            update_record('usr', $user);
+        }
+        delete_records('usr_institution', 'usr', $user->id, 'institution', $this->name);
+        handle_event('updateuser', $user->id);
+        db_commit();
+    }
+
+    /**
+     * Reset user's password, and send them a password change email
+     */
+    private function removeMemberSetPassword(&$user) {
+        global $SESSION, $USER;
+        if ($user->id == $USER->id) {
+            $user->passwordchange = 1;
+            return;
+        }
+        try {
+            $pwrequest = new StdClass;
+            $pwrequest->usr = $user->id;
+            $pwrequest->expiry = db_format_timestamp(time() + 86400);
+            $pwrequest->key = get_random_key();
+            $sitename = get_config('sitename');
+            $fullname = display_name($user, null, true);
+            email_user($user, null,
+                get_string('noinstitutionsetpassemailsubject', 'mahara', $sitename, $this->displayname),
+                get_string('noinstitutionsetpassemailmessagetext', 'mahara', $fullname, $this->displayname, $sitename, $user->username, $pwrequest->key, $sitename, $pwrequest->key),
+                get_string('noinstitutionsetpassemailmessagehtml', 'mahara', $fullname, $this->displayname, $sitename, $user->username, $pwrequest->key, $pwrequest->key, $sitename, $pwrequest->key, $pwrequest->key));
+            insert_record('usr_password_request', $pwrequest);
+        }
+        catch (SQLException $e) {
+            $SESSION->add_error_msg(get_string('forgotpassemailsendunsuccessful'));
+        }
+        catch (EmailException $e) {
+            $SESSION->add_error_msg(get_string('forgotpassemailsendunsuccessful'));
+        }
     }
 
     public function countMembers() {