Merge "Bug 1580399: Stop users logging in to suspended/expired institutions"

htdocs/auth/lib.php

@@ -1676,6 +1676,21 @@ function ensure_user_account_is_active($user=null) {
         }
         die_info(get_string('accountsuspended', 'mahara', $suspendedctime, $suspendedreason));
     }
+
+    // Check to see if institution is suspended or expired
+    // If a user in more than one institution and one of them is suspended
+    // make sure their authinstance is not set to the suspended/expired institution
+    // otherwise they will not be able to login (administer via site).
+    $authinstance = get_record_sql('
+        SELECT i.suspended, CASE WHEN i.expiry < NOW() THEN 1 ELSE 0 END AS expired, i.displayname
+        FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
+        WHERE a.id = ?', array($user->authinstance));
+    if ($authinstance->suspended || $authinstance->expired) {
+        $sitename = get_config('sitename');
+        $state = ($authinstance->suspended) ? 'suspended' : 'expired';
+        throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institution' . $state, 'mahara', $authinstance->displayname, $sitename));
+        return false;
+    }
 }
 
 /**

htdocs/auth/user.php

@@ -1498,19 +1498,6 @@ class LiveUser extends User {
         if ($parentid = get_field('auth_instance_config', 'value', 'field', 'parent', 'instance', $instanceid)) {
             $instanceid = $parentid;
         }
-        // Check for a suspended institution
-        // If a user in more than one institution and one of them is suspended
-        // make sure their authinstance is not set to the suspended institution
-        // otherwise they will not be able to login.
-        $authinstance = get_record_sql('
-            SELECT i.suspended, i.displayname
-            FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
-            WHERE a.id = ?', array($instanceid));
-        if ($authinstance->suspended) {
-            $sitename = get_config('sitename');
-            throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institutionsuspended', 'mahara', $authinstance->displayname, $sitename));
-            return false;
-        }
 
         $auth = AuthFactory::create($instanceid);
 

htdocs/lang/en.utf8/mahara.php

@@ -245,6 +245,8 @@ $string['linksandresources'] = 'Links and resources';
 // auth
 $string['accesstotallydenied_institutionsuspended'] = 'Your institution %s has been suspended. Until it is unsuspended, you will not be able to log in to %s.
 Please contact your institution for help.';
+$string['accesstotallydenied_institutionexpired'] = 'Your institution %s has expired. Until it is unexpired, you will not be able to log in to %s.
+Please contact your institution for help.';
 $string['accessforbiddentoadminsection'] = 'You are forbidden from accessing the administration section.';
 $string['accountdeleted'] = 'Sorry, your account has been deleted. You can <a href="%scontact.php">contact the site administrator</a>.';
 $string['accountexpired'] = 'Sorry, your account has expired. You can <a href="%scontact.php">contact the site administrator</a> to have it reactivated.';