Merge "Getting suspended institutions to keep their user out. (Bug 1348024)"

htdocs/admin/users/institutions.php

@@ -1011,6 +1011,19 @@ if ($institution && $institution != 'mahara') {
                 $SESSION->add_error_msg(get_string('errorwhilesuspending', 'admin'));
             }
             else {
+                // Need to logout any users that are using this institution's authinstance.
+                if ($loggedin = get_records_sql_array("SELECT ui.usr FROM {usr_institution} ui
+                    JOIN {usr} u ON u.id = ui.usr
+                    JOIN {auth_instance} ai ON ai.id = u.authinstance
+                    JOIN {usr_session} us ON us.usr = u.id
+                    WHERE ui.institution = ?
+                    AND ai.institution = ?", array($values['i'], $values['i']))) {
+                    foreach ($loggedin as $user) {
+                        $loggedinarray[] = $user->usr;
+                    }
+                    delete_records_sql("DELETE FROM {usr_session} WHERE usr IN (" . join(',', $loggedinarray) . ")");
+                    $SESSION->add_ok_msg(get_string('institutionlogoutusers', 'admin', count($loggedin)));
+                }
                 set_field('institution', 'suspended', 1, 'name', $values['i']);
                 $SESSION->add_ok_msg(get_string('institutionsuspended', 'admin'));
             }

htdocs/auth/user.php

@@ -1470,6 +1470,20 @@ class LiveUser extends User {
         if ($parentid = get_field('auth_instance_config', 'value', 'field', 'parent', 'instance', $instanceid)) {
             $instanceid = $parentid;
         }
+        // Check for a suspended institution
+        // If a user in more than one institution and one of them is suspended
+        // make sure their authinstance is not set to the suspended institution
+        // otherwise they will not be able to login.
+        $authinstance = get_record_sql('
+            SELECT i.suspended, i.displayname
+            FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
+            WHERE a.id = ?', array($instanceid));
+        if ($authinstance->suspended) {
+            $sitename = get_config('sitename');
+            throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institutionsuspended', 'mahara', $authinstance->displayname, $sitename));
+            return false;
+        }
+
         $auth = AuthFactory::create($instanceid);
 
         // catch the AuthInstanceException that allows authentication plugins to
@@ -1477,17 +1491,6 @@ class LiveUser extends User {
         try {
             if ($auth->authenticate_user_account($user, $password)) {
                 $this->authenticate($user, $auth->instanceid);
-                // Check for a suspended institution
-                $authinstance = get_record_sql('
-                    SELECT i.suspended, i.displayname
-                    FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
-                    WHERE a.id = ?', array($instanceid));
-                if ($authinstance->suspended) {
-                    $sitename = get_config('sitename');
-                    throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institutionsuspended', 'mahara', $authinstance->displayname, $sitename));
-                    return false;
-                }
-
                 return true;
             }
         }

htdocs/lang/en.utf8/admin.php

@@ -1026,9 +1026,13 @@ $string['makeuserinstitutionstaff'] = 'Automatically assign institution staff pe
 $string['errorwhileunsuspending'] = 'An error occurred while trying to unsuspend';
 $string['institutionsuspended'] = 'Institution suspended';
 $string['institutionunsuspended'] = 'Institution unsuspended';
+$string['institutionlogoutusers'] = array(
+    0 => 'Logged out 1 user',
+    1 => 'Logged out %s users',
+);
 $string['suspendedinstitution'] = 'SUSPENDED';
 $string['suspendinstitution'] = 'Suspend institution';
-$string['suspendinstitutiondescription'] = 'Here you may suspend an institution. Users of suspended institutions will be unable to log in until the institution is unsuspended.';
+$string['suspendinstitutiondescription'] = 'Here you may suspend an institution. Users using an authentication method of a suspended institution will be unable to log in until the institution is unsuspended.';
 $string['suspendedinstitutionmessage'] = 'This institution has been suspended.';
 $string['unsuspendinstitution'] = 'Unsuspend institution';
 $string['unsuspendinstitutiondescription'] = 'Here you may unsuspend an institution. Users of suspended institutions will be unable to log in until the institution is unsuspended.<br /><strong>Beware:</strong> Unsuspending an institution without resetting or turning off its expiry date may result in a daily re-suspension.';