Commit 7b6a5cec authored by Robert Lyon's avatar Robert Lyon

Bug 1859120: Allow the 'parent' auth to update the roles for 'children'

This is useful when multiple institutions are using the same IdP, eg
when using the 'saml_create_institution' flag.

It allows bulk updating of the role* values for all the institutions using
the same institutionidpentityid with the ones designated in the
'saml_create_institution_default' flag

behatnotneeded

Change-Id: I847acffcbc40bf6509b9587006dee68d46a217ee
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent a7b09164
......@@ -96,6 +96,8 @@ $string['samlfieldforrolesitestaff'] = 'Role mapping for site staff';
$string['samlfieldforroleinstadmin'] = 'Role mapping for institution administrator';
$string['samlfieldforroleinststaff'] = 'Role mapping for institution staff';
$string['samlfieldfororganisationname'] = 'SSO field for Organisation';
$string['populaterolestoallsaml'] = 'Copy roles to all SAML auth instances';
$string['populaterolestoallsamldescription'] = 'If this switch is enabled then on submission of the form the values for all the "Role" fields are copied to all the other SAML auth instances that use the same Identity Provider. This field then resets back to "No".';
$string['samlfieldforautogroups'] = 'Roles have auto group administration';
$string['samlfieldforautogroupsall'] = 'Auto group administration to all groups';
$string['samlfieldforautogroupsalldescription'] = 'If enabled then the user will be added as a group admin to all groups otherwise they are only added as a group admin to groups within their institution.';
......
......@@ -1502,20 +1502,35 @@ EOF;
'defaultvalue' => is_isolated() ? false : self::$default_config['roleautogroupsall'],
'description' => get_string('samlfieldforautogroupsalldescription', 'auth.saml'),
'disabled' => is_isolated(),
),
'authloginmsg' => array(
'type' => 'wysiwyg',
'rows' => 10,
'cols' => 50,
'title' => get_string('samlfieldauthloginmsg', 'auth.saml'),
'description' => get_string('authloginmsgnoparent', 'auth'),
'defaultvalue' => self::$default_config['authloginmsg'],
'help' => true,
'class' => 'under-label-help',
'rules' => array(
'maxlength' => 1000000
)
),
)
);
if (get_config('saml_create_institution_default')) {
// Show the copy roles option if this is a 'default' one
foreach ($defaults = explode(',', get_config('saml_create_institution_default')) as $default) {
if ($institution == $default) {
$elements['rolepopulate'] = array(
'type' => 'switchbox',
'title' => get_string('populaterolestoallsaml', 'auth.saml'),
'defaultvalue' => false,
'description' => get_string('populaterolestoallsamldescription', 'auth.saml'),
'help' => false,
);
break;
}
}
}
$elements['authloginmsg'] = array(
'type' => 'wysiwyg',
'rows' => 10,
'cols' => 50,
'title' => get_string('samlfieldauthloginmsg', 'auth.saml'),
'description' => get_string('authloginmsgnoparent', 'auth'),
'defaultvalue' => self::$default_config['authloginmsg'],
'help' => true,
'class' => 'under-label-help',
'rules' => array(
'maxlength' => 1000000
)
);
return array(
......@@ -1691,7 +1706,19 @@ EOF;
'metarefresh_metadata_url' => $values['metarefresh_metadata_url'],
);
foreach(self::$default_config as $field => $value) {
$auth_children = false;
if (get_config('saml_create_institution_default') && !empty($values['rolepopulate'])) {
// Allow role changes to populate out to 'child' saml instances if this is a 'default' one
foreach ($defaults = explode(',', get_config('saml_create_institution_default')) as $default) {
if ($values['institution'] == $default) {
// Find all the instances with same institutionidpentityid
$auth_children = get_column('auth_instance_config', 'instance', 'field', 'institutionidpentityid', 'value', $entityid);
break;
}
}
}
foreach (self::$default_config as $field => $value) {
$record = new stdClass();
$record->instance = $values['instance'];
$record->field = $field;
......@@ -1703,6 +1730,18 @@ EOF;
else {
update_record('auth_instance_config', $record, array('instance' => $values['instance'], 'field' => $field));
}
if ($auth_children && preg_match('/^role/', $field)) {
// Populate the role changes to the other SAML instances
foreach ($auth_children as $child) {
$dbwhere = new StdClass();
$dbwhere->field = $field;
$dbwhere->instance = $child;
$dbdata = clone $dbwhere;
$dbdata->value = $value;
ensure_record_exists('auth_instance_config', $dbwhere, $dbdata);
}
}
}
// save the institution config
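Review bot: The fields pushed to the child instances are selected with `preg_match('/^role/', $field)` in the save-path hunk, so every present or future config key that merely begins with "role" is overwritten on all auth instances sharing the `institutionidpentityid`. Judging by the lang strings, these seem to include the site staff and institution administrator mappings, so an explicit allowlist of propagated keys compared with `in_array($field, $allowed, true)` (where `$allowed` is a new list you define) would keep the privilege-bearing set deliberate. Also, `$dbdata->value = $value` uses the loop variable from `self::$default_config`; unless `$value` is reassigned in the lines between the two hunks, which are not visible here, the children would receive the default rather than the submitted value, and `$record->value` looks like the intended source. The enclosing function starts and ends outside these hunks. Since this is a bulk change to role mappings, a log entry naming the instance ids returned by `get_column(...)` would make it auditable.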
......
......@@ -838,6 +838,8 @@ $cfg->saml_log_attributes = false;
* and be mapped via the SAML instance setting 'samlfieldfororganisationname'.
* To make a new institution you need to define what institution to fetch an existing SAML
* instance from to be used as the default 'template' SAML settings.
* The 'saml_create_institution_default' can also be used as a 'parent' auth to update the
* role* values for all the other SAML configs that have the same 'institutionidpentityid' value
*/
//$cfg->saml_create_institution=true;
//$cfg->saml_create_institution_default = 'mahara';