Commit ffad2513 authored by Robert Lyon's avatar Robert Lyon

Bug 1580399: Stop users logging in to suspended/expired institutions

Moving the code from LiveUser->login() to
ensure_user_account_is_active() so that internal and external logins
can use the same code. This means the check will now fall after
LiveUser->authenticate(), so a user's lastlogin values will be updated,
but that should be ok as the login was successful; it's just that they
can't go any further as their institution is not active.

behatnotneeded

Change-Id: Ie78a60978d5936f78af5a962ca3efdcdee148b93
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent aeb91f9e
......@@ -1666,6 +1666,21 @@ function ensure_user_account_is_active($user=null) {
}
die_info(get_string('accountsuspended', 'mahara', $suspendedctime, $suspendedreason));
}
// Check to see if institution is suspended or expired
// If a user in more than one institution and one of them is suspended
// make sure their authinstance is not set to the suspended/expired institution
// otherwise they will not be able to login (administer via site).
$authinstance = get_record_sql('
SELECT i.suspended, CASE WHEN i.expiry < NOW() THEN 1 ELSE 0 END AS expired, i.displayname
FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
WHERE a.id = ?', array($user->authinstance));
if ($authinstance->suspended || $authinstance->expired) {
$sitename = get_config('sitename');
$state = ($authinstance->suspended) ? 'suspended' : 'expired';
throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institution' . $state, 'mahara', $authinstance->displayname, $sitename));
return false;
}
}
/**
......
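Review bot: The added institution check reads `$authinstance->suspended` and `$authinstance->expired` without first confirming that the query returned a row. If get_record_sql() finds no institution for `$user->authinstance` (it appears to return false in that case, for example when the auth instance is orphaned), both properties evaluate as empty and the suspended/expired gate is skipped, so the check fails open. I would make the missing-row case an explicit decision, e.g. `if (!$authinstance) { throw new AccessTotallyDeniedException(get_string('accesstotallydenied', 'mahara')); }` before the existing `if`, with the string key being a placeholder to confirm against the lang file. The `return false;` after the `throw` is unreachable and can be dropped. The function begins outside this hunk, so how `$user` is populated when the argument is null is not visible here.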
......@@ -1481,19 +1481,6 @@ class LiveUser extends User {
if ($parentid = get_field('auth_instance_config', 'value', 'field', 'parent', 'instance', $instanceid)) {
$instanceid = $parentid;
}
// Check for a suspended institution
// If a user in more than one institution and one of them is suspended
// make sure their authinstance is not set to the suspended institution
// otherwise they will not be able to login.
$authinstance = get_record_sql('
SELECT i.suspended, i.displayname
FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
WHERE a.id = ?', array($instanceid));
if ($authinstance->suspended) {
$sitename = get_config('sitename');
throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institutionsuspended', 'mahara', $authinstance->displayname, $sitename));
return false;
}
$auth = AuthFactory::create($instanceid);
......
......@@ -243,6 +243,8 @@ $string['linksandresources'] = 'Links and resources';
// auth
$string['accesstotallydenied_institutionsuspended'] = 'Your institution %s has been suspended. Until it is unsuspended, you will not be able to log in to %s.
Please contact your institution for help.';
$string['accesstotallydenied_institutionexpired'] = 'Your institution %s has expired. Until it is unexpired, you will not be able to log in to %s.
Please contact your institution for help.';
$string['accessforbiddentoadminsection'] = 'You are forbidden from accessing the administration section.';
$string['accountdeleted'] = 'Sorry, your account has been deleted. You can <a href="%scontact.php">contact the site administrator</a>.';
$string['accountexpired'] = 'Sorry, your account has expired. You can <a href="%scontact.php">contact the site administrator</a> to have it reactivated.';
......