function edituser_institution_submit(Pieform $form, $values)
{
$user = new User();
if (!$user->find_by_id($values['id'])) {
return false;
}
$userinstitutions = $user->get('institutions');
global $USER, $SESSION;
foreach ($userinstitutions as $i) {
if ($USER->can_edit_institution($i->institution)) {
if (isset($values[$i->institution . '_submit'])) {
$newuser = (object) array('usr' => $user->id, 'institution' => $i->institution, 'ctime' => db_format_timestamp($i->ctime), 'studentid' => $values[$i->institution . '_studentid'], 'staff' => (int) ($values[$i->institution . '_staff'] == 'on'), 'admin' => (int) ($values[$i->institution . '_admin'] == 'on'));
if ($values[$i->institution . '_expiry']) {
$newuser->expiry = db_format_timestamp($values[$i->institution . '_expiry']);
}
db_begin();
delete_records('usr_institution', 'usr', $user->id, 'institution', $i->institution);
insert_record('usr_institution', $newuser);
if ($newuser->admin) {
activity_add_admin_defaults(array($user->id));
}
handle_event('updateuser', $user->id);
db_commit();
$SESSION->add_ok_msg(get_string('userinstitutionupdated', 'admin', $i->displayname));
break;
} else {
if (isset($values[$i->institution . '_remove'])) {
if ($user->id == $USER->id) {
$USER->leave_institution($i->institution);
} else {
$user->leave_institution($i->institution);
}
$SESSION->add_ok_msg(get_string('userinstitutionremoved', 'admin', $i->displayname));
// Institutional admins can no longer access this page
// if they remove the user from the institution, so
// send them back to user search.
if (!$USER->get('admin')) {
if (!$USER->is_institutional_admin()) {
redirect(get_config('wwwroot'));
}
redirect('/admin/users/search.php');
}
break;
}
}
}
}
if (isset($values['add']) && $USER->get('admin') && (empty($userinstitutions) || get_config('usersallowedmultipleinstitutions'))) {
if ($user->id == $USER->id) {
$USER->join_institution($values['addinstitution']);
$USER->commit();
$userinstitutions = $USER->get('institutions');
} else {
$user->join_institution($values['addinstitution']);
$userinstitutions = $user->get('institutions');
}
$SESSION->add_ok_msg(get_string('userinstitutionjoined', 'admin', $userinstitutions[$values['addinstitution']]->displayname));
}
redirect('/admin/users/edit.php?id=' . $user->id);
}
/**
* Grab a delegate object for auth stuff
*/
public function request_user_authorise($attributes)
{
global $USER, $SESSION;
$this->must_be_ready();
if (empty($attributes) or !array_key_exists($this->config['user_attribute'], $attributes) or !array_key_exists($this->config['institutionattribute'], $attributes)) {
throw new AccessDeniedException();
}
$remoteuser = $attributes[$this->config['user_attribute']][0];
$firstname = isset($attributes[$this->config['firstnamefield']][0]) ? $attributes[$this->config['firstnamefield']][0] : null;
$lastname = isset($attributes[$this->config['surnamefield']][0]) ? $attributes[$this->config['surnamefield']][0] : null;
$email = isset($attributes[$this->config['emailfield']][0]) ? $attributes[$this->config['emailfield']][0] : null;
$institutionname = $this->institution;
$create = false;
$update = false;
// Retrieve a $user object. If that fails, create a blank one.
try {
$isremote = $this->config['remoteuser'] ? true : false;
$user = new User();
if (get_config('usersuniquebyusername')) {
// When turned on, this setting means that it doesn't matter
// which other application the user SSOs from, they will be
// given the same account in Mahara.
//
// This setting is one that has security implications unless
// only turned on by people who know what they're doing. In
// particular, every system linked to Mahara should be making
// sure that same username == same person. This happens for
// example if two Moodles are using the same LDAP server for
// authentication.
//
// If this setting is on, it must NOT be possible to self
// register on the site for ANY institution - otherwise users
// could simply pick usernames of people's accounts they wished
// to steal.
if ($institutions = get_column('institution', 'name', 'registerallowed', '1')) {
log_warn("usersuniquebyusername is turned on but registration is allowed for an institution. " . "No institution can have registration allowed for it, for security reasons.\n" . "The following institutions have registration enabled:\n " . join("\n ", $institutions));
throw new AccessDeniedException();
}
if (!get_config('usersallowedmultipleinstitutions')) {
log_warn("usersuniquebyusername is turned on but usersallowedmultipleinstitutions is off. " . "This makes no sense, as users will then change institution every time they log in from " . "somewhere else. Please turn this setting on in Site Options");
throw new AccessDeniedException();
}
} else {
if (!$isremote) {
log_warn("usersuniquebyusername is turned off but remoteuser has not been set on for this institution: {$institutionname}. " . "This is a security risk as users from different institutions with different IdPs can hijack " . "each others accounts. Fix this in the institution level auth/saml settings.");
throw new AccessDeniedException();
}
}
if ($isremote) {
$user->find_by_instanceid_username($this->instanceid, $remoteuser, $isremote);
} else {
$user->find_by_username($remoteuser);
}
if ($user->get('suspendedcusr')) {
die_info(get_string('accountsuspended', 'mahara', strftime(get_string('strftimedaydate'), $user->get('suspendedctime')), $user->get('suspendedreason')));
}
if ('1' == $this->config['updateuserinfoonlogin']) {
$update = true;
}
} catch (AuthUnknownUserException $e) {
if (!empty($this->config['weautocreateusers'])) {
$institution = new Institution($this->institution);
if ($institution->isFull()) {
$institution->send_admin_institution_is_full_message();
throw new XmlrpcClientException('SSO attempt from ' . $institution->displayname . ' failed - institution is full');
}
$user = new User();
$create = true;
} else {
log_debug("User authorisation request from SAML failed - " . "remote user '{$remoteuser}' is unknown to us and auto creation of users is turned off");
return false;
}
}
/*******************************************/
if ($create) {
$user->passwordchange = 1;
$user->active = 1;
$user->deleted = 0;
$user->expiry = null;
$user->expirymailsent = 0;
$user->lastlogin = time();
$user->firstname = $firstname;
$user->lastname = $lastname;
$user->email = $email;
// must have these values
if (empty($firstname) || empty($lastname) || empty($email)) {
throw new AccessDeniedException(get_string('errormissinguserattributes1', 'auth.saml', get_config('sitename')));
}
$user->authinstance = empty($this->config['parent']) ? $this->instanceid : $this->parent;
db_begin();
$user->username = get_new_username($remoteuser, 40);
$user->id = create_user($user, array(), $institutionname, $this, $remoteuser);
/*
* We need to convert the object to a stdclass with its own
* custom method because it uses overloaders in its implementation
* and its properties wouldn't be visible to a simple cast operation
* like (array)$user
*/
$userobj = $user->to_stdclass();
$userarray = (array) $userobj;
db_commit();
// Now we have fired the create event, we need to re-get the data
// for this user
$user = new User();
$user->find_by_id($userobj->id);
if (get_config('usersuniquebyusername')) {
// Add them to the institution they have SSOed in by
$user->join_institution($institutionname);
}
} elseif ($update) {
if (!empty($firstname)) {
set_profile_field($user->id, 'firstname', $firstname);
$user->firstname = $firstname;
}
if (!empty($lastname)) {
set_profile_field($user->id, 'lastname', $lastname);
$user->lastname = $lastname;
}
if (!empty($email)) {
set_profile_field($user->id, 'email', $email);
$user->email = $email;
}
$user->lastlastlogin = $user->lastlogin;
$user->lastlogin = time();
}
$user->commit();
/*******************************************/
// We know who our user is now. Bring em back to life.
$result = $USER->reanimate($user->id, $this->instanceid);
log_debug("remote user '{$remoteuser}' is now reanimated as '{$USER->username}' ");
$SESSION->set('authinstance', $this->instanceid);
return true;
}
